Genevive's hijack info

[Genevive]

Acer Arcade Deluxe
Acer Assist
Acer Crystal Eye webcam
Acer eAudio Management
Acer eDataSecurity Management
Acer eLock Management
Acer Empowering Technology
Acer eNet Management
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer GridVista
Acer Mobility Center Plug-In
Acer Registration
Acer ScreenSaver
Acer Tour
Acer VCM
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
AIM 7
AMT Media Manager
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoStudio 2000
Avira AntiVir Personal - Free Antivirus
Big Kahuna Reef 2
Bricks of Egypt
ClueFinders(R) Search & Solve Adventures(TM)
Download Updater (AOL LLC)
Dynasty
eBay Icon
ffdshow (remove only)
FormatFactory
Free Audio CD Burner version 1.4
Free YouTube to MP3 Converter version 3.8
Galapago
HDAUDIO Soft Data Fax Modem with SmartCP
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel Matrix Storage Manager
Intel(R) Graphics Media Accelerator Driver
Java Auto Updater
Java(TM) 6 Update 22
Java(TM) 6 Update 3
Jewel Quest Solitaire
Launch Manager
LightScribe 1.4.142.1
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Luxor 2
Malwarebytes' Anti-Malware
Media Converter for Philips
MediaCoderSE 0.5.1
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 97, Professional Edition
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mouse Setting Software 4.0
Mozilla Firefox 4.0.1 (x86 en-US)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Mystery Case Files - Prime Suspects
Mystery Case Files Ravenhearst
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
Orion
Player
PokerStars
PowerProducer 3.72
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Skype Toolbars
Skype™ 4.2
Spybot - Search & Destroy
SpywareBlaster 4.4
SUPERAntiSpyware Free Edition
Synaptics Pointing Device Driver
Text Twist
Text Twist (remove only)
Treasures of the Deep
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VDownloader 0.77
Viewpoint Media Player
Winbond CIR Drivers
Windows Live Communications Platform
Windows Live Essentials
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Player Firefox Plugin
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Software Update
Zuma Deluxe

 

[Genevive]

Here's the malware bytes

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6618

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

5/23/2011 8:44:16 PM
mbam-log-2011-05-23 (20-44-16).txt

Scan type: Quick scan
Objects scanned: 149695
Time elapsed: 6 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

[johnb35]

Please go into add/remove programs and uninstall the following programs.

Adobe Reader 8.1.2
Java Auto Updater
Java(TM) 6 Update 22
Java(TM) 6 Update 3
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Uninstall 1.0.0.1
Viewpoint Media Player


Then go here to download the latest versions of Adobe Reader and Java

http://get.adobe.com/reader/?promoid=BUIGO

http://www.java.com/en/download/index.jsp

 

[Genevive]

The new hijack this

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:46:07 PM, on 5/23/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Mouse Setting\Mouse Setting Software\4.0\ACQTMAPP.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\JENIFE~1\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\Jenifer & James\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {03402f96-3dc7-4285-bc50-9e81fefafe43} - (no file)
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEPlugin Class - {11222041-111B-46E3-BD29-EFB2449479B1} - C:\PROGRA~1\ArcSoft\MEDIAC~1\INTERN~1\ARCURL~1.DLL
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [ACQTMOUSE] "C:\Program Files\Mouse Setting\Mouse Setting Software\4.0\ACQTMAPP.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Users\Jenifer & James\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8864 bytes

 

[johnb35]

You aren't running the latest database for malwarebytes. Please open malwarebytes, click on the update tab, click on check for updates. The latest database is 6658. Please rerun the quick scan after updating and post the new log.

 

[Genevive]

I got all those uninstalled but the only one I didn't see in the add/remove programs was the Java Auto Updater. Going now to download the new ones you recommended.

 

[Genevive]

I still have that shortcut for the malware protection & I didn't delete that folder yet...what should I do with that?

 

[johnb35]

Delete the shortcut for now. Don't touch anything else.

 

[Genevive]

New malwarebytes log

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6658

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

5/23/2011 9:02:04 PM
mbam-log-2011-05-23 (21-02-04).txt

Scan type: Quick scan
Objects scanned: 149286
Time elapsed: 4 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

[Genevive]

Ok, I downloaded the new adobe reader & java...did I forget anything?

 

[johnb35]

Please rerun hijackthis and place checks next to the following entries.

R3 - URLSearchHook: (no name) - {03402f96-3dc7-4285-bc50-9e81fefafe43} - (no file)
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Users\Jenifer & James\AppData\Roaming\DVDVideoSoftIEHelpers\youtub etomp3.htm
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

Then click on fix checked at the bottom.

How is the system running now? Let me look through the combofix log one more time.

 

[Genevive]

Ok should I reboot the computer before or after I run that combo scan?

 

[johnb35]

Ok should I reboot the computer before or after I run that combo scan?

I'm not asking you to run combofix again. I just wanted to look at the log you already posted before. I didn't see any issues. How's the system running now? One more thing to do and it will help with your system speed is to download and run Ccleaner.

http://download.cnet.com/ccleaner/

Download and install, open the program and click on run cleaner. It may take a few minutes to complete. This will delete your temporary internet file and temporary system files making your system run faster.

 

[Genevive]

Computer is running great, here's the combo fix from earlier. I now have a backups folder on my desktop what is this for?


ComboFix 11-05-23.02 - Jenifer & James 05/23/2011 18:50:16.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.903 [GMT -4:00]
Running from: c:\users\Jenifer & James\Documents\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\DFRDC1D.tmp
c:\program files\IEToolbar
c:\program files\IEToolbar\ChaCha Guide Universe Toolbar\basis.xml
c:\program files\IEToolbar\ChaCha Guide Universe Toolbar\icons.bmp
c:\program files\IEToolbar\ChaCha Guide Universe Toolbar\info.txt
c:\program files\IEToolbar\ChaCha Guide Universe Toolbar\logo.gif
c:\program files\IEToolbar\ChaCha Guide Universe Toolbar\Master.bmp
c:\program files\IEToolbar\ChaCha Guide Universe Toolbar\small.bmp
c:\program files\IEToolbar\ChaCha Guide Universe Toolbar\small_logo.gif
c:\program files\IEToolbar\ChaCha Guide Universe Toolbar\stub.html
c:\program files\IEToolbar\ChaCha Guide Universe Toolbar\tbs_include_script_016216.js
c:\program files\IEToolbar\ChaCha Guide Universe Toolbar\tbu08907\Universe.dll
c:\program files\IEToolbar\ChaCha Guide Universe Toolbar\uninstall.exe
c:\program files\IEToolbar\ChaCha Guide Universe Toolbar\Universe.crc
c:\program files\IEToolbar\ChaCha Guide Universe Toolbar\Universe.dll
c:\program files\IEToolbar\ChaCha Guide Universe Toolbar\universe_restart.exe
c:\program files\IEToolbar\ChaCha Guide Universe Toolbar\version.txt
c:\program files\IEToolbar\ChaCha Guide Universe Toolbar\your_logo.png
c:\users\Jenifer & James\AppData\Local\{CB05F3FF-FB20-4764-8AD5-C451D07CB068}
c:\users\Jenifer & James\AppData\Local\{CB05F3FF-FB20-4764-8AD5-C451D07CB068}\chrome.manifest
c:\users\Jenifer & James\AppData\Local\{CB05F3FF-FB20-4764-8AD5-C451D07CB068}\chrome\content\_cfg.js
c:\users\Jenifer & James\AppData\Local\{CB05F3FF-FB20-4764-8AD5-C451D07CB068}\chrome\content\overlay.xul
c:\users\Jenifer & James\AppData\Local\{CB05F3FF-FB20-4764-8AD5-C451D07CB068}\install.rdf
c:\windows\hide.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\winhelp.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))
.
.
2011-05-23 22:59 . 2011-05-23 23:03 -------- d-----w- c:\users\Jenifer & James\AppData\Local\temp
2011-05-23 22:59 . 2011-05-23 22:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-23 21:38 . 2011-05-23 21:38 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-23 21:34 . 2011-05-23 21:34 -------- d-----w- c:\users\Jenifer & James\AppData\Roaming\Leadertech
2011-05-23 20:57 . 2011-05-23 20:57 -------- d-----w- c:\users\Jenifer & James\AppData\Roaming\Adobe(772)
2011-05-23 16:21 . 2011-05-23 16:21 -------- d-----w- c:\programdata\AVAST Software
2011-05-23 16:21 . 2011-05-23 16:21 -------- d-----w- c:\program files\AVAST Software
2011-05-23 15:24 . 2011-05-23 15:24 -------- d-----w- C:\found.000
2011-05-20 20:01 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C1F67108-BD36-422B-A7E4-43AC0C152297}\mpengine.dll
2011-05-14 20:05 . 2011-05-14 20:05 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2011-05-14 20:05 . 2011-05-14 20:05 -------- d-----w- c:\program files\Common Files\xing shared
2011-05-14 20:04 . 2011-05-14 20:04 150712 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2011-05-14 20:04 . 2011-05-14 20:04 105472 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2011-05-14 20:04 . 2011-05-14 20:05 -------- d-----w- c:\program files\real
2011-05-08 01:11 . 2011-05-08 01:11 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-08 01:11 . 2011-05-08 01:11 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-08 01:11 . 2011-05-08 01:11 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-08 01:11 . 2011-05-08 01:11 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-08 01:11 . 2011-05-08 01:11 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-08 01:11 . 2011-05-08 01:11 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-08 01:11 . 2011-05-08 01:11 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-08 01:11 . 2011-05-08 01:11 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-02 20:53 . 2010-01-10 23:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2011-05-02 20:53 . 2011-05-02 20:53 -------- d-----w- c:\program files\SpywareBlaster
2011-05-02 01:33 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-02 01:33 . 2011-05-02 01:33 -------- d-----w- c:\programdata\Malwarebytes
2011-05-02 01:33 . 2011-05-02 01:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-02 01:33 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-14 20:04 . 2003-03-19 03:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-05-14 20:04 . 2003-02-21 12:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-03-10 17:03 . 2011-04-13 20:47 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03 . 2011-04-13 20:47 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42 . 2011-04-13 20:47 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 13:25 . 2011-04-13 20:47 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44 . 2011-04-13 20:47 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-05-08 01:11 . 2011-05-08 01:11 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-06-26 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-26 8433664]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-26 81920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 865840]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 4468736]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-25 45056]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"Skytel"="Skytel.exe" [2007-05-07 1826816]
"ACQTMOUSE"="c:\program files\Mouse Setting\Mouse Setting Software\4.0\ACQTMAPP.exe" [2008-08-01 501760]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-07-03 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-06-15 14:22 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acer VCM.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Acer VCM.lnk
backup=c:\windows\pss\Acer VCM.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Philips GoGear VIBE Device Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Philips GoGear VIBE Device Manager.lnk
backup=c:\windows\pss\Philips GoGear VIBE Device Manager.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Jenifer & James^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Desktop Application Director.lnk]
path=c:\users\Jenifer & James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Application Director.lnk
backup=c:\windows\pss\Desktop Application Director.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Jenifer & James^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\users\Jenifer & James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Jenifer & James^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\users\Jenifer & James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-02-02 18:05 1261568 ----a-w- c:\program files\Acer Assist\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder]
2007-05-22 22:49 151552 ----a-w- c:\acer\AcerTour\Reminder.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 03:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALUAlert]
2007-09-12 23:27 492912 ----a-w- c:\program files\Symantec\LiveUpdate\ALUNOTIFY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMTDeviceService]
2009-01-21 20:11 184320 ----a-w- c:\program files\AMT Media Manager\AMTDeviceService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-10-10 18:32 203264 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eAudio]
2007-06-11 21:54 1286144 ----a-w- c:\acer\Empowering Technology\eAudio\eAudio.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-12 00:13 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-12 00:13 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2007-07-31 01:36 707080 ----a-w- c:\progra~1\LAUNCH~1\QtZgAcer.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-12 00:13 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayMovie]
2007-05-24 20:38 206952 ------w- c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-02-01 04:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 06:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-05-01 13:20 2423752 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
2007-11-29 00:51 583048 ----a-w- c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-05-14 20:04 273544 ----a-w- c:\program files\real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2009-02-23 13:05 111856 ----a-w- c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-06-15 12872]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-06-15 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-06-15 67656]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2006-11-02 13560]
S2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-01-26 50688]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-08 179712]
S3 winbondcir;Winbond IR Transceiver;c:\windows\system32\DRIVERS\winbondcir.sys [2007-04-19 43008]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.us.acer.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Free YouTube to Mp3 Converter - c:\users\Jenifer & James\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
FF - ProfilePath - c:\users\Jenifer & James\AppData\Roaming\Mozilla\Firefox\Profiles\uomxk22y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.biblegateway.com/passage/?search=Isaiah%2041:10&version=NASB|http://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc6de46&v=6.010.006.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Acer Tour Reminder - (no file)
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)
HKLM-Run-SetPanel - c:\acer\APanel\APanel.cmd
MSConfigStartUp-ALaunch - c:\acer\ALaunch\AlaunchClient.exe
MSConfigStartUp-Rmijaxakuqejako - c:\users\Jenifer & James\AppData\Local\nedtyupi.dll
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1272)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\RtHDVCpl.exe
c:\windows\ehome\ehmsas.exe
c:\users\JENIFE~1\AppData\Local\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Completion time: 2011-05-23 19:11:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-23 23:10
.
Pre-Run: 11,708,706,816 bytes free
Post-Run: 14,668,541,952 bytes free
.
- - End Of File - - F50B394C075F84889F708C58B565B4BA

 

[johnb35]

I didn't need you to post the log again. I have no idea what the backups folder is on your desktop, whats in it?

 

[Genevive]

There are 7 of them and the first one says backup-20110523-212239-240 with the date...there were 7 of those hijack things you had me fix and when I clicked fix they just went away, and I was waiting for something to happen. I wonder if these are those things?

 

[Genevive]

When I click to open one of them a box comes up and wants me to find a program to open it with

 

[johnb35]

Never mind, I noticed you are running hijackthis from your desktop, thats why it created a backups folder on your desktop. You may delete the folder.

 

[Genevive]

yea I'm on it now and pulled up a few pages and it's working fine.

 

[Genevive]

Ok you are sure I can delete that back up folder? And now what about that defender.exe in the Roaming folder...just leave it?