Virus Removal Help - Logs

[CareyS]

HijackThis

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:46:49 PM, on 4/10/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\PixArt\PAC7302\Monitor.exe
C:\Users\Carey\AppData\Roaming\hidserv.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10o_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Carey\AppData\Local\Temp\15297.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\SysWOW64\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e525&r=273601100745l0354z125r49122341
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e525&r=273601100745l0354z125r49122341
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e525&r=273601100745l0354z125r49122341
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
O4 - HKLM\..\Run: [InstaLAN] "C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe
O4 - HKCU\..\Run: [msconfig] C:\Users\Carey\AppData\Roaming\Microsoft\System\Services\msconfig.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SysCore] C:\Users\Carey\AppData\Roaming\hidserv.exe
O4 - HKCU\..\Run: [WinDefend] C:\Users\Carey\AppData\Roaming\newer1.exe
O4 - HKCU\..\Run: [Core Services] C:\Users\Carey\AppData\Roaming\winlogon.exe
O4 - HKLM\..\Policies\Explorer\Run: [Windows Defender] C:\Users\Carey\AppData\Roaming\update.exe
O4 - HKLM\..\Policies\Explorer\Run: [WinDefend] C:\Users\Carey\AppData\Roaming\update.exe
O4 - Startup: RUNDLI32.dll
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://msn.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} (WorldWinner ActiveX Launcher Control) - http://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.16.0.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: Trend Micro RUBotted Service (RUBotSrv) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\RUBotted\RUBotSrv.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Updater Service - Acer - C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9025 bytes

ComboFix

ComboFix 11-04-10.01 - Carey 04/10/2011 21:03:22.1.1 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3002.1789 [GMT -4:00]
Running from: c:\users\Carey\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NO8AF8DR\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Carey\AppData\Roaming\chrtmp
c:\users\Carey\AppData\Roaming\data.dat
c:\users\Carey\AppData\Roaming\hidserv.exe
c:\users\Carey\AppData\Roaming\jtkwv.exe
c:\users\Carey\AppData\Roaming\Microsoft\System\Services\msconfig.exe
c:\users\Carey\AppData\Roaming\Microsoft\Windows\Recent\SkyDrive.url
c:\users\Carey\AppData\Roaming\whmkp.exe
c:\users\Carey\AppData\Roaming\WinDefenders22.exe
c:\users\Carey\AppData\Roaming\winlogon.exe
c:\windows\system32\drivers\etc\lmhosts
.
.
((((((((((((((((((((((((( Files Created from 2011-03-11 to 2011-04-11 )))))))))))))))))))))))))))))))
.
.
2011-04-11 01:31 . 2011-04-11 01:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-10 20:13 . 2011-04-10 20:13 418816 ---h--w- c:\users\Carey\AppData\Roaming\skint.exe
2011-04-10 20:13 . 2011-04-10 20:13 418816 ---h--w- c:\users\Carey\AppData\Roaming\newer1.exe
2011-04-10 16:48 . 2011-04-10 16:48 102400 ----a-w- c:\windows\RegBootClean.exe
2011-04-10 16:41 . 2010-09-06 09:26 189520 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2011-04-10 16:40 . 2011-04-10 16:40 388096 ----a-r- c:\users\Carey\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-10 16:38 . 2011-04-10 16:38 -------- dc----w- c:\program files (x86)\WinPcap
2011-04-10 16:38 . 2011-04-10 16:40 -------- dc----w- c:\program files (x86)\Trend Micro
2011-04-10 02:41 . 2011-04-10 02:41 101376 ---ha-w- c:\users\Carey\AppData\Roaming\ognvj.exe
2011-04-07 01:40 . 2011-04-07 01:40 -------- d-----w- c:\windows\system32\SPReview
2011-04-07 01:39 . 2011-04-07 01:39 -------- d-----w- c:\windows\system32\EventProviders
2011-04-07 01:39 . 2011-03-27 09:21 601424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A99B6432-3690-4787-890A-35262ED9053F}\gapaengine.dll
2011-04-07 01:39 . 2011-03-15 02:17 8424784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AF5642E4-54E8-4BB2-9650-D2C06641F859}\mpengine.dll
2011-04-07 01:35 . 2010-11-20 13:27 3650560 ----a-w- c:\windows\system32\MSVidCtl.dll
2011-04-07 01:34 . 2010-11-20 13:28 459248 ----a-w- c:\windows\system32\drivers\cng.sys
2011-04-07 01:33 . 2010-11-20 13:33 31104 ----a-w- c:\windows\system32\drivers\msahci.sys
2011-04-07 01:32 . 2010-11-20 13:27 73216 ----a-w- c:\windows\system32\unimdmat.dll
2011-04-07 01:31 . 2010-11-20 13:11 6144 ----a-w- c:\windows\system32\drivers\en-US\IPMIDrv.sys.mui
2011-04-07 01:31 . 2010-11-20 13:10 4608 ----a-w- c:\windows\system32\drivers\en-US\kbdclass.sys.mui
2011-04-07 01:31 . 2010-11-20 12:21 189952 ----a-w- c:\windows\SysWow64\wdscore.dll
2011-04-07 01:31 . 2010-11-20 12:17 209920 ----a-w- c:\windows\SysWow64\PkgMgr.exe
2011-04-07 01:31 . 2010-11-20 12:18 323072 ----a-w- c:\windows\SysWow64\drvstore.dll
2011-04-07 01:31 . 2010-11-20 12:18 257024 ----a-w- c:\windows\SysWow64\dpx.dll
2011-04-07 01:31 . 2010-11-20 12:21 363008 ----a-w- c:\windows\SysWow64\wbemcomn.dll
2011-04-07 01:31 . 2010-11-20 12:19 606208 ----a-w- c:\windows\SysWow64\wbem\fastprox.dll
2011-04-07 01:27 . 2010-11-20 13:27 524288 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-04-07 01:27 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll
2011-04-07 01:27 . 2010-11-20 13:27 1225216 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2011-04-07 01:27 . 2010-11-20 13:27 933376 ----a-w- c:\windows\system32\SmiEngine.dll
2011-04-07 01:27 . 2010-11-20 13:25 199168 ----a-w- c:\windows\system32\PkgMgr.exe
2011-04-07 01:26 . 2010-11-20 13:26 422912 ----a-w- c:\windows\system32\drvstore.dll
2011-04-07 01:26 . 2010-11-20 13:26 399872 ----a-w- c:\windows\system32\dpx.dll
2011-04-07 01:07 . 2011-01-17 11:09 197120 ----a-w- c:\windows\system32\d3d10_1.dll
2011-04-07 01:07 . 2011-01-17 05:47 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2011-04-07 01:07 . 2010-11-20 13:26 321024 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-04-07 01:07 . 2010-11-20 12:18 219136 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2011-04-07 00:13 . 2011-04-07 00:13 -------- dc----w- c:\program files (x86)\FileASSASSIN
2011-04-04 02:19 . 2011-04-04 02:19 -------- d-----w- c:\users\Carey\AppData\Roaming\Malwarebytes
2011-04-04 02:16 . 2011-04-04 02:16 14336 ---h--w- c:\users\Carey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RUNDLI32.dll
2011-04-03 20:59 . 2011-04-07 02:25 -------- d-----w- c:\programdata\lGk31400hCjEf31400
2011-04-03 18:41 . 2011-04-03 18:41 200192 ---h--w- c:\users\Carey\AppData\Roaming\Cartguy.exe
2011-04-03 18:15 . 2011-04-03 18:15 199680 ---h--w- c:\users\Carey\AppData\Roaming\Taserz.exe
2011-04-03 17:53 . 2011-04-03 17:53 199680 ---h--w- c:\users\Carey\AppData\Roaming\zer0.exe
2011-04-03 17:42 . 2011-04-03 17:42 200192 ---h--w- c:\users\Carey\AppData\Roaming\hncfee.exe
2011-04-03 17:42 . 2011-04-03 17:42 200192 ---h--w- c:\users\Carey\AppData\Roaming\Baller.exe
2011-04-03 17:27 . 2011-04-03 17:27 98304 ----a-r- c:\users\Carey\AppData\Roaming\Microsoft\Installer\{32939827-D8E5-470A-B126-870DB3C69FDF}\python_icon.exe
2011-03-31 03:59 . 2011-03-31 03:59 -------- dc----w- c:\program files (x86)\Microsoft ActiveSync
2011-03-31 03:58 . 2011-03-31 03:58 -------- d-----w- c:\windows\PCHEALTH
2011-03-31 03:53 . 2011-03-31 03:53 -------- dc----r- C:\MSOCache
2011-03-27 09:22 . 2011-03-27 09:21 601424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-03-27 09:22 . 2011-03-15 02:17 8424784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-27 09:19 . 2011-03-27 09:19 -------- dc----w- c:\program files (x86)\Microsoft Security Client
2011-03-27 09:19 . 2011-03-27 09:19 -------- dc----w- c:\program files\Microsoft Security Client
2011-03-27 01:34 . 2011-03-27 01:34 -------- dc----w- c:\program files (x86)\Web Cam
2011-03-27 01:34 . 2011-03-27 01:34 -------- d-----w- c:\windows\Web Cam
2011-03-27 00:48 . 2011-03-27 00:57 -------- d-----w- c:\users\Carey\AppData\Roaming\acccore
2011-03-27 00:48 . 2011-03-27 00:48 -------- d-----w- c:\users\Carey\AppData\Local\AOL
2011-03-27 00:48 . 2011-03-27 00:48 -------- d-----w- c:\users\Carey\AppData\Local\AIM
2011-03-27 00:47 . 2011-03-27 00:47 -------- d-----w- c:\programdata\AIM
2011-03-27 00:47 . 2011-03-27 00:47 -------- dc----w- c:\program files (x86)\AIM
2011-03-27 00:47 . 2011-03-27 00:47 -------- d-----w- c:\program files (x86)\Common Files\Software Update Utility
2011-03-27 00:47 . 2011-03-27 00:47 -------- d-----w- c:\program files (x86)\Common Files\AOL
2011-03-23 20:19 . 2011-03-18 17:53 142296 -c--a-w- c:\program files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-03-23 20:19 . 2011-03-18 17:53 781272 -c--a-w- c:\program files (x86)\Mozilla Firefox\mozsqlite3.dll
2011-03-23 20:19 . 2011-03-18 17:53 1874904 -c--a-w- c:\program files (x86)\Mozilla Firefox\mozjs.dll
2011-03-23 20:19 . 2011-03-18 17:53 15832 -c--a-w- c:\program files (x86)\Mozilla Firefox\mozalloc.dll
2011-03-23 20:19 . 2011-03-18 17:53 728024 -c--a-w- c:\program files (x86)\Mozilla Firefox\libGLESv2.dll
2011-03-23 20:19 . 2011-03-18 17:53 142296 -c--a-w- c:\program files (x86)\Mozilla Firefox\libEGL.dll
2011-03-23 20:19 . 2011-03-18 17:53 1893336 -c--a-w- c:\program files (x86)\Mozilla Firefox\d3dx9_42.dll
2011-03-23 20:19 . 2011-03-18 17:53 1975768 -c--a-w- c:\program files (x86)\Mozilla Firefox\D3DCompiler_42.dll
2011-03-22 05:42 . 2011-03-22 05:43 -------- d-----w- c:\users\Carey\FrostWire
2011-03-22 05:42 . 2011-03-27 19:49 -------- d-----w- c:\users\Carey\AppData\Roaming\FrostWire
2011-03-22 05:42 . 2011-03-22 05:42 -------- dc----w- c:\program files (x86)\FrostWire
2011-03-21 07:31 . 2011-02-17 21:21 228272 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2011-03-21 07:31 . 2011-02-17 21:21 56688 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-07 07:22 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-04-07 07:21 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-03-25 02:24 . 2010-06-24 15:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-27 02:49 . 2009-07-13 23:55 332288 ----a-w- c:\windows\system32\uxtheme.dll
2011-02-27 02:49 . 2009-07-13 23:54 44544 ----a-w- c:\windows\system32\themeservice.dll
2011-02-27 02:48 . 2011-02-27 02:48 245760 ----a-w- c:\windows\SysWow64\uxtheme.dll.tmp
2011-02-27 02:48 . 2009-07-13 23:39 245760 ----a-w- c:\windows\SysWow64\uxtheme.dll
2011-02-19 12:05 . 2011-03-09 03:14 1139200 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 12:04 . 2011-03-09 03:14 1544192 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 12:04 . 2011-03-09 03:14 902656 ----a-w- c:\windows\system32\d2d1.dll
2011-02-19 06:30 . 2011-03-09 03:14 1076736 ----a-w- c:\windows\SysWow64\DWrite.dll
2011-02-19 06:30 . 2011-03-09 03:14 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2011-02-17 21:21 . 2011-02-17 21:21 156080 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2011-02-03 02:40 . 2010-05-27 19:00 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"WinDefend"="c:\users\Carey\AppData\Roaming\newer1.exe" [2011-04-10 418816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2009-08-18 1157128]
"InstaLAN"="c:\program files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Trend Micro RUBotted V2.0 Beta"="c:\program files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
.
c:\users\Carey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
RUNDLI32.dll [2011-4-3 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 SABKUTIL;SABKUTIL;c:\program files\SUPERAntiSpyware\SABKUTIL.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-22 136176]
R3 elomoufiltr;ELO TouchSystems-SRV2;c:\windows\system32\DRIVERS\elofiltr.sys [x]
R3 EloUsb;ELO TouchSystems-SRV;c:\windows\system32\DRIVERS\EloUsb.sys [x]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-02 225280]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 UsbFltr;WayTech USB Filter Driver;c:\windows\system32\Drivers\UsbFltr.sys [x]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-07 125440]
R4 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-06-18 50432]
R4 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-06-18 144640]
R4 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
S2 ePowerSvc;Acer ePower Service;c:\program files\eMachines\eMachines Power Management\ePowerSvc.exe [2009-09-30 844320]
S2 Greg_Service;GRegService;c:\program files (x86)\eMachines\Registration\GregHSRW.exe [2009-08-28 1150496]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
S2 RUBotSrv;Trend Micro RUBotted Service;c:\program files (x86)\Trend Micro\RUBotted\RUBotSrv.exe [2010-12-17 439632]
S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-03-18 2271608]
S2 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [2009-07-04 240160]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 282616]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
2010-11-20 12:17 302592 ----a-w- c:\windows\System32\cmd.exe
.
[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{50EEBAAA-D4BB-0338-D3E5-FF1A20D6BE6A}]
2011-04-03 18:41 200192 ---h--w- c:\users\Carey\AppData\Roaming\Cartguy.exe
.
[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{A2EE6DEE-7BDD-ECAF-ECFA-385888B80BBC}]
2011-04-03 17:42 200192 ---h--w- c:\users\Carey\AppData\Roaming\Baller.exe
.
[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{DBD0BFDA-BD7B-D79F-EDFF-A3FDF1CEFE5E}]
2011-04-03 18:15 199680 ---h--w- c:\users\Carey\AppData\Roaming\Taserz.exe
.
[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{DE6B89F3-D15B-DDEC-5FD7-AAFDF408ACEB}]
2011-04-03 17:53 199680 ---h--w- c:\users\Carey\AppData\Roaming\zer0.exe
.
[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{FEDBDBAD-AB4A-ABBE-E9FC-8BB5ABCCDFBF}]
2011-04-10 20:13 418816 ---h--w- c:\users\Carey\AppData\Roaming\newer1.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-22 17:38]
.
2011-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-22 17:38]
.
2011-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-980950009-3502926670-818389737-1000Core.job
- c:\users\Carey\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-14 17:38]
.
2011-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-980950009-3502926670-818389737-1000UA.job
- c:\users\Carey\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-14 17:38]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-10-13 186904]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-28 7982112]
"Acer ePower Management"="c:\program files\eMachines\eMachines Power Management\ePowerTray.exe" [2009-09-30 823840]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-06-11 301056]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 159232]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 380928]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 358912]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2007-08-09 319488]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 1436224]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/home.php
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e525&r=273601100745l0354z125r49122341
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\users\Carey\AppData\Roaming\Mozilla\Firefox\Profiles\wzheli8w.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-SysCore - c:\users\Carey\AppData\Roaming\hidserv.exe
Wow6432Node-HKCU-Run-Core Services - c:\users\Carey\AppData\Roaming\winlogon.exe
Wow6432Node-HKCU-Run-WinNT - c:\users\Carey\AppData\Roaming\WinDefenders22.exe
HKLM_Wow6432Node-ActiveSetup-{84A965AC-D1D6-DCED-07DC-B40E2CFFDDCC} - c:\users\Carey\AppData\Roaming\update.exe
HKLM_Wow6432Node-ActiveSetup-{BAF57B7D-6ABF-EC3D-946F-6E82B4DE4CD0} - c:\users\Carey\AppData\Roaming\update.exe
HKCU_Wow6432Node-ActiveSetup-{0CFAA4BB-B63B-AACB-D3FD-3AC9DAA8BD2E} - c:\users\Carey\AppData\Roaming\WinDefenders22.exe
HKCU_Wow6432Node-ActiveSetup-{0FFDB5B6-1FBE-DEDA-CF96-CE66CEB0EAD8} - c:\users\Carey\AppData\Roaming\svchost.exe
HKCU_Wow6432Node-ActiveSetup-{84A965AC-D1D6-DCED-07DC-B40E2CFFDDCC} - c:\users\Carey\AppData\Roaming\update.exe
HKCU_Wow6432Node-ActiveSetup-{A4A2FEEE-B2BE-FBAE-CEEA-1B3FF11ED79E} - c:\users\Carey\AppData\Roaming\bot.exe
HKCU_Wow6432Node-ActiveSetup-{BAF57B7D-6ABF-EC3D-946F-6E82B4DE4CD0} - c:\users\Carey\AppData\Roaming\update.exe
HKCU_Wow6432Node-ActiveSetup-{F4381CAD-8FAB-F5B6-BDD7-9BDE0AD9D5AC} - c:\users\Carey\AppData\Roaming\WinUpdts.exe
HKCU_Wow6432Node-ActiveSetup-{FEA35EA1-BCF8-ED94-ABC4-FA397BFBC5DA} - c:\users\Carey\AppData\Roaming\local.exe
Toolbar-Locked - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-04-10 21:34:36
ComboFix-quarantined-files.txt 2011-04-11 01:34
.
Pre-Run: 180,876,242,944 bytes free
Post-Run: 181,018,210,304 bytes free
.
- - End Of File - - B85BB3E29219A95318AC51E1B9D23020

Security Essentials found nothing but has been cleaning when infected things come about.

TrendMicro RUBotted Found 2 things and removed them.

And TrendMicro RootkitBuster won't run on x64-bit Operating Systems.

Thanks, CareyS

 

[johnb35]

You posted the hijackthis log before you ran combofix, please repost a fresh hijackthis log while I go through the combofix log.

 

[CareyS]

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:20:28 PM, on 4/10/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\PixArt\PAC7302\Monitor.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10o_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e525&r=273601100745l0354z125r49122341
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
O4 - HKLM\..\Run: [InstaLAN] "C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WinDefend] C:\Users\Carey\AppData\Roaming\newer1.exe
O4 - Startup: RUNDLI32.dll
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://msn.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} (WorldWinner ActiveX Launcher Control) - http://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.16.0.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: Trend Micro RUBotted Service (RUBotSrv) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\RUBotted\RUBotSrv.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Updater Service - Acer - C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7991 bytes

 

[johnb35]

OK, scratch that... You are still highly infected, please do the following.

Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware

If for some reason Malwarebytes will not install or run please download and run Rkill.scr, Rkill.exe, or Rkill.com but DO NOT reboot the system and then try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away or you get a message saying rkill is infected, keep trying to run rkill until it over powers the infection and temporarily kills it. Once a log appears on the screen, you can try running malwarebytes or downloading other programs.



Post the Malwarebytes Anti-Malware log along with a fresh hijackthis log.

 

[CareyS]

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

4/10/2011 11:31:47 PM
mbam-log-2011-04-10 (23-31-47).txt

Scan type: Quick scan
Objects scanned: 118381
Time elapsed: 5 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

[johnb35]

You need to update malwarebytes and rerun a quick scan as you are using an outdated database.

Open malwarebytes, click on the update tab, click on check for updates. Then rerun a scan.

 

[CareyS]

Running Scan, But I get this at every startup.

 

[CareyS]

Malwarebytes has found 15 threats so far.

 

[johnb35]

Running Scan, But I get this at every startup.

Yes, thats one of the infections I saw in the combofix log. Just make sure you run a new hijackthis log after posting the malwarebytes log.

 

[CareyS]

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6329

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

4/10/2011 11:51:18 PM
mbam-log-2011-04-10 (23-51-18).txt

Scan type: Quick scan
Objects scanned: 165261
Time elapsed: 5 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{DE6B89F3-D15B-DDEC-5FD7-AAFDF408ACEB} (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{DE6B89F3-D15B-DDEC-5FD7-AAFDF408ACEB} (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{50EEBAAA-D4BB-0338-D3E5-FF1A20D6BE6A} (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{50EEBAAA-D4BB-0338-D3E5-FF1A20D6BE6A} (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{A2EE6DEE-7BDD-ECAF-ECFA-385888B80BBC} (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{A2EE6DEE-7BDD-ECAF-ECFA-385888B80BBC} (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{DBD0BFDA-BD7B-D79F-EDFF-A3FDF1CEFE5E} (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{DBD0BFDA-BD7B-D79F-EDFF-A3FDF1CEFE5E} (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Carey\AppData\Roaming\zer0.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Carey\AppData\Roaming\Cartguy.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Carey\AppData\Roaming\Baller.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Carey\AppData\Roaming\Taserz.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Carey\AppData\Roaming\hncfee.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Carey\AppData\Roaming\ognvj.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Carey\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\RUNDLI32.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\Carey\AppData\Roaming\data.dat (Stolen.Data) -> Quarantined and deleted successfully.

 

[CareyS]

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:52:13 PM, on 4/10/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\PixArt\PAC7302\Monitor.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10o_ActiveX.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\SysWOW64\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e525&r=273601100745l0354z125r49122341
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
O4 - HKLM\..\Run: [InstaLAN] "C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WinDefend] C:\Users\Carey\AppData\Roaming\newer1.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://msn.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} (WorldWinner ActiveX Launcher Control) - http://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.16.0.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: Trend Micro RUBotted Service (RUBotSrv) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\RUBotted\RUBotSrv.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Updater Service - Acer - C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8068 bytes

 

[johnb35]

Did malwarebytes tell you to reboot the system? If so, please do so now. Your hijackthis log still shows the infection. Reboot the system and rerun combofix for me.

 

[CareyS]

Can I have the link for ComboFix?

 

[johnb35]

Please download combofix to your desktop as we will most likely need to use it later on.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

• Download this file here :
  
  http://www.bleepingcomputer.com/download/anti-virus/combofix
  
• Then double click combofix.exe & follow the prompts.
• When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.


In your next reply please post:

• The ComboFix log
• A fresh HiJackThis log
• An update on how your computer is running

 

[CareyS]

Start up is alot faster and no more error messages.

Combo is running.

 

[CareyS]

ComboFix 11-04-10.02 - Carey 04/11/2011 0:22.2.1 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3002.1968 [GMT -4:00]
Running from: c:\users\Carey\Desktop\Security and Tools\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Carey\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-03-11 to 2011-04-11 )))))))))))))))))))))))))))))))
.
.
2011-04-11 04:29 . 2011-04-11 04:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-11 04:01 . 2011-03-15 02:17 8424784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4F6D234C-4011-4CBB-A633-13EE3E614609}\mpengine.dll
2011-04-11 02:48 . 2011-04-11 02:48 -------- dc----w- C:\dell
2011-04-10 16:48 . 2011-04-10 16:48 102400 ----a-w- c:\windows\RegBootClean.exe
2011-04-10 16:41 . 2010-09-06 09:26 189520 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2011-04-10 16:40 . 2011-04-10 16:40 388096 ----a-r- c:\users\Carey\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-10 16:38 . 2011-04-10 16:38 -------- dc----w- c:\program files (x86)\WinPcap
2011-04-10 16:38 . 2011-04-10 16:40 -------- dc----w- c:\program files (x86)\Trend Micro
2011-04-07 01:40 . 2011-04-07 01:40 -------- d-----w- c:\windows\system32\SPReview
2011-04-07 01:39 . 2011-04-07 01:39 -------- d-----w- c:\windows\system32\EventProviders
2011-04-07 01:39 . 2011-03-27 09:21 601424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A99B6432-3690-4787-890A-35262ED9053F}\gapaengine.dll
2011-04-07 01:35 . 2010-11-20 13:27 3650560 ----a-w- c:\windows\system32\MSVidCtl.dll
2011-04-07 01:34 . 2010-11-20 13:28 459248 ----a-w- c:\windows\system32\drivers\cng.sys
2011-04-07 01:33 . 2010-11-20 13:33 31104 ----a-w- c:\windows\system32\drivers\msahci.sys
2011-04-07 01:32 . 2010-11-20 13:27 73216 ----a-w- c:\windows\system32\unimdmat.dll
2011-04-07 01:31 . 2010-11-20 13:11 6144 ----a-w- c:\windows\system32\drivers\en-US\IPMIDrv.sys.mui
2011-04-07 01:31 . 2010-11-20 13:10 4608 ----a-w- c:\windows\system32\drivers\en-US\kbdclass.sys.mui
2011-04-07 01:31 . 2010-11-20 12:21 189952 ----a-w- c:\windows\SysWow64\wdscore.dll
2011-04-07 01:31 . 2010-11-20 12:17 209920 ----a-w- c:\windows\SysWow64\PkgMgr.exe
2011-04-07 01:31 . 2010-11-20 12:18 323072 ----a-w- c:\windows\SysWow64\drvstore.dll
2011-04-07 01:31 . 2010-11-20 12:18 257024 ----a-w- c:\windows\SysWow64\dpx.dll
2011-04-07 01:31 . 2010-11-20 12:21 363008 ----a-w- c:\windows\SysWow64\wbemcomn.dll
2011-04-07 01:31 . 2010-11-20 12:19 606208 ----a-w- c:\windows\SysWow64\wbem\fastprox.dll
2011-04-07 01:27 . 2010-11-20 13:27 524288 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-04-07 01:27 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll
2011-04-07 01:27 . 2010-11-20 13:27 1225216 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2011-04-07 01:27 . 2010-11-20 13:27 933376 ----a-w- c:\windows\system32\SmiEngine.dll
2011-04-07 01:27 . 2010-11-20 13:25 199168 ----a-w- c:\windows\system32\PkgMgr.exe
2011-04-07 01:26 . 2010-11-20 13:26 422912 ----a-w- c:\windows\system32\drvstore.dll
2011-04-07 01:26 . 2010-11-20 13:26 399872 ----a-w- c:\windows\system32\dpx.dll
2011-04-07 01:07 . 2011-01-17 11:09 197120 ----a-w- c:\windows\system32\d3d10_1.dll
2011-04-07 01:07 . 2011-01-17 05:47 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2011-04-07 01:07 . 2010-11-20 13:26 321024 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-04-07 01:07 . 2010-11-20 12:18 219136 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2011-04-07 00:13 . 2011-04-07 00:13 -------- dc----w- c:\program files (x86)\FileASSASSIN
2011-04-04 02:19 . 2011-04-04 02:19 -------- d-----w- c:\users\Carey\AppData\Roaming\Malwarebytes
2011-04-03 20:59 . 2011-04-07 02:25 -------- d-----w- c:\programdata\lGk31400hCjEf31400
2011-04-03 17:27 . 2011-04-03 17:27 98304 ----a-r- c:\users\Carey\AppData\Roaming\Microsoft\Installer\{32939827-D8E5-470A-B126-870DB3C69FDF}\python_icon.exe
2011-03-31 03:59 . 2011-03-31 03:59 -------- dc----w- c:\program files (x86)\Microsoft ActiveSync
2011-03-31 03:58 . 2011-03-31 03:58 -------- d-----w- c:\windows\PCHEALTH
2011-03-31 03:53 . 2011-03-31 03:53 -------- dc----r- C:\MSOCache
2011-03-27 09:22 . 2011-03-27 09:21 601424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-03-27 09:22 . 2011-03-15 02:17 8424784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-27 09:19 . 2011-03-27 09:19 -------- dc----w- c:\program files (x86)\Microsoft Security Client
2011-03-27 09:19 . 2011-03-27 09:19 -------- dc----w- c:\program files\Microsoft Security Client
2011-03-27 01:34 . 2011-03-27 01:34 -------- dc----w- c:\program files (x86)\Web Cam
2011-03-27 01:34 . 2011-03-27 01:34 -------- d-----w- c:\windows\Web Cam
2011-03-27 00:48 . 2011-03-27 00:57 -------- d-----w- c:\users\Carey\AppData\Roaming\acccore
2011-03-27 00:48 . 2011-03-27 00:48 -------- d-----w- c:\users\Carey\AppData\Local\AOL
2011-03-27 00:48 . 2011-03-27 00:48 -------- d-----w- c:\users\Carey\AppData\Local\AIM
2011-03-27 00:47 . 2011-03-27 00:47 -------- d-----w- c:\programdata\AIM
2011-03-27 00:47 . 2011-03-27 00:47 -------- dc----w- c:\program files (x86)\AIM
2011-03-27 00:47 . 2011-03-27 00:47 -------- d-----w- c:\program files (x86)\Common Files\Software Update Utility
2011-03-27 00:47 . 2011-03-27 00:47 -------- d-----w- c:\program files (x86)\Common Files\AOL
2011-03-23 20:19 . 2011-03-18 17:53 142296 -c--a-w- c:\program files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-03-23 20:19 . 2011-03-18 17:53 781272 -c--a-w- c:\program files (x86)\Mozilla Firefox\mozsqlite3.dll
2011-03-23 20:19 . 2011-03-18 17:53 1874904 -c--a-w- c:\program files (x86)\Mozilla Firefox\mozjs.dll
2011-03-23 20:19 . 2011-03-18 17:53 15832 -c--a-w- c:\program files (x86)\Mozilla Firefox\mozalloc.dll
2011-03-23 20:19 . 2011-03-18 17:53 728024 -c--a-w- c:\program files (x86)\Mozilla Firefox\libGLESv2.dll
2011-03-23 20:19 . 2011-03-18 17:53 142296 -c--a-w- c:\program files (x86)\Mozilla Firefox\libEGL.dll
2011-03-23 20:19 . 2011-03-18 17:53 1893336 -c--a-w- c:\program files (x86)\Mozilla Firefox\d3dx9_42.dll
2011-03-23 20:19 . 2011-03-18 17:53 1975768 -c--a-w- c:\program files (x86)\Mozilla Firefox\D3DCompiler_42.dll
2011-03-22 05:42 . 2011-03-22 05:43 -------- d-----w- c:\users\Carey\FrostWire
2011-03-22 05:42 . 2011-03-27 19:49 -------- d-----w- c:\users\Carey\AppData\Roaming\FrostWire
2011-03-22 05:42 . 2011-03-22 05:42 -------- dc----w- c:\program files (x86)\FrostWire
2011-03-21 07:31 . 2011-02-17 21:21 228272 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2011-03-21 07:31 . 2011-02-17 21:21 56688 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-07 07:22 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-04-07 07:21 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-03-25 02:24 . 2010-06-24 15:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-27 02:49 . 2009-07-13 23:55 332288 ----a-w- c:\windows\system32\uxtheme.dll
2011-02-27 02:49 . 2009-07-13 23:54 44544 ----a-w- c:\windows\system32\themeservice.dll
2011-02-27 02:48 . 2011-02-27 02:48 245760 ----a-w- c:\windows\SysWow64\uxtheme.dll.tmp
2011-02-27 02:48 . 2009-07-13 23:39 245760 ----a-w- c:\windows\SysWow64\uxtheme.dll
2011-02-19 12:05 . 2011-03-09 03:14 1139200 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 12:04 . 2011-03-09 03:14 1544192 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 12:04 . 2011-03-09 03:14 902656 ----a-w- c:\windows\system32\d2d1.dll
2011-02-19 06:30 . 2011-03-09 03:14 1076736 ----a-w- c:\windows\SysWow64\DWrite.dll
2011-02-19 06:30 . 2011-03-09 03:14 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2011-02-17 21:21 . 2011-02-17 21:21 156080 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2011-02-03 02:40 . 2010-05-27 19:00 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-11_01.31.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-05 17:49 . 2011-04-11 04:09 57912 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-04-11 04:09 47418 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2010-01-24 21:55 . 2011-04-10 19:56 13278 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-980950009-3502926670-818389737-1000_UserData.bin
+ 2010-01-24 21:55 . 2011-04-11 04:09 13278 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-980950009-3502926670-818389737-1000_UserData.bin
+ 2010-04-10 17:01 . 2010-12-20 22:08 24152 c:\windows\system32\drivers\mbam.sys
+ 2010-01-24 21:56 . 2011-04-11 04:09 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-01-24 21:56 . 2011-04-10 19:57 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-24 21:56 . 2011-04-11 04:09 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-24 21:56 . 2011-04-10 19:57 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-24 21:56 . 2011-04-10 19:57 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-01-24 21:56 . 2011-04-11 04:09 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-01-24 10:49 . 2011-04-11 04:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-01-24 10:49 . 2011-04-11 01:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-01-24 10:49 . 2011-04-11 01:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-01-24 10:49 . 2011-04-11 04:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-04-11 04:29 . 2011-04-11 04:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-04-10 19:53 . 2011-04-10 19:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-04-10 19:53 . 2011-04-10 19:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-04-11 04:29 . 2011-04-11 04:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:36 . 2011-04-11 04:16 626278 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-04-10 20:01 626278 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-04-11 04:16 107522 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-04-10 20:01 107522 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2011-04-10 19:52 352064 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-04-11 04:29 352064 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-08-12 03:35 . 2011-04-11 03:41 1372144 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-980950009-3502926670-818389737-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2009-08-18 1157128]
"InstaLAN"="c:\program files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Trend Micro RUBotted V2.0 Beta"="c:\program files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 SABKUTIL;SABKUTIL;c:\program files\SUPERAntiSpyware\SABKUTIL.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-22 136176]
R3 elomoufiltr;ELO TouchSystems-SRV2;c:\windows\system32\DRIVERS\elofiltr.sys [x]
R3 EloUsb;ELO TouchSystems-SRV;c:\windows\system32\DRIVERS\EloUsb.sys [x]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-02 225280]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 UsbFltr;WayTech USB Filter Driver;c:\windows\system32\Drivers\UsbFltr.sys [x]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-07 125440]
R4 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-06-18 50432]
R4 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-06-18 144640]
R4 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
S2 ePowerSvc;Acer ePower Service;c:\program files\eMachines\eMachines Power Management\ePowerSvc.exe [2009-09-30 844320]
S2 Greg_Service;GRegService;c:\program files (x86)\eMachines\Registration\GregHSRW.exe [2009-08-28 1150496]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
S2 RUBotSrv;Trend Micro RUBotted Service;c:\program files (x86)\Trend Micro\RUBotted\RUBotSrv.exe [2010-12-17 439632]
S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-03-18 2271608]
S2 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [2009-07-04 240160]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 282616]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
2010-11-20 12:17 302592 ----a-w- c:\windows\System32\cmd.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-22 17:38]
.
2011-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-22 17:38]
.
2011-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-980950009-3502926670-818389737-1000Core.job
- c:\users\Carey\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-14 17:38]
.
2011-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-980950009-3502926670-818389737-1000UA.job
- c:\users\Carey\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-14 17:38]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-10-13 186904]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-28 7982112]
"Acer ePower Management"="c:\program files\eMachines\eMachines Power Management\ePowerTray.exe" [2009-09-30 823840]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-06-11 301056]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 159232]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 380928]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 358912]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2007-08-09 319488]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 1436224]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/home.php
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e525&r=273601100745l0354z125r49122341
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\users\Carey\AppData\Roaming\Mozilla\Firefox\Profiles\wzheli8w.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-Dell Photo Printer 720 - c:\program files (x86) (x86)\Dell Photo Printer 720\Install\x64\Uninst.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
.
**************************************************************************
.
Completion time: 2011-04-11 00:37:11 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-11 04:37
ComboFix2.txt 2011-04-11 01:34
.
Pre-Run: 180,586,139,648 bytes free
Post-Run: 180,573,495,296 bytes free
.
- - End Of File - - 0208475E172DD6006E7A5B0BEDC7AB0F





HiJackThis

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:42:45 AM, on 4/11/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\PixArt\PAC7302\Monitor.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10o_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\SysWOW64\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e525&r=273601100745l0354z125r49122341
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
O4 - HKLM\..\Run: [InstaLAN] "C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://msn.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} (WorldWinner ActiveX Launcher Control) - http://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.16.0.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: Trend Micro RUBotted Service (RUBotSrv) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\RUBotted\RUBotSrv.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Updater Service - Acer - C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7923 bytes

 

[johnb35]

Ok, a quick look at your logs is showing lots of improvement. I need you to do one more thing, please post an uninstall list using hijackthis.

Open hijackthis, click on open misc tools section, click on open uninstall manager, click on save list and save it. Then copy and paste that log back here. I'm going to bed now but will look at your logs more thoroughly in the morning and will post fixes afterwards.

 

[CareyS]

Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1 MUI
Adobe Shockwave Player 11.5
AIM 7
Apple Application Support
Apple Software Update
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
Belkin Setup and Router Monitor
D3DX10
Dell Photo Printer 720
Download Updater (AOL LLC)
EA Download Manager
eBay Worldwide
eMachines Games
eMachines Power Management
eMachines Recovery Management
eMachines Registration
eMachines Updater
FileASSASSIN
FrostWire 4.21.4
Google Earth
Google Update Helper
HiJackThis
Identity Card
Java(TM) 6 Update 24
Launch Manager
Malwarebytes' Anti-Malware
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft WSE 3.0 Runtime
Mozilla Firefox 4.0 (x86 en-US)
MSVCRT
NTI Backup Now 5
NTI Media Maker 8
PC VGA Camer@ Plus
PhoTags Express
Python 2.7.1
QuickTime
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Skype™ 4.2
TeamViewer 6
The Sims™ 3
The Sims™ 3 Ambitions
The Sims™ 3 Fast Lane Stuff
The Sims™ 3 High-End Loft Stuff
The Sims™ 3 Late Night
The Sims™ 3 Outdoor Living Stuff
The Sims™ 3 World Adventures
TomTom HOME 2.7.6.2056
TomTom HOME Visual Studio Merge Modules
Trend Micro RUBotted 2.0 Beta
Visual C++ 8.0 Runtime Setup Package (x64)
Web Cam
Welcome Center
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Installer
Windows Live Movie Maker
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
WinPcap 4.1.1

 

[johnb35]

I highly recommend for you to uninstall frostwire as most likely thats how you became infected.

Please move combofix out of the folder its in and onto the desktop area so that you can perform this step and we can uninstall it afterwards.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Folder::
c:\programdata\lGk31400hCjEf31400

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

 

[CareyS]

ComboFix 11-04-11.01 - Carey 04/11/2011 17:46:42.3.1 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3002.1852 [GMT -4:00]
Running from: c:\users\Carey\Desktop\ComboFix.exe
Command switches used :: c:\users\Carey\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\lGk31400hCjEf31400
c:\programdata\lGk31400hCjEf31400\lGk31400hCjEf31400
.
.
((((((((((((((((((((((((( Files Created from 2011-03-11 to 2011-04-11 )))))))))))))))))))))))))))))))
.
.
2011-04-11 21:52 . 2011-04-11 21:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-11 04:01 . 2011-03-15 02:17 8424784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4F6D234C-4011-4CBB-A633-13EE3E614609}\mpengine.dll
2011-04-11 02:48 . 2011-04-11 02:48 -------- dc----w- C:\dell
2011-04-10 16:48 . 2011-04-10 16:48 102400 ----a-w- c:\windows\RegBootClean.exe
2011-04-10 16:41 . 2010-09-06 09:26 189520 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2011-04-10 16:40 . 2011-04-10 16:40 388096 ----a-r- c:\users\Carey\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-10 16:38 . 2011-04-10 16:38 -------- dc----w- c:\program files (x86)\WinPcap
2011-04-10 16:38 . 2011-04-10 16:40 -------- dc----w- c:\program files (x86)\Trend Micro
2011-04-07 01:40 . 2011-04-07 01:40 -------- d-----w- c:\windows\system32\SPReview
2011-04-07 01:39 . 2011-04-07 01:39 -------- d-----w- c:\windows\system32\EventProviders
2011-04-07 01:39 . 2011-03-27 09:21 601424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A99B6432-3690-4787-890A-35262ED9053F}\gapaengine.dll
2011-04-07 01:35 . 2010-11-20 13:27 3650560 ----a-w- c:\windows\system32\MSVidCtl.dll
2011-04-07 01:34 . 2010-11-20 13:28 459248 ----a-w- c:\windows\system32\drivers\cng.sys
2011-04-07 01:33 . 2010-11-20 13:33 31104 ----a-w- c:\windows\system32\drivers\msahci.sys
2011-04-07 01:32 . 2010-11-20 13:27 73216 ----a-w- c:\windows\system32\unimdmat.dll
2011-04-07 01:31 . 2010-11-20 13:11 6144 ----a-w- c:\windows\system32\drivers\en-US\IPMIDrv.sys.mui
2011-04-07 01:31 . 2010-11-20 13:10 4608 ----a-w- c:\windows\system32\drivers\en-US\kbdclass.sys.mui
2011-04-07 01:31 . 2010-11-20 12:21 189952 ----a-w- c:\windows\SysWow64\wdscore.dll
2011-04-07 01:31 . 2010-11-20 12:17 209920 ----a-w- c:\windows\SysWow64\PkgMgr.exe
2011-04-07 01:31 . 2010-11-20 12:18 323072 ----a-w- c:\windows\SysWow64\drvstore.dll
2011-04-07 01:31 . 2010-11-20 12:18 257024 ----a-w- c:\windows\SysWow64\dpx.dll
2011-04-07 01:31 . 2010-11-20 12:21 363008 ----a-w- c:\windows\SysWow64\wbemcomn.dll
2011-04-07 01:31 . 2010-11-20 12:19 606208 ----a-w- c:\windows\SysWow64\wbem\fastprox.dll
2011-04-07 01:27 . 2010-11-20 13:27 524288 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-04-07 01:27 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll
2011-04-07 01:27 . 2010-11-20 13:27 1225216 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2011-04-07 01:27 . 2010-11-20 13:27 933376 ----a-w- c:\windows\system32\SmiEngine.dll
2011-04-07 01:27 . 2010-11-20 13:25 199168 ----a-w- c:\windows\system32\PkgMgr.exe
2011-04-07 01:26 . 2010-11-20 13:26 422912 ----a-w- c:\windows\system32\drvstore.dll
2011-04-07 01:26 . 2010-11-20 13:26 399872 ----a-w- c:\windows\system32\dpx.dll
2011-04-07 01:07 . 2011-01-17 11:09 197120 ----a-w- c:\windows\system32\d3d10_1.dll
2011-04-07 01:07 . 2011-01-17 05:47 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2011-04-07 01:07 . 2010-11-20 13:26 321024 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-04-07 01:07 . 2010-11-20 12:18 219136 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2011-04-07 00:13 . 2011-04-07 00:13 -------- dc----w- c:\program files (x86)\FileASSASSIN
2011-04-04 02:19 . 2011-04-04 02:19 -------- d-----w- c:\users\Carey\AppData\Roaming\Malwarebytes
2011-04-03 17:27 . 2011-04-03 17:27 98304 ----a-r- c:\users\Carey\AppData\Roaming\Microsoft\Installer\{32939827-D8E5-470A-B126-870DB3C69FDF}\python_icon.exe
2011-03-31 03:59 . 2011-03-31 03:59 -------- dc----w- c:\program files (x86)\Microsoft ActiveSync
2011-03-31 03:58 . 2011-03-31 03:58 -------- d-----w- c:\windows\PCHEALTH
2011-03-31 03:53 . 2011-03-31 03:53 -------- dc----r- C:\MSOCache
2011-03-27 09:22 . 2011-03-27 09:21 601424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-03-27 09:22 . 2011-03-15 02:17 8424784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-27 09:19 . 2011-03-27 09:19 -------- dc----w- c:\program files (x86)\Microsoft Security Client
2011-03-27 09:19 . 2011-03-27 09:19 -------- dc----w- c:\program files\Microsoft Security Client
2011-03-27 01:34 . 2011-03-27 01:34 -------- dc----w- c:\program files (x86)\Web Cam
2011-03-27 01:34 . 2011-03-27 01:34 -------- d-----w- c:\windows\Web Cam
2011-03-27 00:48 . 2011-03-27 00:57 -------- d-----w- c:\users\Carey\AppData\Roaming\acccore
2011-03-27 00:48 . 2011-03-27 00:48 -------- d-----w- c:\users\Carey\AppData\Local\AOL
2011-03-27 00:48 . 2011-03-27 00:48 -------- d-----w- c:\users\Carey\AppData\Local\AIM
2011-03-27 00:47 . 2011-03-27 00:47 -------- d-----w- c:\programdata\AIM
2011-03-27 00:47 . 2011-03-27 00:47 -------- dc----w- c:\program files (x86)\AIM
2011-03-27 00:47 . 2011-03-27 00:47 -------- d-----w- c:\program files (x86)\Common Files\Software Update Utility
2011-03-27 00:47 . 2011-03-27 00:47 -------- d-----w- c:\program files (x86)\Common Files\AOL
2011-03-23 20:19 . 2011-03-18 17:53 142296 -c--a-w- c:\program files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-03-23 20:19 . 2011-03-18 17:53 781272 -c--a-w- c:\program files (x86)\Mozilla Firefox\mozsqlite3.dll
2011-03-23 20:19 . 2011-03-18 17:53 1874904 -c--a-w- c:\program files (x86)\Mozilla Firefox\mozjs.dll
2011-03-23 20:19 . 2011-03-18 17:53 15832 -c--a-w- c:\program files (x86)\Mozilla Firefox\mozalloc.dll
2011-03-23 20:19 . 2011-03-18 17:53 728024 -c--a-w- c:\program files (x86)\Mozilla Firefox\libGLESv2.dll
2011-03-23 20:19 . 2011-03-18 17:53 142296 -c--a-w- c:\program files (x86)\Mozilla Firefox\libEGL.dll
2011-03-23 20:19 . 2011-03-18 17:53 1893336 -c--a-w- c:\program files (x86)\Mozilla Firefox\d3dx9_42.dll
2011-03-23 20:19 . 2011-03-18 17:53 1975768 -c--a-w- c:\program files (x86)\Mozilla Firefox\D3DCompiler_42.dll
2011-03-22 05:42 . 2011-03-22 05:43 -------- d-----w- c:\users\Carey\FrostWire
2011-03-22 05:42 . 2011-03-27 19:49 -------- d-----w- c:\users\Carey\AppData\Roaming\FrostWire
2011-03-22 05:42 . 2011-03-22 05:42 -------- dc----w- c:\program files (x86)\FrostWire
2011-03-21 07:31 . 2011-02-17 21:21 228272 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2011-03-21 07:31 . 2011-02-17 21:21 56688 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-07 07:22 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-04-07 07:21 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-03-25 02:24 . 2010-06-24 15:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-27 02:49 . 2009-07-13 23:55 332288 ----a-w- c:\windows\system32\uxtheme.dll
2011-02-27 02:49 . 2009-07-13 23:54 44544 ----a-w- c:\windows\system32\themeservice.dll
2011-02-27 02:48 . 2011-02-27 02:48 245760 ----a-w- c:\windows\SysWow64\uxtheme.dll.tmp
2011-02-27 02:48 . 2009-07-13 23:39 245760 ----a-w- c:\windows\SysWow64\uxtheme.dll
2011-02-19 12:05 . 2011-03-09 03:14 1139200 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 12:04 . 2011-03-09 03:14 1544192 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 12:04 . 2011-03-09 03:14 902656 ----a-w- c:\windows\system32\d2d1.dll
2011-02-19 06:30 . 2011-03-09 03:14 1076736 ----a-w- c:\windows\SysWow64\DWrite.dll
2011-02-19 06:30 . 2011-03-09 03:14 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2011-02-17 21:21 . 2011-02-17 21:21 156080 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2011-02-03 02:40 . 2010-05-27 19:00 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-11_01.31.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2010-04-10 17:01 . 2010-04-29 19:39 38224 c:\windows\SysWOW64\drivers\mbamswissarmy.sys
+ 2010-04-10 17:01 . 2010-12-20 22:09 38224 c:\windows\SysWOW64\drivers\mbamswissarmy.sys
+ 2011-04-11 02:49 . 2006-12-20 20:55 94208 c:\windows\SysWOW64\dlbcpplc.dll
+ 2011-04-11 02:49 . 2007-02-02 10:06 86016 c:\windows\SysWOW64\dlbcinsr.dll
+ 2011-04-11 02:49 . 2007-02-02 10:06 90112 c:\windows\SysWOW64\dlbccur.dll
+ 2011-04-11 02:49 . 2007-02-02 09:55 73728 c:\windows\SysWOW64\dlbccu.dll
+ 2011-04-11 02:49 . 2007-01-23 02:28 73728 c:\windows\SysWOW64\DLBCcfg.dll
+ 2009-11-05 17:49 . 2011-04-11 04:55 58482 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-04-11 04:55 47450 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-01-24 21:55 . 2011-04-11 04:55 13420 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-980950009-3502926670-818389737-1000_UserData.bin
+ 2010-04-10 17:01 . 2010-12-20 22:08 24152 c:\windows\system32\drivers\mbam.sys
- 2009-12-25 14:53 . 2011-04-10 16:38 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-25 14:53 . 2011-04-11 05:50 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-25 14:53 . 2011-04-11 05:50 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-25 14:53 . 2011-04-10 16:38 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-04-11 05:50 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-04-10 16:38 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-01-24 21:56 . 2011-04-10 19:57 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-01-24 21:56 . 2011-04-11 04:55 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-01-24 21:56 . 2011-04-10 19:57 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-01-24 21:56 . 2011-04-11 04:55 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-01-24 21:56 . 2011-04-11 04:55 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-01-24 21:56 . 2011-04-10 19:57 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-01-24 10:49 . 2011-04-11 21:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-01-24 10:49 . 2011-04-11 01:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-01-24 10:49 . 2011-04-11 01:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-01-24 10:49 . 2011-04-11 21:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-01-25 01:34 . 2011-04-11 04:38 3400 c:\windows\system32\wdi\ERCQueuedResolutions.dat
- 2011-04-10 19:53 . 2011-04-10 19:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-04-11 04:52 . 2011-04-11 04:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-04-11 04:52 . 2011-04-11 04:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-04-10 19:53 . 2011-04-10 19:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-04-11 02:49 . 2007-02-02 09:55 413696 c:\windows\SysWOW64\dlbcutil.dll
+ 2011-04-11 02:49 . 2006-12-20 20:46 991232 c:\windows\SysWOW64\dlbcusb1.dll
+ 2011-04-11 02:49 . 2006-12-20 20:54 163840 c:\windows\SysWOW64\dlbcprox.dll
+ 2011-04-11 02:49 . 2007-02-07 20:26 181744 c:\windows\SysWOW64\dlbcppls.exe
+ 2011-04-11 02:49 . 2006-12-20 21:08 643072 c:\windows\SysWOW64\dlbcpmui.dll
+ 2011-04-11 02:49 . 2006-12-20 20:59 585728 c:\windows\SysWOW64\dlbclmpm.dll
+ 2011-04-11 02:49 . 2007-02-02 10:06 483328 c:\windows\SysWOW64\dlbcjswr.dll
+ 2011-04-11 02:49 . 2006-12-20 20:58 274432 c:\windows\SysWOW64\DLBCinst.dll
+ 2011-04-11 02:49 . 2007-02-02 09:56 155648 c:\windows\SysWOW64\dlbcinsb.dll
+ 2011-04-11 02:49 . 2007-02-02 09:56 131072 c:\windows\SysWOW64\dlbcins.dll
+ 2011-04-11 02:49 . 2006-12-20 20:47 413696 c:\windows\SysWOW64\dlbcinpa.dll
+ 2011-04-11 02:49 . 2007-02-07 20:26 386544 c:\windows\SysWOW64\dlbcih.exe
+ 2011-04-11 02:49 . 2006-12-20 20:58 397312 c:\windows\SysWOW64\dlbciesc.dll
+ 2011-04-11 02:49 . 2006-12-20 20:43 323584 c:\windows\SysWOW64\DLBChcp.dll
+ 2011-04-11 02:49 . 2006-12-20 20:42 696320 c:\windows\SysWOW64\dlbchbn3.dll
+ 2011-04-11 02:49 . 2006-09-18 15:23 983101 c:\windows\SysWOW64\dlbcgf.dll
+ 2011-04-11 02:49 . 2007-02-07 20:26 538096 c:\windows\SysWOW64\dlbccoms.exe
+ 2011-04-11 02:49 . 2006-12-20 21:01 421888 c:\windows\SysWOW64\dlbccomm.dll
+ 2011-04-11 02:49 . 2006-12-20 20:54 684032 c:\windows\SysWOW64\dlbccomc.dll
+ 2011-04-11 02:49 . 2007-02-07 20:26 382448 c:\windows\SysWOW64\dlbccfg.exe
+ 2009-07-14 02:36 . 2011-04-11 04:37 626278 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-04-10 20:01 626278 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-04-10 20:01 107522 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2011-04-11 04:37 107522 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:01 . 2011-04-11 04:51 352064 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2011-04-10 19:52 352064 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-04-11 02:49 . 2006-12-20 21:06 1224704 c:\windows\SysWOW64\dlbcserv.dll
+ 2010-08-12 03:35 . 2011-04-11 03:41 1372144 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-980950009-3502926670-818389737-1000-8192.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2009-08-18 1157128]
"InstaLAN"="c:\program files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Trend Micro RUBotted V2.0 Beta"="c:\program files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 SABKUTIL;SABKUTIL;c:\program files\SUPERAntiSpyware\SABKUTIL.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-22 136176]
R3 elomoufiltr;ELO TouchSystems-SRV2;c:\windows\system32\DRIVERS\elofiltr.sys [x]
R3 EloUsb;ELO TouchSystems-SRV;c:\windows\system32\DRIVERS\EloUsb.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-02 225280]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 UsbFltr;WayTech USB Filter Driver;c:\windows\system32\Drivers\UsbFltr.sys [x]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-07 125440]
R4 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-06-18 50432]
R4 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-06-18 144640]
R4 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
S2 ePowerSvc;Acer ePower Service;c:\program files\eMachines\eMachines Power Management\ePowerSvc.exe [2009-09-30 844320]
S2 Greg_Service;GRegService;c:\program files (x86)\eMachines\Registration\GregHSRW.exe [2009-08-28 1150496]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
S2 RUBotSrv;Trend Micro RUBotted Service;c:\program files (x86)\Trend Micro\RUBotted\RUBotSrv.exe [2010-12-17 439632]
S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-03-18 2271608]
S2 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [2009-07-04 240160]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 282616]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
2010-11-20 12:17 302592 ----a-w- c:\windows\System32\cmd.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-22 17:38]
.
2011-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-22 17:38]
.
2011-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-980950009-3502926670-818389737-1000Core.job
- c:\users\Carey\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-14 17:38]
.
2011-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-980950009-3502926670-818389737-1000UA.job
- c:\users\Carey\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-14 17:38]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-10-13 186904]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-28 7982112]
"Acer ePower Management"="c:\program files\eMachines\eMachines Power Management\ePowerTray.exe" [2009-09-30 823840]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-06-11 301056]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 159232]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 380928]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 358912]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2007-08-09 319488]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 1436224]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/home.php
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e525&r=273601100745l0354z125r49122341
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\users\Carey\AppData\Roaming\Mozilla\Firefox\Profiles\wzheli8w.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-04-11 17:55:26
ComboFix-quarantined-files.txt 2011-04-11 21:55
ComboFix2.txt 2011-04-11 04:37
ComboFix3.txt 2011-04-11 01:34
.
Pre-Run: 180,636,876,800 bytes free
Post-Run: 180,575,096,832 bytes free
.
- - End Of File - - 7074DFDBFCA730795E38A9F15D81B659