I noticed I was infected sometime last week around this time. I tried my anti-virus (avast) to no avail. I installed MBAM and it found and deleted *every* infected file, registry value, and registry key, except for one. I've run it several times; it says it will delete the registry key on reboot, then fails to do so. After reading on several forums I also installed and ran Combofix... I don't know if it did anything that helped. I have the log files from both times I ran it if those are needed.
I also haven't been able to open any e-mail program since this infection started: Yahoo, Hotmail, Gmail all return error messages when I try to go to log in. I hope it's related to the infection, and that when/if I finally delete it from the system, the e-mail will work again... I can't see why it wouldn't be.
I've tried manually deleting the infected registry key in regedit... it returned an error: unable to delete.
Thanks for your help; log files for HijackThis and MBAM follow.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:24 AM, on 4/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Zahdi 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Zahdi 1\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://en.us.acer.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [eLockMonitor] C:\Acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Zahdi 1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210633934531
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 7075 bytes
------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.36
Database version: 2040
Windows 5.1.2600 Service Pack 3
4/25/2009 1:29:32 PM
mbam-log-2009-04-25 (13-29-13).txt
Scan type: Quick Scan
Objects scanned: 80433
Time elapsed: 1 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-------------------------------------------------------------------------------
-- Zahdi
#1
Posted 30 April 2009 - 03:59 PM
#2
Posted 30 April 2009 - 09:24 PM
Hi,
Please post the combofix log in your next reply.
Quote
I also installed and ran Combofix... I don't know if it did anything that helped. I have the log files from both times I ran it if those are needed.
#3
Posted 01 May 2009 - 02:24 PM
This is the first Combofix log:
ComboFix 09-04-25.A1 - Zahdi 1 04/25/2009 12:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.546 [GMT -4:00]
Running from: c:\documents and settings\Zahdi 1\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090425-0] *On-access scanning enabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\ZAHDI1~1\LOCALS~1\Temp\install_flash_player.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Downloaded Program Files\ODCTOOLS\~t17.tmp
c:\windows\system32\apumiyef.ini
c:\windows\system32\autorun.ini
c:\windows\system32\jeyanoyu.dll
c:\windows\system32\juymxb.dll
c:\windows\system32\koverame.dll
c:\windows\system32\losidaje.dll
c:\windows\system32\olegijul.ini
c:\windows\system32\vayejopi.dll
c:\windows\system32\x64
c:\windows\temp\440272746.exe
c:\windows\temp\444491496.exe
----- BITS: Possible infected sites -----
hxxp://82.98.235.205
.
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.
2009-04-25 15:02 . 2009-04-25 15:02 -------- d-----w c:\documents and settings\Zahdi 1\Application Data\Malwarebytes
2009-04-25 15:02 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-25 15:02 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-25 15:02 . 2009-04-25 15:02 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-25 15:02 . 2009-04-25 15:02 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-25 14:53 . 2009-04-25 14:54 -------- d-----w c:\program files\ERUNT
2009-04-24 22:00 . 2008-04-14 00:12 578560 ----a-w c:\windows\system32\xqktqno
2009-04-24 22:00 . 2009-04-24 22:00 153 ----a-w C:\43454354.bat
2009-04-24 22:00 . 2009-04-24 22:00 21504 ----a-w C:\bomp.exe
2009-04-11 21:01 . 2009-04-11 21:01 -------- d-----w c:\windows\Sun
2009-04-11 18:56 . 2009-04-11 18:56 -------- d-----w c:\documents and settings\Zahdi 1\Local Settings\Application Data\Intuit
2009-04-11 18:56 . 2009-04-11 18:56 -------- d-----w c:\documents and settings\Zahdi 1\Application Data\Intuit
2009-04-11 18:54 . 2009-04-11 18:54 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-04-11 18:52 . 2009-04-11 18:53 -------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-04-11 18:52 . 2009-04-11 18:53 -------- d-----w c:\program files\Common Files\Intuit
2009-04-11 18:51 . 2009-04-11 18:51 -------- d-----w c:\program files\TurboTax
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 12:46 . 2009-01-25 12:46 47616 --sha-w c:\windows\system32\jebikono.exe
2009-04-24 22:00 . 2009-01-24 22:00 47104 --sha-w c:\windows\system32\sirifiwi.exe
2009-04-11 18:56 . 2007-09-04 19:24 92896 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-25 05:39 . 2009-03-25 05:39 -------- d-----w c:\program files\Alwil Software
2009-03-25 04:42 . 2009-03-25 04:42 -------- d-----w c:\program files\Trend Micro
2009-03-25 04:36 . 2007-09-04 19:41 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-25 04:34 . 2009-02-05 03:47 -------- d-----w c:\program files\Lavasoft
2009-03-25 04:34 . 2008-06-11 03:56 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-25 04:33 . 2009-03-20 05:44 -------- d-----w c:\documents and settings\Zahdi 1\Application Data\SUPERAntiSpyware.com
2009-03-25 04:31 . 2007-09-04 19:40 -------- d-----w c:\program files\Symantec
2009-03-25 04:31 . 2007-09-04 19:40 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-25 02:41 . 2009-02-05 04:42 7282 ----a-w C:\aaw7boot.log
2009-03-21 03:45 . 2007-09-04 19:25 -------- d-----w c:\program files\Microsoft SQL Server
2009-03-20 05:49 . 2009-03-20 05:49 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-20 05:44 . 2009-03-20 05:44 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-19 13:23 . 2009-03-19 13:20 -------- d-----w c:\documents and settings\Zahdi 1\Application Data\GetRightToGo
2009-03-18 07:02 . 2009-03-18 07:02 -------- d-----w c:\program files\MSXML 6.0
2009-03-12 18:46 . 2007-09-04 19:20 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-06 08:25 . 2008-12-29 07:20 -------- d-----w c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-03-03 16:05 . 2008-09-08 00:55 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-18 16:45 . 2009-02-18 16:40 68294 ----a-w c:\windows\hpoins05.dat
2009-02-09 11:13 . 2007-03-08 13:47 1846784 ----a-w c:\windows\system32\win32k.sys
2008-05-11 22:41 . 2008-05-11 22:41 130 ------w c:\documents and settings\Zahdi 1\Local Settings\Application Data\fusioncache.dat
2007-09-04 19:24 . 2008-05-11 22:38 68456 ------w c:\documents and settings\Zahdi 1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Zahdi 1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-17 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-09 68640]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-06-24 342528]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2007-05-22 1459992]
"eLockMonitor"="c:\acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe" [2006-03-31 16384]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-27 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-27 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-27 137752]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2007-07-11 421888]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-02 16377344]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-9-12 45056]
[HKLM\~\startupfolder\C:^Documents and Settings^Zahdi 1^Start Menu^Programs^Startup^ChkDisk.dll]
path=c:\documents and settings\Zahdi 1\Start Menu\Programs\Startup\ChkDisk.dll
backup=c:\windows\pss\ChkDisk.dllStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Zahdi 1^Start Menu^Programs^Startup^ChkDisk.lnk]
path=c:\documents and settings\Zahdi 1\Start Menu\Programs\Startup\ChkDisk.lnk
backup=c:\windows\pss\ChkDisk.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Acer\\Empowering Technology\\ePerformance\\MemCheck.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\AluSchedulerSvc.exe"=
"c:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
R0 Lbd;Lbd; [x]
R1 aswSP;avast! Self Protection; [x]
R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2007-08-27 26768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [2006-06-09 17664]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [2006-06-07 90112]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2009-02-25 13088]
R2 LockServ;LockServ;c:\acer\Empowering Technology\eLock\LockServ.exe [2006-06-29 520192]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\netlimiter.sys [2006-10-03 18072]
R2 netlock;netlock;c:\windows\system32\drivers\netlock.sys [2007-05-30 14616]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2007-06-13 15640]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2006-11-09 10944]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [2005-02-15 81920]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-04-14 28933976]
.
Contents of the 'Scheduled Tasks' folder
2009-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-891139853-3681392883-3031111325-1008.job
- c:\documents and settings\Zahdi 1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 07:29]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-installnet.exe - c:\acer\LANScope Agent\Installnet.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://en.us.acer.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 12:44
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\zuvepomi.dll"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1596)
c:\progra~1\WINDOW~2\wmpband.dll
.
Completion time: 2009-04-25 12:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-25 16:45
Pre-Run: 60,125,933,568 bytes free
Post-Run: 62,110,158,848 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
192 --- E O F --- 2009-03-21 03:45
I ran it a second time when the first didn't "work":
ComboFix 09-04-25.A1 - Zahdi 1 04/25/2009 12:54.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.809 [GMT -4:00]
Running from: c:\documents and settings\Zahdi 1\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090425-0] *On-access scanning enabled* (Updated)
.
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.
2009-04-25 16:48 . 2009-04-25 16:48 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-25 15:02 . 2009-04-25 15:02 -------- d-----w c:\documents and settings\Zahdi 1\Application Data\Malwarebytes
2009-04-25 15:02 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-25 15:02 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-25 15:02 . 2009-04-25 15:02 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-25 15:02 . 2009-04-25 15:02 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-25 14:53 . 2009-04-25 14:54 -------- d-----w c:\program files\ERUNT
2009-04-24 22:00 . 2008-04-14 00:12 578560 ----a-w c:\windows\system32\xqktqno
2009-04-24 22:00 . 2009-04-24 22:00 153 ----a-w C:\43454354.bat
2009-04-24 22:00 . 2009-04-24 22:00 21504 ----a-w C:\bomp.exe
2009-04-11 21:01 . 2009-04-11 21:01 -------- d-----w c:\windows\Sun
2009-04-11 18:56 . 2009-04-11 18:56 -------- d-----w c:\documents and settings\Zahdi 1\Local Settings\Application Data\Intuit
2009-04-11 18:56 . 2009-04-11 18:56 -------- d-----w c:\documents and settings\Zahdi 1\Application Data\Intuit
2009-04-11 18:54 . 2009-04-11 18:54 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-04-11 18:52 . 2009-04-11 18:53 -------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-04-11 18:52 . 2009-04-11 18:53 -------- d-----w c:\program files\Common Files\Intuit
2009-04-11 18:51 . 2009-04-11 18:51 -------- d-----w c:\program files\TurboTax
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 12:46 . 2009-01-25 12:46 47616 --sha-w c:\windows\system32\jebikono.exe
2009-04-24 22:00 . 2009-01-24 22:00 47104 --sha-w c:\windows\system32\sirifiwi.exe
2009-04-11 18:56 . 2007-09-04 19:24 92896 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-25 05:39 . 2009-03-25 05:39 -------- d-----w c:\program files\Alwil Software
2009-03-25 04:42 . 2009-03-25 04:42 -------- d-----w c:\program files\Trend Micro
2009-03-25 04:36 . 2007-09-04 19:41 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-25 04:34 . 2009-02-05 03:47 -------- d-----w c:\program files\Lavasoft
2009-03-25 04:34 . 2008-06-11 03:56 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-25 04:33 . 2009-03-20 05:44 -------- d-----w c:\documents and settings\Zahdi 1\Application Data\SUPERAntiSpyware.com
2009-03-25 04:31 . 2007-09-04 19:40 -------- d-----w c:\program files\Symantec
2009-03-25 04:31 . 2007-09-04 19:40 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-25 02:41 . 2009-02-05 04:42 7282 ----a-w C:\aaw7boot.log
2009-03-21 03:45 . 2007-09-04 19:25 -------- d-----w c:\program files\Microsoft SQL Server
2009-03-20 05:49 . 2009-03-20 05:49 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-20 05:44 . 2009-03-20 05:44 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-19 13:23 . 2009-03-19 13:20 -------- d-----w c:\documents and settings\Zahdi 1\Application Data\GetRightToGo
2009-03-18 07:02 . 2009-03-18 07:02 -------- d-----w c:\program files\MSXML 6.0
2009-03-12 18:46 . 2007-09-04 19:20 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-06 08:25 . 2008-12-29 07:20 -------- d-----w c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-03-03 16:05 . 2008-09-08 00:55 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-18 16:45 . 2009-02-18 16:40 68294 ----a-w c:\windows\hpoins05.dat
2009-02-09 11:13 . 2007-03-08 13:47 1846784 ----a-w c:\windows\system32\win32k.sys
2008-05-11 22:41 . 2008-05-11 22:41 130 ------w c:\documents and settings\Zahdi 1\Local Settings\Application Data\fusioncache.dat
2007-09-04 19:24 . 2008-05-11 22:38 68456 ------w c:\documents and settings\Zahdi 1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Zahdi 1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-17 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-09 68640]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-06-24 342528]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2007-05-22 1459992]
"eLockMonitor"="c:\acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe" [2006-03-31 16384]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-27 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-27 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-27 137752]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2007-07-11 421888]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-02 16377344]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-9-12 45056]
[HKLM\~\startupfolder\C:^Documents and Settings^Zahdi 1^Start Menu^Programs^Startup^ChkDisk.dll]
path=c:\documents and settings\Zahdi 1\Start Menu\Programs\Startup\ChkDisk.dll
backup=c:\windows\pss\ChkDisk.dllStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Zahdi 1^Start Menu^Programs^Startup^ChkDisk.lnk]
path=c:\documents and settings\Zahdi 1\Start Menu\Programs\Startup\ChkDisk.lnk
backup=c:\windows\pss\ChkDisk.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Acer\\Empowering Technology\\ePerformance\\MemCheck.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\AluSchedulerSvc.exe"=
"c:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
R0 Lbd;Lbd; [x]
R1 aswSP;avast! Self Protection; [x]
R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2007-08-27 26768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [2006-06-09 17664]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [2006-06-07 90112]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2009-02-25 13088]
R2 LockServ;LockServ;c:\acer\Empowering Technology\eLock\LockServ.exe [2006-06-29 520192]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\netlimiter.sys [2006-10-03 18072]
R2 netlock;netlock;c:\windows\system32\drivers\netlock.sys [2007-05-30 14616]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2007-06-13 15640]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2006-11-09 10944]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [2005-02-15 81920]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-04-14 28933976]
.
Contents of the 'Scheduled Tasks' folder
2009-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-891139853-3681392883-3031111325-1008.job
- c:\documents and settings\Zahdi 1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 07:29]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://en.us.acer.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 12:55
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\zuvepomi.dll"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1108)
c:\progra~1\WINDOW~2\wmpband.dll
.
Completion time: 2009-04-25 12:56
ComboFix-quarantined-files.txt 2009-04-25 16:56
ComboFix2.txt 2009-04-25 16:45
Pre-Run: 62,110,126,080 bytes free
Post-Run: 62,093,713,408 bytes free
166 --- E O F --- 2009-03-21 03:45
-- Zahdi
#4
Posted 01 May 2009 - 07:49 PM
Hi,
* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:
Quote
File::
c:\windows\pss\ChkDisk.dllStartup
c:\windows\pss\ChkDisk.lnkStartup
C:\43454354.bat
C:\bomp.exe
c:\windows\system32\jebikono.exe
c:\windows\system32\sirifiwi.exe
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Zahdi 1^Start Menu^Programs^Startup^ChkDisk.dll]
[-HKLM\~\startupfolder\C:^Documents and Settings^Zahdi 1^Start Menu^Programs^Startup^ChkDisk.lnk]
REGLOCKDEL::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
Save this as txtfile CFScript
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
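As an added example, not ComboFix's or the helper's own tooling, here is a small Python triage script that reads the three kinds of ComboFix log entries the CFScript above acts on (files carrying the hidden+system attribute flags such as --sha-w, startup-folder items backed up under c:\windows\pss, and the LOCKED REGISTRY KEYS entry) and renders them in the same File::/Registry::/REGLOCKDEL:: layout. It assumes the line formats seen in the logs posted in this thread; the sample excerpt is constructed from those lines, and the attribute heuristic is this example's own, so it would not by itself pick out C:\bomp.exe or C:\43454354.bat, which the helper listed on other grounds.

```python
"""Triage helper for ComboFix logs (added example, not ComboFix's own code).
Extracts the three kinds of entries the helper's CFScript above acted on:
hidden+system files, startup-folder items backed up under c:\\windows\\pss,
and keys under LOCKED REGISTRY KEYS. Line formats are assumed from this thread."""
import re
from dataclasses import dataclass, field

# e.g. 2009-04-25 12:46 . 2009-01-25 12:46 47616 --sha-w c:\windows\system32\jebikono.exe
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\S+)\s+(?P<attrs>[-a-z]{7})\s+(?P<path>.+?)\s*$"
)
STARTUP_KEY = re.compile(r"^\[(HKLM\\~\\startupfolder\\[^\]]+)\]$")
ANY_KEY = re.compile(r"^\[(HK[^\]]+)\]$")


@dataclass
class Findings:
    hidden_system_files: list = field(default_factory=list)
    startup_backup_keys: list = field(default_factory=list)
    startup_backup_files: list = field(default_factory=list)
    locked_keys: list = field(default_factory=list)
    locked_targets: dict = field(default_factory=dict)  # locked key -> DLL it loads


def parse_combofix_log(text: str) -> Findings:
    f = Findings()
    in_locked = False       # inside the LOCKED REGISTRY KEYS section
    current_startup = None  # startup-folder key whose path=/backup= lines follow
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----"):  # dashed section banners
            in_locked = "LOCKED REGISTRY KEYS" in line
            current_startup = None
            continue
        if line.startswith("(((("):   # parenthesised section banners
            in_locked, current_startup = False, None
            continue
        m = FILE_LINE.match(line)
        if m:
            # system+hidden set on a plain file is what the helper pulled out
            if "s" in m["attrs"] and "h" in m["attrs"]:
                f.hidden_system_files.append(m["path"])
            continue
        m = STARTUP_KEY.match(line)
        if m:
            current_startup = m.group(1)
            f.startup_backup_keys.append(current_startup)
            continue
        if line.startswith("["):
            current_startup = None
            m = ANY_KEY.match(line)
            if in_locked and m:
                f.locked_keys.append(m.group(1))
            continue
        if current_startup and line.startswith("backup="):
            f.startup_backup_files.append(line[len("backup="):])
        elif in_locked and f.locked_keys and line.startswith('@="'):
            # the REGEDIT4-style export doubles backslashes; undo that
            value = line[len("@="):].strip('"')
            f.locked_targets[f.locked_keys[-1]] = value.replace("\\\\", "\\")
    return f


def build_cfscript(f: Findings) -> str:
    """Render findings in the CFScript layout used above: File::, Registry::, REGLOCKDEL::."""
    lines = []
    files = f.startup_backup_files + f.hidden_system_files
    if files:
        lines += ["File::", *files]
    if f.startup_backup_keys:
        lines += ["Registry::", *(f"[-{k}]" for k in f.startup_backup_keys)]  # '-' deletes the key
    if f.locked_keys:
        lines += ["REGLOCKDEL::", *(f"[{k}]" for k in f.locked_keys)]
    return "\n".join(lines)


# Constructed excerpt, assembled from lines of the logs posted in this thread.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-04-25 12:46 . 2009-01-25 12:46 47616 --sha-w c:\windows\system32\jebikono.exe
2009-04-24 22:00 . 2009-01-24 22:00 47104 --sha-w c:\windows\system32\sirifiwi.exe
2009-02-09 11:13 . 2007-03-08 13:47 1846784 ----a-w c:\windows\system32\win32k.sys
[HKLM\~\startupfolder\C:^Documents and Settings^Zahdi 1^Start Menu^Programs^Startup^ChkDisk.dll]
path=c:\documents and settings\Zahdi 1\Start Menu\Programs\Startup\ChkDisk.dll
backup=c:\windows\pss\ChkDisk.dllStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\zuvepomi.dll"
"ThreadingModel"="Both"
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

if __name__ == "__main__":
    found = parse_combofix_log(SAMPLE_LOG)
    print(found.locked_targets)
    print(build_cfscript(found))
```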
#5
Posted 01 May 2009 - 10:31 PM
Okay, I went ahead as you said; here's the log file:
ComboFix 09-04-25.A1 - Zahdi 1 05/01/2009 18:24.3 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.820 [GMT -4:00]
Running from: c:\documents and settings\Zahdi 1\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Zahdi 1\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090425-0] *On-access scanning enabled* (Updated)
FILE ::
C:\43454354.bat
C:\bomp.exe
c:\windows\pss\ChkDisk.dllStartup
c:\windows\pss\ChkDisk.lnkStartup
c:\windows\system32\jebikono.exe
c:\windows\system32\sirifiwi.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\43454354.bat
C:\bomp.exe
c:\windows\pss\ChkDisk.lnkStartup
c:\windows\system32\jebikono.exe
c:\windows\system32\sirifiwi.exe
.
((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-5-1 )))))))))))))))))))))))))))))))
.
2009-04-25 16:48 . 2009-04-25 16:48 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-25 15:02 . 2009-04-25 15:02 -------- d-----w c:\documents and settings\Zahdi 1\Application Data\Malwarebytes
2009-04-25 15:02 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-25 15:02 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-25 15:02 . 2009-04-25 15:02 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-25 15:02 . 2009-04-25 15:02 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-25 14:53 . 2009-04-25 14:54 -------- d-----w c:\program files\ERUNT
2009-04-24 22:00 . 2008-04-14 00:12 578560 ----a-w c:\windows\system32\xqktqno
here's the log file:
ComboFix 09-04-25.A1 - Zahdi 1 05/01/2009 18:24.3 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.820 [GMT -4:00]
Running from: c:\documents and settings\Zahdi 1\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Zahdi 1\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090425-0] *On-access scanning enabled* (Updated)
FILE ::
C:\43454354.bat
C:\bomp.exe
c:\windows\pss\ChkDisk.dllStartup
c:\windows\pss\ChkDisk.lnkStartup
c:\windows\system32\jebikono.exe
c:\windows\system32\sirifiwi.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\43454354.bat
C:\bomp.exe
c:\windows\pss\ChkDisk.lnkStartup
c:\windows\system32\jebikono.exe
c:\windows\system32\sirifiwi.exe
.
((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-5-1 )))))))))))))))))))))))))))))))
.
2009-04-25 16:48 . 2009-04-25 16:48 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-25 15:02 . 2009-04-25 15:02 -------- d-----w c:\documents and settings\Zahdi 1\Application Data\Malwarebytes
2009-04-25 15:02 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-25 15:02 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-25 15:02 . 2009-04-25 15:02 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-25 15:02 . 2009-04-25 15:02 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-25 14:53 . 2009-04-25 14:54 -------- d-----w c:\program files\ERUNT
2009-04-24 22:00 . 2008-04-14 00:12 578560 ----a-w c:\windows\system32\xqktqno
2009-04-11 21:01 . 2009-04-11 21:01 -------- d-----w c:\windows\Sun
2009-04-11 18:56 . 2009-04-11 18:56 -------- d-----w c:\documents and settings\Zahdi 1\Local Settings\Application Data\Intuit
2009-04-11 18:56 . 2009-04-11 18:56 -------- d-----w c:\documents and settings\Zahdi 1\Application Data\Intuit
2009-04-11 18:54 . 2009-04-11 18:54 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-04-11 18:52 . 2009-04-11 18:53 -------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-04-11 18:52 . 2009-04-11 18:53 -------- d-----w c:\program files\Common Files\Intuit
2009-04-11 18:51 . 2009-04-11 18:51 -------- d-----w c:\program files\TurboTax
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 18:56 . 2007-09-04 19:24 92896 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-25 05:39 . 2009-03-25 05:39 -------- d-----w c:\program files\Alwil Software
2009-03-25 04:42 . 2009-03-25 04:42 -------- d-----w c:\program files\Trend Micro
2009-03-25 04:36 . 2007-09-04 19:41 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-25 04:34 . 2009-02-05 03:47 -------- d-----w c:\program files\Lavasoft
2009-03-25 04:34 . 2008-06-11 03:56 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-25 04:33 . 2009-03-20 05:44 -------- d-----w c:\documents and settings\Zahdi 1\Application Data\SUPERAntiSpyware.com
2009-03-25 04:31 . 2007-09-04 19:40 -------- d-----w c:\program files\Symantec
2009-03-25 04:31 . 2007-09-04 19:40 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-25 02:41 . 2009-02-05 04:42 7282 ----a-w C:\aaw7boot.log
2009-03-21 03:45 . 2007-09-04 19:25 -------- d-----w c:\program files\Microsoft SQL Server
2009-03-20 05:49 . 2009-03-20 05:49 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-20 05:44 . 2009-03-20 05:44 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-19 13:23 . 2009-03-19 13:20 -------- d-----w c:\documents and settings\Zahdi 1\Application Data\GetRightToGo
2009-03-18 07:02 . 2009-03-18 07:02 -------- d-----w c:\program files\MSXML 6.0
2009-03-12 18:46 . 2007-09-04 19:20 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-06 08:25 . 2008-12-29 07:20 -------- d-----w c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-03-03 16:05 . 2008-09-08 00:55 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-18 16:45 . 2009-02-18 16:40 68294 ----a-w c:\windows\hpoins05.dat
2009-02-09 11:13 . 2007-03-08 13:47 1846784 ----a-w c:\windows\system32\win32k.sys
2008-05-11 22:41 . 2008-05-11 22:41 130 ------w c:\documents and settings\Zahdi 1\Local Settings\Application Data\fusioncache.dat
2007-09-04 19:24 . 2008-05-11 22:38 68456 ------w c:\documents and settings\Zahdi 1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Zahdi 1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-17 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-09 68640]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-06-24 342528]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2007-05-22 1459992]
"eLockMonitor"="c:\acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe" [2006-03-31 16384]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-27 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-27 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-27 137752]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2007-07-11 421888]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-02 16377344]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-9-12 45056]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Acer\\Empowering Technology\\ePerformance\\MemCheck.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\AluSchedulerSvc.exe"=
"c:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
R0 Lbd;Lbd; [x]
R1 aswSP;avast! Self Protection; [x]
R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2007-08-27 26768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [2006-06-09 17664]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [2006-06-07 90112]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2009-02-25 13088]
R2 LockServ;LockServ;c:\acer\Empowering Technology\eLock\LockServ.exe [2006-06-29 520192]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\netlimiter.sys [2006-10-03 18072]
R2 netlock;netlock;c:\windows\system32\drivers\netlock.sys [2007-05-30 14616]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2007-06-13 15640]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2006-11-09 10944]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [2005-02-15 81920]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-04-14 28933976]
.
Contents of the 'Scheduled Tasks' folder
2009-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-891139853-3681392883-3031111325-1008.job
- c:\documents and settings\Zahdi 1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 07:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://en.us.acer.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 18:25
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-05-01 18:26
ComboFix-quarantined-files.txt 2009-05-01 22:26
ComboFix2.txt 2009-04-25 16:56
ComboFix3.txt 2009-04-25 16:45
Pre-Run: 62,190,092,288 bytes free
Post-Run: 62,183,632,896 bytes free
160 --- E O F --- 2009-04-25 17:14
It looks like it worked that time?
-- Zahdi
#6
Posted 02 May 2009 - 07:54 AM
Hi,
This looks OK again.
* Go to Start > Run and copy and paste the next command into the field:
ComboFix /u
Make sure there's a space between ComboFix and /
Then hit Enter.
This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
Let me know in your next reply how things are now.
#7
Posted 03 May 2009 - 03:27 PM
Thanks =) There are no more popups. I still can't access any (hotmail, yahoo, gmail) e-mail in any browser (IE or Google Chrome). When I try in IE it says it may not be connected to the internet (which it is), and when I try in Chrome it says it can't connect and then gives this error message: Error 2 (net::ERR_FAILED): Unknown error. It seems like the virus is gone, so I just don't know...
#8
Posted 03 May 2009 - 07:42 PM
I assume it's set as https: in your browser for Yahoo, Gmail etc?
Please see here: http://support.microsoft.com/default.aspx?...kb;en-us;813444 (don't use the system restore option)
In your case, I guess it may be caused by your Avast, because you're having it in chrome too.
The only way to find out is to uninstall (since disabling won't work to test) Avast and see if that solves it.
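An added example, not code from this thread or from any tool mentioned in it: the reply above narrows the cause by elimination (uninstall Avast, then retest). The script below does the non-destructive part first. For each webmail host it walks DNS, then TCP to port 443, then the TLS handshake, then one HTTP request, so "every webmail site fails in every browser" is pinned to one layer before anything is removed. The host names are assumptions (current login endpoints), not taken from the thread.

```python
"""Layered HTTPS reachability check for webmail logins.

Added example for this thread; not from the original posts or any tool in
them. Each layer is tested separately so the first failing one is named.
"""
import socket
import ssl

# Assumption: present-day login endpoints, not hosts from the thread.
WEBMAIL_HOSTS = ("mail.google.com", "login.live.com", "login.yahoo.com")


def probe(host, port=443, timeout=5.0):
    """Return which layers succeeded for one host, plus the first error seen."""
    r = {"dns": False, "tcp": False, "tls": False, "http": False,
         "issuer": None, "error": None}
    try:
        ip = socket.gethostbyname(host)
        r["dns"] = True
    except OSError as e:
        r["error"] = "dns: %s" % e
        return r
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
        r["tcp"] = True
    except OSError as e:
        r["error"] = "tcp: %s" % e
        return r
    # Default context verifies the chain against the local trust store.
    ctx = ssl.create_default_context()
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except OSError as e:  # ssl.SSLError is a subclass of OSError
        r["error"] = "tls: %s" % e
        sock.close()
        return r
    r["tls"] = True
    # Who signed the leaf certificate? A local filter that re-signs traffic
    # shows up here as an unexpected issuer (when its CA is trusted at all).
    issuer = dict(rdn[0] for rdn in tls.getpeercert().get("issuer", ()))
    r["issuer"] = issuer.get("organizationName")
    try:
        req = "HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host
        tls.sendall(req.encode("ascii"))
        status = tls.recv(64).decode("ascii", "replace").split("\r\n", 1)[0]
        r["http"] = status.startswith("HTTP/")
    except OSError as e:
        r["error"] = "http: %s" % e
    finally:
        tls.close()
    return r


def interpret(results):
    """Name the failing layer across all hosts; results maps host -> probe() dict."""
    rows = list(results.values())
    if not rows:
        return "no-hosts"
    if all(x["http"] for x in rows):
        return "ok"
    if not any(x["dns"] for x in rows):
        return "dns"
    if all(x["dns"] and not x["tcp"] for x in rows):
        return "tcp-443-blocked"
    if all(x["tcp"] and not x["tls"] for x in rows):
        errs = " ".join(x["error"] or "" for x in rows)
        if "CERTIFICATE_VERIFY_FAILED" in errs:
            return "tls-untrusted-chain"   # something re-signs the traffic
        return "tls-handshake-blocked"     # TLS on 443 is dropped or reset
    return "mixed"


def main():
    results = {h: probe(h) for h in WEBMAIL_HOSTS}
    for host, r in results.items():
        print(host, r)
    print("verdict:", interpret(results))


if __name__ == "__main__":
    main()
```

Run it on the affected machine. A verdict of tcp-443-blocked or tls-handshake-blocked on every host, while plain HTTP sites still load, points at something between the socket and the browser on that machine rather than at the browser or the mail provider, which is exactly the spot a local web filter occupies. A verdict of tls-untrusted-chain, or an issuer you do not recognise, means something is re-signing the traffic. Only if the probe is clean everywhere is uninstalling the AV worth the disruption.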
#9
Posted 12 May 2009 - 11:24 AM
Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.