
Solved Can't Restore or set Windows Explorer options

Discussion in 'Malware and Virus Removal Archive' started by chuckmg, 2010/05/24.

  1. 2010/05/24
    chuckmg (Contributing Member, Thread Starter; joined 2002/01/08)
    [Resolved] Can't Restore or set Windows Explorer options

    This was originally posted in WinXP forum ... advised to post here:

    As per posting instructions:

    I executed hijackthis ...the results are at
    http://hjt.networktechs.com/parse.php?log=822178

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Nanc at 13:25:32.42 on Mon 05/24/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1162 [GMT -7:00]

    AV: Acronis Backup and Security Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
    FW: Acronis Backup and Security Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Common Files\Acronis Backup and Security\Acronis Backup and Security Update Service\livesrv.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Diskeeper\DkService.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\tbh\monitor\bin\tbhMonitor.exe
    c:\Program Files\tbh\base\bin\tbhDaemon.exe
    C:\Program Files\Common Files\Acronis Backup and Security\Acronis Backup and Security Arrakis Server\bin\arrakis3.exe
    C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\bdagent.exe
    C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\seccenter.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Apple\AirPort\APAgent.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\tbh\base\bin\tbhSystray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
    C:\Program Files\Eudora\Eudora.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Firefox\firefox.exe
    C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Nanc\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://nrhs1960.net/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    uWindow Title = Microsoft Internet Explorer
    uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe "
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mWinlogon: Userinit=c:\windows\system32\userinit.exe
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: Acronis Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\acronis backup and security\acronis backup and security 2010\IEToolbar.dll
    EB: Ask Toolbar Quick View: {b0de3308-5d5a-470d-81b9-634fc078393b} - c:\windows\system32\shdocvw.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe "
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
    mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
    mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe "
    mRun: [DiskeeperSystray] "c:\program files\diskeeper\DkIcon.exe "
    mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe "
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [AirPort Base Station Agent] "c:\program files\apple\airport\APAgent.exe "
    mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [tbhSystray] c:\program files\tbh\base\bin\tbhSystray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [ACAgent] "c:\program files\acronis backup and security\acronis backup and security 2010\bdagent.exe "
    mRun: [Acronis Antiphishing Helper] "c:\program files\acronis backup and security\acronis backup and security 2010\IEShow.exe "
    mRun: [regdiit] c:\windows\win.exe
    mRun: [CTFMON] c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\regedit.sys
    mRun: [svchost] c:\windows\win.exe
    StartupFolder: c:\docume~1\nanc\startm~1\programs\startup\eudora.lnk - c:\program files\eudora\Eudora.exe
    StartupFolder: c:\docume~1\nanc\startm~1\programs\startup\Internet.lnk -
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg311t\wlancfg5.exe
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    Trusted Zone: intuit.com\ttlc
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
    DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: LMIinit - LMIinit.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
    SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\eudora\EuShlExt.dll
    mASetup: {27AB0758-F8E8-3AFE-8A4B-A08AB9658382} - c:\windows\win.exe
    IFEO: algsrvs.exe - c:\windows\win.exe
    IFEO: algssl.exe - c:\windows\win.exe
    IFEO: Angry.bat - c:\windows\win.exe
    IFEO: bad1.exe - c:\windows\win.exe
    IFEO: bad2.exe - c:\windows\win.exe

    Note: multiple IFEO entries found. Please refer to Attach.txt

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\nanc\applic~1\mozilla\firefox\profiles\vg8m9i4i.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - plugin: c:\program files\firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\java\j2re1.4.1_02\bin\NPJPI141_02.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files\firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
    c:\program files\firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);

    ============= SERVICES / DRIVERS ===============

    R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [2010-3-26 911680]
    R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2010-3-26 2480048]
    R2 BDVEDISK;BDVEDISK;c:\program files\acronis backup and security\acronis backup and security 2010\bdvedisk.sys [2009-9-22 83208]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-9-12 47640]
    R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [2009-10-22 70952]
    R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2010-3-26 160288]
    R3 Arrakis3;Acronis Arrakis Server;c:\program files\common files\acronis backup and security\acronis backup and security arrakis server\bin\arrakis3.exe [2009-12-10 181600]
    R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-11-10 152456]
    R3 bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-10-19 110984]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-27 1684736]
    S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2009-8-27 16194]
    S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-10-28 30192]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]

    =============== Created Last 30 ================

    2010-05-23 05:55:58 132 ----a-w- c:\windows\system32\rezumatenoi.dat
    2010-05-23 01:10:08 376 ----a-w- c:\documents and settings\nanc\Application Dataprivacy.xml
    2010-05-22 22:59:45 204 --sha-r- C:\autorun.inf
    2010-05-22 04:10:49 0 d-----w- c:\program files\MSECache

    ==================== Find3M ====================

    2010-03-26 18:21:18 160288 ----a-w- c:\windows\system32\drivers\afcdp.sys
    2010-03-26 18:21:10 911680 ----a-w- c:\windows\system32\drivers\tdrpm258.sys
    2010-03-26 18:21:05 581984 ----a-w- c:\windows\system32\drivers\timntr.sys
    2010-03-26 18:20:50 166272 ----a-w- c:\windows\system32\drivers\snapman.sys
    2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
    2006-07-05 12:33:24 472000 ----a-w- c:\windows\inf\wg311t\WG311T13.sys
    2006-04-26 00:30:38 35232 ----a-w- c:\windows\inf\wg311t\ME_INST.EXE
    2006-04-26 00:30:38 26112 ----a-w- c:\windows\inf\wg311t\install.exe
    2008-05-08 11:24:44 155648 --sha-r- c:\windows\system32\wscript.exe

    ============= FINISH: 13:25:45.92 ===============

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 8/27/2009 10:32:56 AM
    System Uptime: 5/23/2010 10:59:47 AM (27 hours ago)

    Motherboard: ASUSTeK Computer INC. | | P5K-VM
    Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | LGA775 | 2405/266mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 149 GiB total, 112.562 GiB free.
    D: is FIXED (NTFS) - 149 GiB total, 115.514 GiB free.
    E: is CDROM ()
    G: is FIXED (NTFS) - 76 GiB total, 8.575 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
    Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
    Device ID: ACPI\PNP0303\4&1400782C&0
    Manufacturer: (Standard keyboards)
    Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
    PNP Device ID: ACPI\PNP0303\4&1400782C&0
    Service: i8042prt

    ==== System Restore Points ===================

    No restore point in system.

    ==== Image File Execution Options =============

    IFEO: algsrvs.exe - C:\WINDOWS\win.exe
    IFEO: algssl.exe - C:\WINDOWS\win.exe
    IFEO: Angry.bat - C:\WINDOWS\win.exe
    IFEO: bad1.exe - C:\WINDOWS\win.exe
    IFEO: bad2.exe - C:\WINDOWS\win.exe
    IFEO: bad3.exe - C:\WINDOWS\win.exe
    IFEO: destrukto.vbs - C:\WINDOWS\win.exe
    IFEO: drwtsn32.exe - C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys
    IFEO: dwwin.exe - C:\WINDOWS\win.exe
    IFEO: FileKan.exe - C:\WINDOWS\win.exe
    IFEO: flashy.exe - C:\WINDOWS\win.exe
    IFEO: fs6519.dll.vbs - C:\WINDOWS\win.exe
    IFEO: fun.xls.exe - C:\WINDOWS\win.exe
    IFEO: ker.vbs - C:\WINDOWS\win.exe
    IFEO: killVBS.vbs - C:\WINDOWS\win.exe
    IFEO: MSConfig.exe - C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys
    IFEO: msdos.pif - C:\WINDOWS\win.exe
    IFEO: msfir80.exe - C:\WINDOWS\win.exe
    IFEO: MSGrc32.vbs - C:\WINDOWS\win.exe
    IFEO: msime80.exe - C:\WINDOWS\win.exe
    IFEO: msmsgs.exe - C:\WINDOWS\win.exe
    IFEO: msvcr71.dll - C:\WINDOWS\win.exe
    IFEO: procexp.exe - C:\WINDOWS\win.exe
    IFEO: regedit.exe - C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys
    IFEO: rstrui.exe - C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys
    IFEO: sal.xls.exe - C:\WINDOWS\win.exe
    IFEO: SCVHOST.exe - C:\WINDOWS\win.exe
    IFEO: scvhosts.exe - C:\WINDOWS\win.exe
    IFEO: SCVHSOT.exe - C:\WINDOWS\win.exe
    IFEO: SCVVHOST.exe - C:\WINDOWS\win.exe
    IFEO: scvvhosts.exe - C:\WINDOWS\win.exe
    IFEO: SCVVHSOT.exe - C:\WINDOWS\win.exe
    IFEO: session.exe - C:\WINDOWS\win.exe
    IFEO: SocksA.ex - C:\WINDOWS\win.exe
    IFEO: taskmgr.exe - C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys
    IFEO: temp2.exe - C:\WINDOWS\win.exe
    IFEO: toy.exe - C:\WINDOWS\win.exe
    IFEO: WinGrc32.dll - C:\WINDOWS\win.exe

    ==== Installed Programs ======================


    Acrobat.com
    Acronis Backup and Security 2010
    Acronis True Image Home
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3
    AirPort
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Bonjour
    Browser Highlighter - Firefox
    Compatibility Pack for the 2007 Office system
    Dell Driver Download Manager
    Desktop Restore
    Diskeeper Professional Edition
    Eudora
    Foxit Reader
    Foxit Toolbar
    Google Desktop
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    HP Deskjet 6500
    HP Update
    iSEEK AnswerWorks English Runtime
    iTunes
    Java 2 Runtime Environment, SE v1.4.1_02
    Java Web Start
    LogMeIn
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Mozilla Firefox (3.6.3)
    MSN
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NETGEAR WG311T Wireless Adapter
    Netscape (7.2)
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    NVIDIA PhysX
    Picasa 3
    QuickTime
    Realtek High Definition Audio Driver
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980232)
    Skype™ 4.2
    StuffIt Deluxe
    StuffIt Deluxe 9.5
    TurboTax 2009
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wrapper
    Tweak UI
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows PowerShell(TM) 1.0

    ==== Event Viewer Messages From Past Week ========

    5/24/2010 8:13:24 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\regedt32.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.0.
    5/19/2010 8:33:16 AM, error: Service Control Manager [7034] - The Acronis Virus Shield service terminated unexpectedly. It has done this 1 time(s).
    5/18/2010 7:02:28 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

    ==== End Of File ===========================
     
    Last edited: 2010/05/24
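A triage script for the "Pseudo HJT Report" section of the DDS log above, added here as an example (it is not code from the thread, from DDS, or from any tool broni lists): it parses constructed copies of the mRun, mASetup and IFEO lines posted and flags the patterns that the later Malwarebytes log confirms as hijacks. The heuristic names, the two benign control lines and the allowlists are assumptions of this example.

```python
"""Triage of DDS "Pseudo HJT Report" lines for IFEO and autorun hijacks."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the DDS lines from the post above. The
# "HP Software Update" and "ctfmon.exe" entries are kept as benign controls.
SAMPLE_LOG = r"""mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [regdiit] c:\windows\win.exe
mRun: [CTFMON] c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\regedit.sys
mRun: [svchost] c:\windows\win.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mASetup: {27AB0758-F8E8-3AFE-8A4B-A08AB9658382} - c:\windows\win.exe
IFEO: taskmgr.exe - c:\windows\system32\wscript.exe /E:vbs c:\windows\system32\regedit.sys
IFEO: procexp.exe - c:\windows\win.exe
"""

RUN_RE = re.compile(r"^[mu]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
IFEO_RE = re.compile(r"^IFEO: (?P<victim>\S+) - (?P<cmd>.+)$")
ASETUP_RE = re.compile(r"^mASetup: (?P<guid>\{[0-9A-Fa-f-]+\}) - (?P<cmd>.+)$")

# Genuine Windows process names that malware borrows for its autorun entry.
SYSTEM_NAMES = {"svchost", "ctfmon", "explorer", "lsass", "csrss", "winlogon"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
# Executables that legitimately live directly in the Windows directory on XP
# (assumed allowlist for this example; extend it for your own baseline).
WINDIR_OK = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe", "winhlp32.exe"}


@dataclass(frozen=True)
class Finding:
    kind: str    # which heuristic fired
    entry: str   # autorun name, Active Setup GUID or hijacked program
    target: str  # the command line that actually runs


def first_token(cmd: str) -> str:
    """Return the executable path of a command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces: take everything up to the first
    # executable extension that is followed by whitespace or end of line.
    m = re.match(r"^(.*?\.(?:exe|scr|com|bat|cmd|pif))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else (cmd.split() or [""])[0]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_command(cmd: str) -> list[str]:
    """Heuristics applied to any command line that runs at boot or logon."""
    exe = first_token(cmd)
    name = basename(exe)
    full = exe.replace("/", "\\").lower()
    parent = full.rsplit("\\", 1)[0] if "\\" in full else ""
    problems: list[str] = []
    if name in SCRIPT_HOSTS:
        # wscript.exe /e:vbs forces the VBScript engine onto a file whose
        # extension (.sys in the log above) would never run as a script.
        lower = cmd.lower()
        args = lower[lower.find(name) + len(name):].strip().strip('"').split()
        script = args[-1] if args else ""
        ext = "." + script.rsplit(".", 1)[-1] if "." in script else ""
        if ext not in SCRIPT_EXTS:
            problems.append("script-host-nonscript")
    if parent in {"c:\\windows", "c:\\winnt"} and name not in WINDIR_OK:
        problems.append("windows-root-exe")
    return problems


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := IFEO_RE.match(line):
            # Any Debugger value is a finding in itself: the named program
            # never starts; the "debugger" is launched in its place with the
            # original command line as its argument.
            findings.append(Finding("ifeo-debugger", m["victim"], m["cmd"]))
        elif m := RUN_RE.match(line):
            name, cmd = m["name"], m["cmd"]
            stem = name.lower().removesuffix(".exe")
            if stem in SYSTEM_NAMES and basename(first_token(cmd)) != stem + ".exe":
                findings.append(Finding("name-spoofing", name, cmd))
            findings += [Finding(p, name, cmd) for p in check_command(cmd)]
        elif m := ASETUP_RE.match(line):
            # mASetup = HKLM Active Setup\Installed Components: runs once per
            # user profile; the same GUID shows up in the MBAM log later.
            findings += [Finding(p, m["guid"], m["cmd"]) for p in check_command(m["cmd"])]
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {f.entry:40} -> {f.target}")
    print(summarize(triage(SAMPLE_LOG)))
```

Every IFEO Debugger value is reported regardless of target, because a hijacked taskmgr.exe or regedit.exe is exactly the "can't restore or set options" symptom the thread opens with; the other heuristics only rank entries for a human to review.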
  2. 2010/05/24
    chuckmg (Thread Starter)
    How can I delete this post?

    Chuck
     
    Last edited: 2010/05/24


  4. 2010/05/24
    broni (Moderator, Malware Analyst; joined 2002/08/01)
    It looks like some malicious entry.

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When the scan is completed, click the Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.

    RESTART COMPUTER

    STEP 3. Download HijackThis:
    http://free.antivirus.com/hijackthis/
    by clicking on Installer under Version 2.0.4
    Install, and run it.
    Post HijackThis log.
    NOTE. If you're using Vista or 7, right-click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. 2010/05/25
    chuckmg (Thread Starter)
    Hi Broni,

    Here is the Step 1 Malwarebytes' Anti-Malware log:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    5/25/2010 12:42:41 PM
    mbam-log-2010-05-25 (12-42-41).txt

    Scan type: Quick scan
    Objects scanned: 139627
    Time elapsed: 7 minute(s), 54 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 10
    Registry Values Infected: 2
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{27ab0758-f8e8-3afe-8a4b-a08ab9658382} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{27ab0758-f8e8-3afe-8a4b-a08ab9658382} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algsrvs.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algssl.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fs6519.dll.vbs (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.Exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (Security.Hijack) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regdiit (Backdoor.PoisonIvy) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Chuck
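As an added, defender-side example that is not part of this thread or of Malwarebytes: a small Python parser for MBAM 1.x log lines that groups the registry findings above by technique (IFEO launch hijack of admin tools, the Explorer SHOWALL CheckedValue tamper behind the "can't set folder options" symptom, and Run-key persistence). The sample log is constructed from a subset of the lines above; function and field names are my own.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM) 1.x log and triage the registry
findings it reports.  Example code added for this thread; not part of MBAM."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample built from a subset of the detection lines in the log above.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.Exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# One detection line: "<registry path> (<threat name>) -> <action or Bad/Good detail>"
_LINE = re.compile(r"^(?P<path>[^\s(].*?) \((?P<threat>[^)]+)\) -> (?P<detail>.+)$")
_BAD_GOOD = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


@dataclass
class Detection:
    path: str
    threat: str
    bad: Optional[str]   # only present for "Registry Data Items" entries
    good: Optional[str]


def parse_mbam_log(text: str) -> List[Detection]:
    """Return one Detection per registry finding; headers and placeholders are skipped."""
    found = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # section headers, blank lines, "(No malicious items detected)"
        bg = _BAD_GOOD.search(m["detail"])
        found.append(Detection(m["path"], m["threat"],
                               bg["bad"] if bg else None,
                               bg["good"] if bg else None))
    return found


def triage(dets: List[Detection]) -> dict:
    """Map raw detections onto the three tampering techniques seen in this log."""
    out = {"ifeo_hijacked": [], "showall_tampered": False, "run_persistence": []}
    for d in dets:
        low = d.path.lower()
        if "\\image file execution options\\" in low:
            # An IFEO subkey named after a tool lets a "Debugger" value redirect every
            # launch of that tool; that is how regedit/msconfig/rstrui end up blocked.
            out["ifeo_hijacked"].append(d.path.rsplit("\\", 1)[-1].lower())
        elif low.endswith("\\folder\\hidden\\showall\\checkedvalue"):
            # CheckedValue=0 makes Explorer's "Show hidden files" radio button write
            # the same value as "Do not show", so the option can never take effect.
            out["showall_tampered"] = d.bad == "0" and d.good == "1"
        elif "\\currentversion\\run\\" in low:
            out["run_persistence"].append(d.path.rsplit("\\", 1)[-1])
    return out


if __name__ == "__main__":
    for key, value in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```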
     
  6. 2010/05/25
    chuckmg Contributing Member

    chuckmg Inactive Thread Starter

    Joined:
    2002/01/08
    Messages:
    236
    Likes Received:
    0
    The system is getting more unstable and hanging. Had to reboot again to be able to send this.

    Here is gmer.log:
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-05-25 14:08:22
    Windows 5.1.2600 Service Pack 3
    Running: z80cs0l6.exe; Driver: C:\DOCUME~1\Nanc\LOCALS~1\Temp\uxldqpog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwDuplicateObject [0xB282123C]
    SSDT \??\C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwOpenProcess [0xB2820FCE]
    SSDT \??\C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwOpenThread [0xB28210E8]
    SSDT \??\C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwTerminateProcess [0xB2820F32]
    SSDT \??\C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\bdselfpr.sys (BitDefender Self Protection Driver/BitDefender) ZwTerminateThread [0xB2821338]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 2DD0 8050466C 4 Bytes CALL A502C881
     
  7. 2010/05/25
    chuckmg Contributing Member

    chuckmg Inactive Thread Starter

    Joined:
    2002/01/08
    Messages:
    236
    Likes Received:
    0
    ... and HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:25:16 PM, on 5/25/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Acronis Backup and Security\Acronis Backup and Security Update Service\livesrv.exe
    C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\vsserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Diskeeper\DkService.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\tbh\monitor\bin\tbhMonitor.exe
    c:\Program Files\tbh\base\bin\tbhDaemon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\bdagent.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\seccenter.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Apple\AirPort\APAgent.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\tbh\base\bin\tbhSystray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Firefox\firefox.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Common Files\Acronis Backup and Security\Acronis Backup and Security Arrakis Server\bin\arrakis3.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nrhs1960.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe "
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
    N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://home.netscape.com/bookmark/7_2/home.html "); (C:\Documents and Settings\NANC\Application Data\Mozilla\Profiles\default\3nqhsrqu.slt\prefs.js)
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\NANC\Application Data\Mozilla\Profiles\default\3nqhsrqu.slt\prefs.js)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Acronis Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\IEToolbar.dll
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe "
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper\DkIcon.exe "
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe "
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\Apple\AirPort\APAgent.exe "
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [tbhSystray] C:\Program Files\tbh\base\bin\tbhSystray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKLM\..\Run: [ACAgent] "C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\bdagent.exe "
    O4 - HKLM\..\Run: [Acronis Antiphishing Helper] "C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\IEShow.exe "
    O4 - HKLM\..\Run: [CTFMON] C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\regedit.sys
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
    O4 - Startup: Eudora.lnk = C:\Program Files\Eudora\Eudora.exe
    O4 - Startup: Internet.lnk = ?
    O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Acronis Arrakis Server (Arrakis3) - Acronis Inc. http://www.acronis.com/homecomputing/products/antivirus - C:\Program Files\Common Files\Acronis Backup and Security\Acronis Backup and Security Arrakis Server\bin\arrakis3.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper\DkService.exe
    O23 - Service: Google Desktop Manager 5.9.909.30391 (GoogleDesktopManager-093009-130223) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Acronis Desktop Update Service (LIVESRV) - Acronis Inc. - C:\Program Files\Common Files\Acronis Backup and Security\Acronis Backup and Security Update Service\livesrv.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: The Browser Highlighter Monitor (tbhMonitor.exe) - Unknown owner - C:\Program Files\tbh\monitor\bin\tbhMonitor.exe
    O23 - Service: Acronis Virus Shield (VSSERV) - Acronis Inc. - C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\vsserv.exe

    --
    End of file - 10558 bytes
     
  8. 2010/05/25
    chuckmg Contributing Member

    chuckmg Inactive Thread Starter

    Joined:
    2002/01/08
    Messages:
    236
    Likes Received:
    0
    Good luck on your diagnosis!
     
  9. 2010/05/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    GMER log looks incomplete.
    It should end with "EOF" line.
    Leave it alone for now.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  10. 2010/05/25
    chuckmg Contributing Member

    chuckmg Inactive Thread Starter

    Joined:
    2002/01/08
    Messages:
    236
    Likes Received:
    0
    1. can't disable Acronis Antivirus Protection ... and nothing in Help or User Guide
    2. can't access the Windows Task Manager to end Access process
    3. can't uninstall Access ... tried
    4. I clicked on the link you sent for disabling antivirus programs ... nothing on Access

    I'll try contacting Access ... if you have any thoughts on this please let me know.
     
    Last edited: 2010/05/25
  11. 2010/05/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Run Combofix anyway.
     
  12. 2010/05/26
    chuckmg Contributing Member

    chuckmg Inactive Thread Starter

    Joined:
    2002/01/08
    Messages:
    236
    Likes Received:
    0
    Good morning ...

    Update and question:
    Acronis got back to me before I could do this. After a great deal of effort ...
    they also took command of my PC ... we were finally able to get Acronis working again ... and, at the same time, were able to access System Restore, etc. w/o the previous error msg.

    I then initiated a Deep System Scan which found the 1 virus, Worm.VBS.Autorun.S, again. Acronis said that it could not disinfect or quarantine it but could delete it. I deleted it.

    This morning we got another virus alert from Acronis telling us that cidaemon found the same virus in C:\System Vol Info\_restore\... I presume the latter is a system version of Recycle Bin and find no reason for concern. Correct me if I should be concerned.

    My question:
    In your steps prior to #3, you emphasized that I should not install any programs until the system was clean. Obviously Acronis was reinstalled. Should I, nonetheless, proceed with Combofix ... or should I go back and redo the previous step(s)?
     
  13. 2010/05/26
    chuckmg Contributing Member

    chuckmg Inactive Thread Starter

    Joined:
    2002/01/08
    Messages:
    236
    Likes Received:
    0
    Broni,

    The combofix.txt log, attached, includes an update to Combofix and the Recovery Console installation.

    Also attached, the HiJackThis log
     

  14. 2010/05/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No. The infection is present in one of your restore points, which we'll eventually reset.

    Let me see, what Combofix log shows.

    I prefer, if you paste all logs into your replies. It's easier for me to read...

    ComboFix 10-05-26.01 - Nanc 05/26/2010 13:15:50.2.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1343 [GMT -7:00]
    Running from: c:\documents and settings\Nanc\Desktop\ComboFix.exe
    FW: Acronis Backup and Security Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
    .

    ((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))
    .

    2010-05-26 02:44 . 2010-05-26 18:56 -------- d-----w- c:\windows\system32\NtmsData
    2010-05-26 01:34 . 2010-05-26 20:15 -------- d-----w- c:\windows\system32\CatRoot2
    2010-05-26 01:08 . 2010-05-26 01:08 -------- d-----w- c:\documents and settings\Nanc\Application Data\webex
    2010-05-25 22:29 . 2010-05-25 22:29 -------- d--h--w- c:\windows\system32\GroupPolicy
    2010-05-25 19:26 . 2010-05-25 19:26 -------- d-----w- c:\documents and settings\Nanc\Application Data\Malwarebytes
    2010-05-25 19:26 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-05-25 19:26 . 2010-05-25 19:26 -------- d-----w- c:\program files\WindowsBBS
    2010-05-25 19:26 . 2010-05-25 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-05-25 19:26 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-05-23 05:55 . 2010-05-23 06:08 132 ----a-w- c:\windows\system32\rezumatenoi.dat
    2010-05-22 04:10 . 2010-05-22 04:10 -------- d-----w- c:\program files\MSECache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-26 20:18 . 2009-09-03 16:49 -------- d-----w- c:\documents and settings\Nanc\Application Data\Skype
    2010-05-26 19:00 . 2009-09-03 16:51 -------- d-----w- c:\documents and settings\Nanc\Application Data\skypePM
    2010-05-26 18:51 . 2009-09-12 19:46 -------- d-----w- c:\program files\LogMeIn
    2010-05-26 04:18 . 2009-09-03 14:08 -------- d-----w- c:\documents and settings\Nanc\Application Data\U3
    2010-05-26 03:41 . 2010-03-26 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Acronis Backup and Security
    2010-05-26 02:51 . 2009-09-03 00:51 24672 ----a-w- c:\documents and settings\Nanc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-05-05 19:19 . 2009-10-07 14:07 -------- d-----w- c:\program files\Eudora
    2010-05-05 16:35 . 2009-12-09 17:11 3977088 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-04-14 23:27 . 2009-09-12 19:19 -------- d-----w- c:\program files\Diskeeper
    2010-04-13 21:26 . 2010-04-13 21:26 4 ----a-w- c:\windows\system32\aspdict-en.dat
    2010-04-13 21:26 . 2010-04-13 21:26 16 ----a-w- c:\windows\system32\asdict.dat
    2010-04-10 18:21 . 2010-04-10 18:21 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Parallels
    2010-04-06 05:10 . 2010-04-06 05:10 -------- d-----w- c:\program files\Common Files\Skype
    2010-04-06 05:09 . 2009-09-03 04:30 -------- d-----w- c:\program files\Firefox
    2010-03-28 23:39 . 2010-03-28 23:39 0 ----a-w- c:\windows\system32\wsbl.dat
    2010-03-28 23:39 . 2010-03-28 23:39 0 ----a-w- c:\windows\system32\ph_white.dat
    2010-03-28 23:39 . 2010-03-28 23:39 0 ----a-w- c:\windows\system32\ph_summ.dat
    2010-03-28 23:39 . 2010-03-28 23:39 0 ----a-w- c:\windows\system32\ph_black.dat
    2010-03-28 23:39 . 2010-03-28 23:39 0 ----a-w- c:\windows\system32\pcwords2.dat
    2010-03-28 23:39 . 2010-03-28 23:39 0 ----a-w- c:\windows\system32\pcwords.dat
    2010-03-26 18:21 . 2010-03-26 18:21 160288 ----a-w- c:\windows\system32\drivers\afcdp.sys
    2010-03-26 18:21 . 2010-03-26 18:21 911680 ----a-w- c:\windows\system32\drivers\tdrpm258.sys
    2010-03-26 18:21 . 2009-09-12 19:13 581984 ----a-w- c:\windows\system32\drivers\timntr.sys
    2010-03-26 18:20 . 2009-09-12 19:13 166272 ----a-w- c:\windows\system32\drivers\snapman.sys
    2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\29783\AdobeARM.exe
    2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\29783\AdobeExtractFiles.dll
    2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\29783\ReaderUpdater.exe
    2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\29783\AcrobatUpdater.exe
    2010-03-21 14:05 . 2009-12-18 02:27 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-03-10 06:15 . 2008-04-14 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
    2008-05-08 11:24 . 2008-04-14 12:00 155648 --sha-r- c:\windows\system32\wscript.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-11-18 19:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98} "= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98} "= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype "= "c:\program files\Skype\\Phone\Skype.exe" [2010-03-09 26100520]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TrueImageMonitor.exe "= "c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2010-02-19 5107320]
    "tbhSystray "= "c:\program files\tbh\base\bin\tbhSystray.exe" [2010-05-26 492840]
    "RTHDCPL "= "RTHDCPL.EXE" [2009-07-20 18670592]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
    "nwiz "= "c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
    "LogMeIn GUI "= "c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
    "HPDJ Taskbar Utility "= "c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-14 172032]
    "HP Software Update "= "c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "HP Component Manager "= "c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "Google Desktop Search "= "c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-28 30192]
    "DiskeeperSystray "= "c:\program files\Diskeeper\DkIcon.exe" [2006-06-07 319488]
    "AirPort Base Station Agent "= "c:\program files\Apple\AirPort\APAgent.exe" [2009-05-27 753664]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "Acronis Scheduler2 Service "= "c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2010-02-19 361736]
    "Acronis Antiphishing Helper "= "c:\program files\Acronis Backup and Security\Acronis Backup and Security 2010\IEShow.exe" [2009-12-11 82272]
    "ACAgent "= "c:\program files\Acronis Backup and Security\Acronis Backup and Security 2010\bdagent.exe" [2009-12-11 1110368]

    c:\documents and settings\Nanc\Start Menu\Programs\Startup\
    Eudora.lnk - c:\program files\Eudora\Eudora.exe [2009-10-8 2658304]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    NETGEAR WG311T Smart Wizard.lnk - c:\program files\NETGEAR\WG311T\wlancfg5.exe [2006-9-15 1503232]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} "= "c:\program files\Eudora\EuShlExt.dll" [2006-08-17 86016]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2009-09-29 02:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)
    "DisableNotifications "= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\Apple\\AirPort\\APAgent.exe "=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe "=
    "c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe "=
    "c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:UDP "= 5353:UDP:Bonjour
    "5191:TCP "= 5191:TCP:The Browser Highlighter XCOM

    R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [3/26/2010 11:21 AM 911680]
    R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [3/26/2010 11:21 AM 2480048]
    R2 BDVEDISK;BDVEDISK;c:\program files\Acronis Backup and Security\Acronis Backup and Security 2010\bdvedisk.sys [9/22/2009 8:22 AM 83208]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
    R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [10/22/2009 2:57 PM 70952]
    R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [3/26/2010 11:21 AM 160288]
    R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [11/10/2009 5:04 PM 152456]
    R3 bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [10/19/2009 4:04 PM 110984]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/27/2009 11:17 AM 1684736]
    S3 Arrakis3;Acronis Arrakis Server;c:\program files\Common Files\Acronis Backup and Security\Acronis Backup and Security Arrakis Server\bin\arrakis3.exe [12/10/2009 5:01 PM 181600]
    S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [8/27/2009 11:27 AM 16194]
    S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/28/2009 6:29 AM 30192]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - 159AA279
    *NewlyCreated* - AC97B2BD
    *Deregistered* - 159aa279
    *Deregistered* - ac97b2bd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-26 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://nrhs1960.net/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe "
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    FF - ProfilePath - c:\documents and settings\Nanc\Application Data\Mozilla\Firefox\Profiles\vg8m9i4i.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\Firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\Firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\Firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-26 13:18
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1504)
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll

    - - - - - - - > 'explorer.exe'(2904)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\msi.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2010-05-26 13:19:35
    ComboFix-quarantined-files.txt 2010-05-26 20:19
    ComboFix2.txt 2010-05-26 19:02

    Pre-Run: 122,290,249,728 bytes free
    Post-Run: 122,274,811,904 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 336B9DEF86B9CA4B234315A3BEBC3C8B
     
  15. 2010/05/26
    broni Moderator Malware Analyst
    Please uninstall AskBarDis through Add/Remove.


    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\rezumatenoi.dat
    
    
    Folder::
    
    Driver::
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  16. 2010/05/26
    chuckmg Contributing Member, Thread Starter
    Here is ComboFix output

    ComboFix 10-05-26.01 - Nanc 05/26/2010 20:17:53.3.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1226 [GMT -7:00]
    Running from: c:\documents and settings\Nanc\Desktop\ComboFix.exe
    Command switches used :: C:\CFScript.txt
    FW: Acronis Backup and Security Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

    FILE ::
    "c:\windows\system32\rezumatenoi.dat "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\rezumatenoi.dat

    .
    ((((((((((((((((((((((((( Files Created from 2010-04-27 to 2010-05-27 )))))))))))))))))))))))))))))))
    .

    2010-05-26 02:44 . 2010-05-26 18:56 -------- d-----w- c:\windows\system32\NtmsData
    2010-05-26 01:34 . 2010-05-27 03:17 -------- d-----w- c:\windows\system32\CatRoot2
    2010-05-26 01:08 . 2010-05-26 01:08 -------- d-----w- c:\documents and settings\Nanc\Application Data\webex
    2010-05-25 22:29 . 2010-05-25 22:29 -------- d--h--w- c:\windows\system32\GroupPolicy
    2010-05-25 19:26 . 2010-05-25 19:26 -------- d-----w- c:\documents and settings\Nanc\Application Data\Malwarebytes
    2010-05-25 19:26 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-05-25 19:26 . 2010-05-25 19:26 -------- d-----w- c:\program files\WindowsBBS
    2010-05-25 19:26 . 2010-05-25 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-05-25 19:26 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-05-22 04:10 . 2010-05-22 04:10 -------- d-----w- c:\program files\MSECache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-27 03:21 . 2009-09-03 16:49 -------- d-----w- c:\documents and settings\Nanc\Application Data\Skype
    2010-05-26 23:00 . 2009-09-03 16:51 -------- d-----w- c:\documents and settings\Nanc\Application Data\skypePM
    2010-05-26 18:51 . 2009-09-12 19:46 -------- d-----w- c:\program files\LogMeIn
    2010-05-26 04:18 . 2009-09-03 14:08 -------- d-----w- c:\documents and settings\Nanc\Application Data\U3
    2010-05-26 03:41 . 2010-03-26 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Acronis Backup and Security
    2010-05-26 02:51 . 2009-09-03 00:51 24672 ----a-w- c:\documents and settings\Nanc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-05-05 19:19 . 2009-10-07 14:07 -------- d-----w- c:\program files\Eudora
    2010-05-05 16:35 . 2009-12-09 17:11 3977088 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-04-14 23:27 . 2009-09-12 19:19 -------- d-----w- c:\program files\Diskeeper
    2010-04-13 21:26 . 2010-04-13 21:26 4 ----a-w- c:\windows\system32\aspdict-en.dat
    2010-04-13 21:26 . 2010-04-13 21:26 16 ----a-w- c:\windows\system32\asdict.dat
    2010-04-10 18:21 . 2010-04-10 18:21 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Parallels
    2010-04-06 05:10 . 2010-04-06 05:10 -------- d-----w- c:\program files\Common Files\Skype
    2010-04-06 05:09 . 2009-09-03 04:30 -------- d-----w- c:\program files\Firefox
    2010-03-28 23:39 . 2010-03-28 23:39 0 ----a-w- c:\windows\system32\wsbl.dat
    2010-03-28 23:39 . 2010-03-28 23:39 0 ----a-w- c:\windows\system32\ph_white.dat
    2010-03-28 23:39 . 2010-03-28 23:39 0 ----a-w- c:\windows\system32\ph_summ.dat
    2010-03-28 23:39 . 2010-03-28 23:39 0 ----a-w- c:\windows\system32\ph_black.dat
    2010-03-28 23:39 . 2010-03-28 23:39 0 ----a-w- c:\windows\system32\pcwords2.dat
    2010-03-28 23:39 . 2010-03-28 23:39 0 ----a-w- c:\windows\system32\pcwords.dat
    2010-03-26 18:21 . 2010-03-26 18:21 160288 ----a-w- c:\windows\system32\drivers\afcdp.sys
    2010-03-26 18:21 . 2010-03-26 18:21 911680 ----a-w- c:\windows\system32\drivers\tdrpm258.sys
    2010-03-26 18:21 . 2009-09-12 19:13 581984 ----a-w- c:\windows\system32\drivers\timntr.sys
    2010-03-26 18:20 . 2009-09-12 19:13 166272 ----a-w- c:\windows\system32\drivers\snapman.sys
    2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\29783\AdobeARM.exe
    2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\29783\AdobeExtractFiles.dll
    2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\29783\ReaderUpdater.exe
    2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\29783\AcrobatUpdater.exe
    2010-03-21 14:05 . 2009-12-18 02:27 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-03-10 06:15 . 2008-04-14 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
    2008-05-08 11:24 . 2008-04-14 12:00 155648 --sha-r- c:\windows\system32\wscript.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-11-18 19:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98} "= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98} "= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype "= "c:\program files\Skype\\Phone\Skype.exe" [2010-03-09 26100520]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TrueImageMonitor.exe "= "c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2010-02-19 5107320]
    "tbhSystray "= "c:\program files\tbh\base\bin\tbhSystray.exe" [2010-05-26 492840]
    "RTHDCPL "= "RTHDCPL.EXE" [2009-07-20 18670592]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
    "nwiz "= "c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
    "LogMeIn GUI "= "c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
    "HPDJ Taskbar Utility "= "c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-14 172032]
    "HP Software Update "= "c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "HP Component Manager "= "c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "Google Desktop Search "= "c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-28 30192]
    "DiskeeperSystray "= "c:\program files\Diskeeper\DkIcon.exe" [2006-06-07 319488]
    "AirPort Base Station Agent "= "c:\program files\Apple\AirPort\APAgent.exe" [2009-05-27 753664]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "Acronis Scheduler2 Service "= "c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2010-02-19 361736]
    "Acronis Antiphishing Helper "= "c:\program files\Acronis Backup and Security\Acronis Backup and Security 2010\IEShow.exe" [2009-12-11 82272]
    "ACAgent "= "c:\program files\Acronis Backup and Security\Acronis Backup and Security 2010\bdagent.exe" [2009-12-11 1110368]

    c:\documents and settings\Nanc\Start Menu\Programs\Startup\
    Eudora.lnk - c:\program files\Eudora\Eudora.exe [2009-10-8 2658304]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    NETGEAR WG311T Smart Wizard.lnk - c:\program files\NETGEAR\WG311T\wlancfg5.exe [2006-9-15 1503232]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} "= "c:\program files\Eudora\EuShlExt.dll" [2006-08-17 86016]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2009-09-29 02:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)
    "DisableNotifications "= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\Apple\\AirPort\\APAgent.exe "=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe "=
    "c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe "=
    "c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:UDP "= 5353:UDP:Bonjour
    "5191:TCP "= 5191:TCP:The Browser Highlighter XCOM

    R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [3/26/2010 11:21 AM 911680]
    R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [3/26/2010 11:21 AM 2480048]
    R2 BDVEDISK;BDVEDISK;c:\program files\Acronis Backup and Security\Acronis Backup and Security 2010\bdvedisk.sys [9/22/2009 8:22 AM 83208]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
    R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [10/22/2009 2:57 PM 70952]
    R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [3/26/2010 11:21 AM 160288]
    R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [11/10/2009 5:04 PM 152456]
    R3 bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [10/19/2009 4:04 PM 110984]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/27/2009 11:17 AM 1684736]
    S3 Arrakis3;Acronis Arrakis Server;c:\program files\Common Files\Acronis Backup and Security\Acronis Backup and Security Arrakis Server\bin\arrakis3.exe [12/10/2009 5:01 PM 181600]
    S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [8/27/2009 11:27 AM 16194]
    S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/28/2009 6:29 AM 30192]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - 159AA279
    *NewlyCreated* - AC97B2BD
    *Deregistered* - 159aa279
    *Deregistered* - ac97b2bd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-26 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://nrhs1960.net/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe "
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    FF - ProfilePath - c:\documents and settings\Nanc\Application Data\Mozilla\Firefox\Profiles\vg8m9i4i.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - plugin: c:\program files\Firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJPI141_02.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\Firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\Firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\Firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-26 20:21
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1504)
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    Completion time: 2010-05-26 20:22:40
    ComboFix-quarantined-files.txt 2010-05-27 03:22
    ComboFix2.txt 2010-05-26 20:24
    ComboFix3.txt 2010-05-26 19:02

    Pre-Run: 122,288,050,176 bytes free
    Post-Run: 122,272,849,920 bytes free

    - - End Of File - - 5D7504F1462B807392DE63E0F528455E
     
  17. 2010/05/26
    chuckmg Contributing Member, Thread Starter
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:34:44 PM, on 5/26/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Acronis Backup and Security\Acronis Backup and Security Update Service\livesrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Diskeeper\DkService.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\tbh\monitor\bin\tbhMonitor.exe
    C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\vsserv.exe
    c:\Program Files\tbh\base\bin\tbhDaemon.exe
    C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\bdagent.exe
    C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\seccenter.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\tbh\base\bin\tbhSystray.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Apple\AirPort\APAgent.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Eudora\Eudora.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Firefox\firefox.exe
    C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nrhs1960.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe "
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://home.netscape.com/bookmark/7_2/home.html "); (C:\Documents and Settings\NANC\Application Data\Mozilla\Profiles\default\3nqhsrqu.slt\prefs.js)
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\NANC\Application Data\Mozilla\Profiles\default\3nqhsrqu.slt\prefs.js)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Acronis Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\IEToolbar.dll
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [tbhSystray] C:\Program Files\tbh\base\bin\tbhSystray.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe "
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper\DkIcon.exe "
    O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\Apple\AirPort\APAgent.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe "
    O4 - HKLM\..\Run: [Acronis Antiphishing Helper] "C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\IEShow.exe "
    O4 - HKLM\..\Run: [ACAgent] "C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\bdagent.exe "
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
    O4 - Startup: Eudora.lnk = C:\Program Files\Eudora\Eudora.exe
    O4 - Startup: Internet.lnk = ?
    O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://acronis.webex.com/client/T27LB/webex/ieatgpc.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Acronis Arrakis Server (Arrakis3) - Acronis Inc. http://www.acronis.com/homecomputing/products/antivirus - C:\Program Files\Common Files\Acronis Backup and Security\Acronis Backup and Security Arrakis Server\bin\arrakis3.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper\DkService.exe
    O23 - Service: Google Desktop Manager 5.9.909.30391 (GoogleDesktopManager-093009-130223) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Acronis Desktop Update Service (LIVESRV) - Acronis Inc. - C:\Program Files\Common Files\Acronis Backup and Security\Acronis Backup and Security Update Service\livesrv.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: The Browser Highlighter Monitor (tbhMonitor.exe) - Unknown owner - C:\Program Files\tbh\monitor\bin\tbhMonitor.exe
    O23 - Service: Acronis Virus Shield (VSSERV) - Acronis Inc. - C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\vsserv.exe

    --
    End of file - 10144 bytes
     
  18. 2010/05/26
    broni Moderator Malware Analyst
    Looks good :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between "Combofix" and "/Uninstall".
    Click OK (Vista users - press Enter).
    Restart computer.

    ================================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    2. Update MBAM, run quick scan and post fresh log.

    3. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  19. 2010/05/26
    chuckmg Contributing Member, Thread Starter
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4147

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    5/26/2010 9:48:26 PM
    mbam-log-2010-05-26 (21-48-26).txt

    Scan type: Quick scan
    Objects scanned: 134443
    Time elapsed: 4 minute(s), 39 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  20. 2010/05/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok :)
     
  21. 2010/05/27
    chuckmg Contributing Member

    chuckmg Inactive Thread Starter

    Joined:
    2002/01/08
    Messages:
    236
    Likes Received:
    0
    Broni,

    Thought I had already posted this and wanted to make sure I had sent you the latest scan ... but I don't see it so here is the scan again:

    Chuck

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:46:19 AM, on 5/27/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Acronis Backup and Security\Acronis Backup and Security Update Service\livesrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Diskeeper\DkService.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\tbh\monitor\bin\tbhMonitor.exe
    C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\vsserv.exe
    c:\Program Files\tbh\base\bin\tbhDaemon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\bdagent.exe
    C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\seccenter.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\tbh\base\bin\tbhSystray.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Apple\AirPort\APAgent.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Firefox\firefox.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nrhs1960.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe "
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref( "aim.session.firsttime ", false);
    user_pref( "browser.activation.checkedNNFlag ", true);
    user_pref( "browser.bookmarks.added_static_root ", true);
    user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5Csearchplugins%5CSBWeb_01.src ");
    user_pref( "browser.startup.homepage ", "http://home.netscape.com/bookmark/7_2/home.html ");
    user_pref( "browser.startup.homepage_override.mstone ", "rv:1.7.2 ");
    user_pref( "browser.turbo.showDialog ", false);
    user_pref( "dom.disable_open_during_load ", true);
    user_pref( "intl.charsetmenu.browser.cache ", "UTF-8, ISO-8859-1 ");
    user_pref( "intl.charsetmenu.composer.cache ", "ISO-8859-1 ");
    user_pref
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref( "aim.session.firsttime ", false);
    user_pref( "browser.activation.checkedNNFlag ", true);
    user_pref( "browser.bookmarks.added_static_root ", true);
    user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5Csearchplugins%5CSBWeb_01.src ");
    user_pref( "browser.startup.homepage ", "http://home.netscape.com/bookmark/7_2/home.html ");
    user_pref( "browser.startup.homepage_override.mstone ", "rv:1.7.2 ");
    user_pref( "browser.turbo.showDialog ", false);
    user_pref( "dom.disable_open_during_load ", true);
    user_pref( "intl.charsetmenu.browser.cache ", "UTF-8, ISO-8859-1 ");
    user_pref( "intl.charsetmenu.composer.cache ", "ISO-8859-1 ");
    user_pref
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Acronis Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\IEToolbar.dll
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [tbhSystray] C:\Program Files\tbh\base\bin\tbhSystray.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe "
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper\DkIcon.exe "
    O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\Apple\AirPort\APAgent.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe "
    O4 - HKLM\..\Run: [Acronis Antiphishing Helper] "C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\IEShow.exe "
    O4 - HKLM\..\Run: [ACAgent] "C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\bdagent.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe "
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
    O4 - Startup: Eudora.lnk = C:\Program Files\Eudora\Eudora.exe
    O4 - Startup: Internet.lnk = ?
    O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://acronis.webex.com/client/T27LB/webex/ieatgpc.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Acronis Arrakis Server (Arrakis3) - Acronis Inc. http://www.acronis.com/homecomputing/products/antivirus - C:\Program Files\Common Files\Acronis Backup and Security\Acronis Backup and Security Arrakis Server\bin\arrakis3.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper\DkService.exe
    O23 - Service: Google Desktop Manager 5.9.909.30391 (GoogleDesktopManager-093009-130223) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Acronis Desktop Update Service (LIVESRV) - Acronis Inc. - C:\Program Files\Common Files\Acronis Backup and Security\Acronis Backup and Security Update Service\livesrv.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: The Browser Highlighter Monitor (tbhMonitor.exe) - Unknown owner - C:\Program Files\tbh\monitor\bin\tbhMonitor.exe
    O23 - Service: Acronis Virus Shield (VSSERV) - Acronis Inc. - C:\Program Files\Acronis Backup and Security\Acronis Backup and Security 2010\vsserv.exe

    --
    End of file - 12260 bytes
     