Hi all,

Just got a new computer Sunday (Acer Aspire 5735Z, running Vista), and first pass with MalwareBytes showed that the machine was afflicted with both Trojan.zlob and backdoor.botl. I tried to use MalwareBytes to remove them, but after restarting, they're still there. I also tried using Acer's eRecovery system with the Recovery CDs I burned right after opening the machine... all I succeeded in doing was wasting a bunch of time, as the viruses were still there! Hopefully someone here can help me

I have an updated version of AVG anti-virus running - it detected 4 cookies, which have been deleted but it detected neither trojan.zlob nor backdoor.net.

Thanks so much for any help you can give me.



Here's the Malware Log:

Malwarebytes' Anti-Malware 1.32
Database version: 1637
Windows 6.0.6001 Service Pack 1

1/10/2009 8:46:41 AM
mbam-log-2009-01-10 (08-46-41).txt

Scan type: Quick Scan
Objects scanned: 46334
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Default\My Documents\My Music\New Song.lagu (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Music\Video.vidz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Pictures\aweks.pikz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Pictures\seram.pikz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Delete on reboot.


And the HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:31 AM, on 1/10/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
O4 - HKLM\..\Run: [ArcadeDeluxeAgent] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe"
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: CLHNService - Unknown owner - C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 7801 bytes

Please download the following scanning tool. GMER

• Open the zip file and copy the file gmer.exe to your Desktop.
• Double click on gmer.exe and run it.
• It may take a minute to load and become available.
• Do not make any changes. As soon as it's done and the COPY button is available click on the COPY button.
• DO NOT Click on the SCAN button.
• This will place the scan in your clipboard. Paste that into notepad or into your next reply post please.
• Click OK and quit the GMER program.

Thanks! Here's my GMER log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-11 13:37:20
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8BA5E9BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8BA5E958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8BA5E96C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8BA5E9FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8BA5EA3F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8BA5E930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8BA5E944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8BA5E9D2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8BA5EA67]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8BA5EA53]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8BA5E9AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8BA5E996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8BA5EA2B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8BA5EA12]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8BA5E9E8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8BA5E982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.14 ----

Okay please update MBAM again and do another Quick Scan and fix anything found.
Restart the computer and After the restart please run a new HJT Scan and Save log, then post back both new logs.

MBAM Log:

Malwarebytes' Anti-Malware 1.32
Database version: 1646
Windows 6.0.6001 Service Pack 1

1/12/2009 5:51:35 PM
mbam-log-2009-01-12 (17-51-35).txt

Scan type: Quick Scan
Objects scanned: 46470
Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Default\My Documents\My Music\New Song.lagu (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Music\Video.vidz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Pictures\aweks.pikz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Pictures\seram.pikz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Delete on reboot.


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:02:26 PM, on 1/12/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
O4 - HKLM\..\Run: [ArcadeDeluxeAgent] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe"
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: CLHNService - Unknown owner - C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe

--
End of file - 7771 bytes

Please download this and then disable your current Anti-Virus and run it.

Download to the desktop: Dr.Web CureIt

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, Click Options > Change settings
• Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
• Back at the main window, mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
• When the scan has finished, look if you can click next icon next to the files found:
  
  If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
  
  This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
• After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.
• Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
• After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.

Hi again,

I ran CureIt, and neither quick nor complete scan found any viruses. Because of this, I wasn't able to save a report list. The log file was quite long - so much so that my computer hangs up trying to cut and paste it. Is there something else I should try?

Cheers,
Sonja

No, that's fine, and good news. Please run the following one more time.


Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Update
• When the update is complete, select the Scanner tab
• Select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the reboot run HJT Do a system scan and save a logfile
The post back NEW MBAM and HJT logs in that order please.


Then let me know how the computer is running and if there are still any signs of infection.

Hi there,
The MBAM still showed the 7 instances it has always showed - I removed them and on reboot, repeated a scan. They're still there I did make sure to run both MBAM and HJT as administrator. My computer has not shown any sign of infection, other than what turns up on the MBAM log. I am concerned though about the fact that I have both of these viruses showing up on a computer that is brand new (and hasn't been used other than to download security software and find viruses!). I haven't yet begun to get my programs on it, and use it (outside of coming to this forum and running the above procedures). Again, thank you so much for your help - anything I can do to get these 7 instances off my computer would be very welcome

Here's the MBAM Log:

Malwarebytes' Anti-Malware 1.32
Database version: 1653
Windows 6.0.6001 Service Pack 1

1/14/2009 6:04:05 PM
mbam-log-2009-01-14 (18-04-05).txt

Scan type: Quick Scan
Objects scanned: 46722
Time elapsed: 4 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Default\My Documents\My Music\New Song.lagu (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Music\Video.vidz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Pictures\aweks.pikz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Pictures\seram.pikz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Delete on reboot.


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:39 PM, on 1/14/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
O4 - HKLM\..\Run: [ArcadeDeluxeAgent] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe"
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: CLHNService - Unknown owner - C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe

--
End of file - 7771 bytes

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member sonja only. If you are a lurker, do NOT try this on your system!
If you are not sonja and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.

STEP01
Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.
* Double-click on the My Computer icon.
* Select the Tools menu and click Folder Options.
* After the new window appears select the View tab.
* Put a checkmark in the checkbox labeled Display the contents of system folders.
* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
* Remove the checkmark from the checkbox labeled Hide protected operating system files.
* Press the Apply button and then the OK button and exit My Computer.
* Now your computer is configured to show all hidden files.


STEP02

Download and install CCleaner
• CCleaner
• Double-click on the downloaded file "ccsetup215.exe" and install the application.
• Keep the default installation folder "C:\Program Files\CCleaner"
• Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
• Click finish when done and close ALL PROGRAMS
• Start the CCleaner program.
• Click on Registry and Uncheck Registry Integrity so that it does not run
• Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
• Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
• Click on Run Cleaner button on the bottom right side of the program.
• Click OK to any prompts

STEP03
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
This should apply to AVG8:
To disable the Resident Shield, please:
open AVG User Interface
double-click on the Resident Shield
un-tick the option Resident Shield active
save the changes.

STEP04
Please download and run the following file to repair file and registry permissions
fixacl.exe

STEP05

• Download FixPolicies.exe by Bill Castner and save it to your desktop.
• Double click on FixPolicies.exe to run it.
• Click on Install. It will create a folder named FixPolicies on your desktop.
• Open the FixPolicies folder.
• Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly this is normal.
• Reboot your computer after it runs
• This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
• Note: some malware will block the running of this tool. So if you cannot run Fixpolicies, then, RENAME the EXE file to something like Mytool.exe and then run it.

STEP06
Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip
Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install

STEP07
If you have a prior copy of Combofix, delete it now !

Download ComboFix from one of these locations, saving to DESKTOP:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
• Double click on Combo-Fix.exe & follow the prompts.
  
• If and only if you are prompted to download a new version of Combofix, reply NO .
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:

then, be sure to write down fully and also copy that into your next reply here and then await for my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.

Please then reply with a copy of C:\Combofix.txt, and a new HijackThis

RE-Enable your AntiVirus and AntiSpyware applications.

I've followed along great up to Step 7.

I've saved ComboFix onto my desktop. When I ran it, I didn't get anything about the Recovery Console (which I figure was ok, perhaps it's standard with Vista). It then starts running, and then it halts at this:

Completed Stage_50

'"C:\Windows\system32\"' is not recognized as an internal or external command, operable program or batch file.

The quotes are a ' followed by a ".

Please run this. START - RUN and type in ComboFix.exe /U or if you renamed it to what you named it.

Then make sure this folder is deleted C:\QooBox\LastRun
Make sure you clear your cache in the browser and turn off your screen saver and power saver



Then download a new copy and try running it again as instructed.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Click Yes to allow ComboFix to continue scanning for malware.
• When the tool is finished, it will produce a report for you.
• Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

Thanks! That worked a lot better.

Here's the ComboFix log:

ComboFix 09-01-15.01 - DarkFriend 2009-01-16 18:36:43.8 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1976.1239 [GMT 0:00]
Running from: c:\users\DarkFriend\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.

2009-01-16 18:19 . 2009-01-16 18:20 <DIR> d-------- C:\Combo-Fix
2009-01-15 19:18 . 2009-01-15 19:18 <DIR> d-------- c:\program files\CCleaner
2009-01-15 19:06 . 2009-01-15 19:06 <DIR> d-------- c:\program files\VS Revo Group
2009-01-13 22:51 . 2008-12-16 02:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-13 20:07 . 2009-01-13 20:07 <DIR> d-------- c:\users\DarkFriend\DoctorWeb
2009-01-12 14:06 . 2008-10-06 18:03 3,195 --a------ C:\Patch.rev
2009-01-12 14:05 . 2009-01-12 14:06 <DIR> d-------- c:\program files\Preload
2009-01-12 14:05 . 2008-07-17 20:27 380,928 --a------ c:\windows\AcerStore.exe
2009-01-12 14:05 . 2008-05-09 13:58 49,152 --a------ c:\windows\Interop.IWshRuntimeLibrary.dll
2009-01-12 14:05 . 2009-01-12 14:05 1,302 --a------ c:\windows\AceSto02.cfg
2009-01-12 14:05 . 2009-01-12 14:05 1,279 --a------ c:\windows\System32\AcerScre.cfg
2009-01-12 14:03 . 2009-01-12 14:03 361,984 --a------ c:\windows\System32\IPSECSVC.DLL
2009-01-12 13:59 . 2009-01-12 13:59 12,240,896 --a------ c:\windows\System32\NlsLexicons0007.dll
2009-01-12 13:59 . 2009-01-12 13:59 2,644,480 --a------ c:\windows\System32\NlsLexicons0009.dll
2009-01-12 13:59 . 2009-01-12 13:59 801,280 --a------ c:\windows\System32\NaturalLanguage6.dll
2009-01-12 13:58 . 2009-01-12 13:58 891,448 --a------ c:\windows\System32\drivers\tcpip.sys
2009-01-12 13:58 . 2009-01-12 13:58 784,896 --a------ c:\windows\System32\rpcrt4.dll
2009-01-12 13:58 . 2009-01-12 13:58 430,080 --a------ c:\windows\System32\vbscript.dll
2009-01-12 13:58 . 2009-01-12 13:58 180,224 --a------ c:\windows\System32\scrobj.dll
2009-01-12 13:58 . 2009-01-12 13:58 172,032 --a------ c:\windows\System32\scrrun.dll
2009-01-12 13:58 . 2009-01-12 13:58 155,648 --a------ c:\windows\System32\wscript.exe
2009-01-12 13:58 . 2009-01-12 13:58 135,168 --a------ c:\windows\System32\wshom.ocx
2009-01-12 13:58 . 2009-01-12 13:58 135,168 --a------ c:\windows\System32\cscript.exe
2009-01-12 13:58 . 2009-01-12 13:58 90,112 --a------ c:\windows\System32\wshext.dll
2009-01-12 13:58 . 2009-01-12 13:58 72,192 --a------ c:\windows\System32\drivers\pacer.sys
2009-01-12 13:58 . 2009-01-12 13:58 15,360 --a------ c:\windows\System32\pacerprf.dll
2009-01-12 13:57 . 2009-01-12 13:57 885,248 --a------ c:\windows\System32\RacEngn.dll
2009-01-12 13:57 . 2009-01-12 13:57 9,127 --a------ c:\windows\System32\RacUR.xml
2009-01-12 13:57 . 2009-01-12 13:57 153 --a------ c:\windows\System32\RacUREx.xml
2009-01-12 13:56 . 2009-01-12 13:56 1,314,816 --a------ c:\windows\System32\quartz.dll
2009-01-12 13:56 . 2009-01-12 13:56 113,664 --a------ c:\windows\System32\drivers\rmcast.sys
2009-01-12 13:55 . 2009-01-12 13:55 57,856 --a------ c:\windows\System32\MSDvbNP.ax
2009-01-12 13:54 . 2009-01-12 13:54 1,695,744 --a------ c:\windows\System32\gameux.dll
2009-01-12 13:52 . 2009-01-12 13:52 988,216 --a------ c:\windows\System32\winload.exe
2009-01-12 13:52 . 2009-01-12 13:52 927,288 --a------ c:\windows\System32\winresume.exe
2009-01-12 13:52 . 2009-01-12 13:52 615,992 --a------ c:\windows\System32\ci.dll
2009-01-12 13:52 . 2009-01-12 13:52 378,368 --a------ c:\windows\System32\srcore.dll
2009-01-12 13:52 . 2009-01-12 13:52 318,464 --a------ c:\windows\System32\rstrui.exe
2009-01-12 13:52 . 2009-01-12 13:52 46,592 --a------ c:\windows\System32\setbcdlocale.dll
2009-01-12 13:52 . 2009-01-12 13:52 40,960 --a------ c:\windows\System32\srclient.dll
2009-01-12 13:52 . 2009-01-12 13:52 19,000 --a------ c:\windows\System32\kd1394.dll
2009-01-12 13:52 . 2009-01-12 13:52 14,848 --a------ c:\windows\System32\srdelayed.exe
2009-01-12 13:52 . 2009-01-12 13:52 6,656 --a------ c:\windows\System32\kbd106n.dll
2009-01-12 13:51 . 2009-01-12 13:51 <DIR> d-------- c:\windows\Users
2009-01-12 13:14 . 2009-01-12 13:14 <DIR> d-------- c:\windows\System32\Lang
2009-01-12 13:14 . 2008-07-16 23:27 920,088 --a------ c:\windows\System32\igxpun.exe
2009-01-12 13:14 . 2006-11-10 17:25 319,456 --a------ c:\windows\System32\difxapi.dll
2009-01-12 13:13 . 2008-05-07 01:41 6,416,928 --a------ c:\windows\system\DriveIcon.dll
2009-01-12 13:13 . 2008-08-12 21:33 61,440 --a------ c:\windows\System32\drivers\RTSTOR.sys
2009-01-12 13:13 . 2004-07-01 00:24 5,430 --a------ c:\windows\system\MyMulti.ico
2009-01-12 13:13 . 2009-01-12 13:13 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-01-11 13:33 . 2009-01-11 13:33 250 --a------ c:\windows\gmer.ini
2009-01-10 16:57 . 2009-01-10 16:57 <DIR> d-------- c:\program files\Trend Micro
2009-01-10 16:36 . 2009-01-10 16:36 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-10 14:42 . 2008-08-05 09:49 428,544 --a------ c:\windows\System32\EncDec.dll
2009-01-10 14:42 . 2008-08-05 09:49 293,376 --a------ c:\windows\System32\psisdecd.dll
2009-01-10 14:42 . 2008-08-05 09:48 217,088 --a------ c:\windows\System32\psisrndr.ax
2009-01-10 14:42 . 2008-08-05 09:48 177,664 --a------ c:\windows\System32\mpg2splt.ax
2009-01-10 14:42 . 2008-09-18 04:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2009-01-10 14:42 . 2008-09-18 04:56 125,952 --a------ c:\windows\System32\wersvc.dll
2009-01-10 14:42 . 2008-08-05 09:48 80,896 --a------ c:\windows\System32\MSNP.ax
2009-01-10 14:39 . 2008-10-29 06:29 2,927,104 --a------ c:\windows\explorer.exe
2009-01-10 14:39 . 2008-08-02 01:01 625,152 --a------ c:\windows\System32\drivers\dxgkrnl.sys
2009-01-10 14:39 . 2008-06-26 03:29 565,248 --a------ c:\windows\System32\emdmgmt.dll
2009-01-10 14:39 . 2008-08-12 03:39 443,392 --a------ c:\windows\System32\win32spl.dll
2009-01-10 14:39 . 2008-06-26 03:29 303,616 --a------ c:\windows\System32\wmpeffects.dll
2009-01-10 14:39 . 2008-10-22 03:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2009-01-10 14:39 . 2008-08-27 01:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2009-01-10 14:39 . 2008-05-20 02:07 148,480 --a------ c:\windows\System32\drivers\nwifi.sys
2009-01-10 14:39 . 2008-06-26 03:29 45,056 --a------ c:\windows\System32\dataclen.dll
2009-01-10 14:39 . 2008-08-02 03:26 36,864 --a------ c:\windows\System32\cdd.dll
2009-01-10 14:38 . 2008-10-21 05:25 1,645,568 --a------ c:\windows\System32\connect.dll
2009-01-10 14:34 . 2009-01-10 14:34 <DIR> d-------- c:\users\DarkFriend\AppData\Roaming\Malwarebytes
2009-01-10 14:34 . 2009-01-10 14:34 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-01-10 14:34 . 2009-01-10 14:34 <DIR> d-------- c:\programdata\Malwarebytes
2009-01-10 14:34 . 2009-01-10 14:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-10 14:34 . 2009-01-05 02:38 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-01-10 14:34 . 2009-01-05 02:38 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-01-10 14:30 . 2008-10-16 21:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2009-01-10 14:30 . 2008-10-16 20:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2009-01-10 14:30 . 2008-10-16 21:12 561,688 --a------ c:\windows\System32\wuapi.dll
2009-01-10 14:30 . 2008-10-16 22:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2009-01-10 14:30 . 2008-10-16 20:55 83,456 --a------ c:\windows\System32\wudriver.dll
2009-01-10 14:30 . 2008-10-16 21:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2009-01-10 14:30 . 2008-10-16 21:09 43,544 --a------ c:\windows\System32\wups2.dll
2009-01-10 14:30 . 2008-10-16 21:08 34,328 --a------ c:\windows\System32\wups.dll
2009-01-10 14:30 . 2008-10-16 21:56 31,232 --a------ c:\windows\System32\wuapp.exe
2009-01-10 14:23 . 2009-01-10 14:23 <DIR> dr------- c:\users\DarkFriend\Videos
2009-01-10 14:23 . 2009-01-10 14:23 <DIR> dr------- c:\users\DarkFriend\Searches
2009-01-10 14:23 . 2009-01-10 14:23 <DIR> dr------- c:\users\DarkFriend\Pictures
2009-01-10 14:23 . 2009-01-10 14:23 <DIR> dr------- c:\users\DarkFriend\Music
2009-01-10 14:23 . 2009-01-10 14:23 <DIR> dr------- c:\users\DarkFriend\Contacts
2009-01-10 14:23 . 2009-01-10 14:23 <DIR> d-------- c:\program files\Google
2009-01-10 14:23 . 2009-01-10 14:23 <DIR> d--hs---- C:\$RECYCLE.BIN
2009-01-10 14:21 . 2009-01-10 14:21 16,062 --a------ c:\windows\System32\results.xml
2009-01-10 14:20 . 2009-01-10 14:23 <DIR> dr------- c:\users\DarkFriend\Saved Games
2009-01-10 14:20 . 2009-01-10 14:23 <DIR> dr------- c:\users\DarkFriend\Links
2009-01-10 14:20 . 2009-01-15 19:48 <DIR> dr------- c:\users\DarkFriend\Downloads
2009-01-10 14:20 . 2009-01-10 14:23 <DIR> dr------- c:\users\DarkFriend\Documents
2009-01-10 14:20 . 2006-11-02 12:37 <DIR> d-------- c:\users\DarkFriend\AppData\Roaming\Media Center Programs
2009-01-10 14:20 . 2008-04-30 09:52 <DIR> d-------- c:\users\DarkFriend\AppData\Roaming\Acer GameZone Console
2009-01-10 14:20 . 2009-01-10 14:21 <DIR> d--h----- c:\users\DarkFriend\AppData
2009-01-10 14:20 . 2009-01-13 20:07 <DIR> d-------- c:\users\DarkFriend
2009-01-10 14:17 . 2009-01-10 14:17 <DIR> dr------- c:\windows\System32\config\systemprofile\Contacts
2009-01-10 07:09 . 2009-01-16 17:53 <DIR> d-------- c:\windows\System32\drivers\Avg
2009-01-10 07:09 . 2009-01-10 07:09 <DIR> d-------- c:\users\All Users\avg8
2009-01-10 07:09 . 2009-01-10 07:09 <DIR> d-------- c:\programdata\avg8
2009-01-10 07:09 . 2009-01-10 07:09 <DIR> d-------- c:\program files\AVG
2009-01-10 07:09 . 2009-01-10 07:09 97,928 --a------ c:\windows\System32\drivers\avgldx86.sys
2009-01-10 07:09 . 2009-01-10 07:09 10,520 --a------ c:\windows\System32\avgrsstx.dll
2009-01-10 06:52 . 2008-10-02 01:32 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-01-10 06:49 . 2008-10-22 01:22 2,048 --a------ c:\windows\System32\tzres.dll
2009-01-10 06:47 . 2009-01-10 06:47 <DIR> d-------- c:\program files\MSXML 4.0
2009-01-10 06:44 . 2008-11-01 01:21 4,240,384 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2009-01-10 06:44 . 2008-10-16 04:47 827,392 --a------ c:\windows\System32\wininet.dll
2009-01-10 06:44 . 2008-11-01 03:44 28,672 --a------ c:\windows\System32\Apphlpdm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 19:11 --------- d-----w c:\programdata\McAfee
2009-01-14 00:52 --------- d-----w c:\program files\Windows Mail
2009-01-12 17:25 --------- d-----w c:\programdata\SiteAdvisor
2009-01-12 13:54 2,560 ----a-w c:\windows\AppPatch\AcRes.dll
2009-01-12 13:51 28,728 ----a-w c:\windows\system32\drivers\msahci.sys
2009-01-12 13:51 21,560 ----a-w c:\windows\system32\drivers\atapi.sys
2009-01-12 13:13 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-21 05:25 296,960 ----a-w c:\windows\System32\gdi32.dll
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 c:\windows\System32\oobefldr.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-22 1037608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-04-10 147456]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-04-10 167936]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-04-18 167936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 145944]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-01-10 24064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-10 1261336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2C411C84-53D6-4469-905E-392FC486B67F}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{A4A230D8-3309-46A5-9896-1A2A466106F6}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CBFCEE09-B268-40D0-9B98-8253B9881C48}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{0F388B47-814E-4F3F-82B2-859760D32881}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{0B538B91-DA99-4709-B4D4-0B6AC6ADA895}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{782B1532-616A-4555-933B-0D7A609CB435}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{55E5AC1D-E66C-4A6D-AB6E-40A1926AA6D5}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{5B94FB7E-4F9E-4B8F-BE1F-9FE57EAFC1EE}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{BA5EEAC4-BBD4-4655-BAE8-94F3EE16812F}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{D5A0E150-9516-42DF-B866-BED21BA3EFA0}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{50D7FB1E-66D8-435A-98F7-DFFA0E9B02E7}"= c:\program files\Acer Arcade Deluxe\PlayMovie\PlayMovie.exe:Acer Play Movie
"{1C65A0D9-F940-4663-9FEB-5289907DAE59}"= c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe:Acer Play Movie Resident Program
"{07B34CE5-90CF-46CF-ABCD-20CFC2ECD58A}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:Acer HomeMedia
"{93D34F48-1519-4A44-B64D-1913B73EBCEF}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-01-10 97928]
R4 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-04-30 09:58:49 61424]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-10 231704]
R4 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
R4 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-04-30 81504]
R4 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-04-30 24576]
R4 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
R4 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-04-30 122368]
R4 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2008-01-21 179712]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-01-10 24064]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://en.us.acer.yahoo.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 18:37:54
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-16 18:39:40
ComboFix-quarantined-files.txt 2009-01-16 18:39:34

Pre-Run: 43,812,237,312 bytes free
Post-Run: 43,579,465,728 bytes free

214 --- E O F --- 2009-01-14 00:52:41


And the HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:17 PM, on 1/16/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Acer\Empowering Technology\Framework.Launcher.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
O4 - HKLM\..\Run: [ArcadeDeluxeAgent] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe"
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: CLHNService - Unknown owner - C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe

--
End of file - 5552 bytes

Good. Okay, now please run this.

Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Update
• When the update is complete, select the Scanner tab
• Select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the reboot run HJT Do a system scan and save a logfile
The post back NEW MBAM and HJT logs in that order please.

MBAM Log:

Malwarebytes' Anti-Malware 1.33
Database version: 1659
Windows 6.0.6001 Service Pack 1

1/16/2009 10:22:36 PM
mbam-log-2009-01-16 (22-22-36).txt

Scan type: Quick Scan
Objects scanned: 44057
Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Default\My Documents\My Music\New Song.lagu (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Music\Video.vidz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Pictures\aweks.pikz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Pictures\seram.pikz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Delete on reboot.


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:36 PM, on 1/16/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
O4 - HKLM\..\Run: [ArcadeDeluxeAgent] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe"
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: CLHNService - Unknown owner - C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe

--
End of file - 5445 bytes

Please reboot the computer as requested and run the update, scan again.

Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Update
• When the update is complete, select the Scanner tab
• Select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the reboot run HJT Do a system scan and save a logfile
The post back NEW MBAM and HJT logs in that order please.

MBAM Log:

Malwarebytes' Anti-Malware 1.33
Database version: 1659
Windows 6.0.6001 Service Pack 1

1/16/2009 10:55:28 PM
mbam-log-2009-01-16 (22-55-28).txt

Scan type: Quick Scan
Objects scanned: 43995
Time elapsed: 2 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Default\My Documents\My Music\New Song.lagu (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Music\Video.vidz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Pictures\aweks.pikz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Pictures\seram.pikz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Delete on reboot.


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:05 PM, on 1/16/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
O4 - HKLM\..\Run: [ArcadeDeluxeAgent] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe"
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: CLHNService - Unknown owner - C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe

--
End of file - 5412 bytes

Please download this tool Junction.zip
Open it and copy both the files to the top folder of C:\

Please locate and Right click and choose "Run as administrator" this shortcut "Start" > "All Programs" > "Accessories" > "Command Prompt"
You should now be able to type junction and press the Enter key. An End User License Agreement should popup and click OK to accept.

Then type in, or Copy/Paste the following command in the DOS Prompt to generate a report.



Then open C:\MBAM_REPORT.TXT and post that on your next reply please.

Vista has a built-in command for this but I'm not sure if it works properly because it seemed to fail when another user ran it to obtain similar data.
Depending on the size and speed of your computer it may take it a few minutes to complete.

Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

\\?\C:\\Documents and Settings: JUNCTION
Print Name : C:\Users
Substitute Name: C:\Users


Failed to open \\?\C:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\C:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\C:\\System Volume Information: Access is denied.


...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

.\\?\C:\\ProgramData\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\C:\\ProgramData\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\C:\\ProgramData\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\C:\\ProgramData\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\C:\\ProgramData\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\C:\\ProgramData\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

.\\?\C:\\Users\All Users: UNKNOWN MICROSOFT REPARSE POINT

\\?\C:\\Users\Default User: JUNCTION
Print Name : C:\Users\Default
Substitute Name: C:\Users\Default

\\?\C:\\Users\All Users\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\C:\\Users\All Users\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\C:\\Users\All Users\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\C:\\Users\All Users\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\C:\\Users\All Users\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\C:\\Users\All Users\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

.

\\?\C:\\Users\DarkFriend\Application Data: JUNCTION
Print Name : C:\Users\DarkFriend\AppData\Roaming
Substitute Name: C:\Users\DarkFriend\AppData\Roaming

\\?\C:\\Users\DarkFriend\Cookies: JUNCTION
Print Name : C:\Users\DarkFriend\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\DarkFriend\AppData\Roaming\Microsoft\Windows\Cookies

\\?\C:\\Users\DarkFriend\Local Settings: JUNCTION
Print Name : C:\Users\DarkFriend\AppData\Local
Substitute Name: C:\Users\DarkFriend\AppData\Local

\\?\C:\\Users\DarkFriend\My Documents: JUNCTION
Print Name : C:\Users\DarkFriend\Documents
Substitute Name: C:\Users\DarkFriend\Documents

\\?\C:\\Users\DarkFriend\NetHood: JUNCTION
Print Name : C:\Users\DarkFriend\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\DarkFriend\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\C:\\Users\DarkFriend\PrintHood: JUNCTION
Print Name : C:\Users\DarkFriend\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\DarkFriend\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\C:\\Users\DarkFriend\Recent: JUNCTION
Print Name : C:\Users\DarkFriend\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\DarkFriend\AppData\Roaming\Microsoft\Windows\Recent

\\?\C:\\Users\DarkFriend\SendTo: JUNCTION
Print Name : C:\Users\DarkFriend\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\DarkFriend\AppData\Roaming\Microsoft\Windows\SendTo

\\?\C:\\Users\DarkFriend\Start Menu: JUNCTION
Print Name : C:\Users\DarkFriend\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\DarkFriend\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\C:\\Users\DarkFriend\Templates: JUNCTION
Print Name : C:\Users\DarkFriend\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\DarkFriend\AppData\Roaming\Microsoft\Windows\Templates

\\?\C:\\Users\DarkFriend\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\DarkFriend\AppData\Local
Substitute Name: C:\Users\DarkFriend\AppData\Local

\\?\C:\\Users\DarkFriend\AppData\Local\History: JUNCTION
Print Name : C:\Users\DarkFriend\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\DarkFriend\AppData\Local\Microsoft\Windows\History

\\?\C:\\Users\DarkFriend\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\DarkFriend\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\DarkFriend\AppData\Local\Microsoft\Windows\Temporary Internet Files

..\\?\C:\\Users\Default\Application Data: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming
Substitute Name: C:\Users\Default\AppData\Roaming

\\?\C:\\Users\Default\Local Settings: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\C:\\Users\Default\Music: JUNCTION
Print Name : C:\Users\Default\Music
Substitute Name: C:\Users\Default\Music

\\?\C:\\Users\Default\My Documents: JUNCTION
Print Name : C:\Users\Default\Documents
Substitute Name: C:\Users\Default\Documents

\\?\C:\\Users\Default\NetHood: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\C:\\Users\Default\Pictures: JUNCTION
Print Name : C:\Users\Default\Pictures
Substitute Name: C:\Users\Default\Pictures

\\?\C:\\Users\Default\PrintHood: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\C:\\Users\Default\Recent: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

\\?\C:\\Users\Default\SendTo: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

\\?\C:\\Users\Default\Start Menu: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\C:\\Users\Default\Templates: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

\\?\C:\\Users\Default\Videos: JUNCTION
Print Name : C:\Users\Default\Videos
Substitute Name: C:\Users\Default\Videos

\\?\C:\\Users\Default\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\C:\\Users\Default\AppData\Local\History: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\History

\\?\C:\\Users\Default\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\C:\\Users\Default\AppData\Local\Microsoft\Windows\History: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\History

\\?\C:\\Users\Default\Documents\My Music: JUNCTION
Print Name : C:\Users\Default\Music
Substitute Name: C:\Users\Default\Music

\\?\C:\\Users\Default\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Default\Pictures
Substitute Name: C:\Users\Default\Pictures

\\?\C:\\Users\Default\Documents\My Videos: JUNCTION
Print Name : C:\Users\Default\Videos
Substitute Name: C:\Users\Default\Videos

\\?\C:\\Users\Public\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\C:\\Users\Public\Documents\My Music: JUNCTION
Print Name : C:\Users\Public\Music
Substitute Name: C:\Users\Public\Music

\\?\C:\\Users\Public\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Public\Pictures
Substitute Name: C:\Users\Public\Pictures

\\?\C:\\Users\Public\Documents\My Videos: JUNCTION
Print Name : C:\Users\Public\Videos
Substitute Name: C:\Users\Public\Videos

.

...

...

...

...

...

...

...

...

...

...

...

...


Failed to open \\?\C:\\Windows\System32\LogFiles\WMI\RtBackup: Access is denied.


...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

Was there more of the log? If its too big to post please attach the file.

Thanks.

I think that's all there was. I'm attaching the file just in case.

Yes the file was fully posted. Thanks.

Well that is odd. Can you see or access these folders or files at all?

C:\Users\Default\My Documents\My Music\New Song.lagu
C:\Users\Default\My Documents\My Music\Video.vidz
C:\Users\Default\My Documents\My Pictures\aweks.pikz
C:\Users\Default\My Documents\My Pictures\seram.pikz
C:\Users\Default\My Documents\My Music\My Music.url
C:\Users\Default\My Documents\My Pictures\My Pictures.url
C:\Users\Default\My Documents\My Videos\My Video.url

This has been reported by a few users and on other sites and they all say they're junction files but your report seems to say otherwise.
If you can see them do they have any special look to them? Can your right click any of them and do a PROPERTIES on them?

That's the weird part to me too... I still have all the folder viewing options set as in a previous post, and in Windows Explorer, I only have two folders showing in my C:\users folder - neither one of them titled 'Default' (one named 'DarkFriend' and one 'Public').

In those folders, I have folders named 'Documents' but not 'My Documents'.

When I try typing in the direct path in the location bar, I can get a folder with 'C:\users\default\' but not with anything beyond that. It's a similar story if I try to browse the directories in the command prompt.

Quite perplexing. Let me do a bit more research and see what I can find.

Did you create or is your logon name DarkFriend?

Yes, I created the name DarkFriend - I'm still new to Vista (ugh) and I'm not sure if DarkFriend is my log on and the name of the computer, or if they're one and the same, but it was something that was prompted upon initial run of the machine.

Just for the heck of it can you try this please.

Start that Run As Administrator DOS prompt as shown before.

Then type in this command.



Then see if you get an error or if it does copy the file.

Nope, didn't copy anything... I got the following:

'c:\Users\Default\My' is not recognized as an internal or external command, operable program or batch file.

I think you may have typed it wrong.
If anything you should have gotten back this error The system cannot find the path specified

The error you posted is from an incomplete command.

Please make sure you include the quote marks " around the path as shown.

Ok, included the quote marks this time, and got the "The system cannot find the file spcified" message.

Well not sure what else we can do to locate these entries without maybe using some type of Boot CD to try to track it down.

There are some very experienced Helpers from another site that assures users that this is not a security issue.
I'm not comfortable enough to make that statement on my own though so it's up to you what you'd like to do at this time.

Possible Options

1. Burn some bootable Anti-Virus CDs to do further testing.
2. Try some online scans at various Anti-Virus sites
3. Take it to a shop where someone that has experience with security can review it (not just the average PC repair shop)
4. FDISK, Format, and re-install the OS from CD/DVD or an OEM partition recovery process.
5. Ignore it and assume the Expert from the other site is correct.

Bottom line for me would be that if I can't find or determine what they are, how they got there, or how to remove then I would not ever trust the computer again for any type of Banking or online shopping or other features that required the use of personal information or passwords.

Please let me know if there is something I can help you with but at this point I only know to use some external tools to try and track this down.
Maybe there is some DLL file or system driver loaded that is masquerading these folders?

Hi there,

Truly, thank you for all you've tried to do to this point - I agree that it could be nothing, but it's really not something I would want to risk either. I think at one point I tried a Panda scan that came up negative (it's hard to keep track of everything I've tried at this point!). I'm definitely leaning more towards the reformat option - I haven't yet put anything on the computer, as I detected the viruses less than a week after purchasing it.

However, I'm new to Vista - do you have any good links on how to reformat and re-install vista given that the computer did not ship with any installation disks? I burned recovery disks as directed right out of the box, and there is a small partition (i would assume) with some files on it. Would reformatting be much different than just using the recovery disks (I have tried that and still had these viruses show up).

Cheers,
Sonja

Well it sounds like you have a new system that has a Recovery Option built-in. That basically will re-install everything back to the way it came from the factory. Different system run it differently. You should have a manual or small sheet that came with the system that details how to do it.
You can also look online for your system and they should be able to tell you how. Maybe like an F11 key?

Then stay off line until your sure your system is updated with latest AV. Burn definitions to CD if you can to run while off line.
Make sure your firewall is on.
Download and burn the latest MBAM and rules file for it to a CD and install that offline and update it and scan to see if those same files/folders are still there. It could be something the MFG has done to the install.

I've done all the above, and come up with the same trojan.zlob and backdoor.bot instances that I had before (and in the same locations). Am I correct in assuming that this means the files used to restore my computer to factory settings (in this, from the recovery partition) are where the infection is coming from?

Would this also mean that my only leftover option is to contact Acer for new recovery disks or to purchase the vista browser and install from the box?

That doesn't sound correct. Are you sure you did not connect to the Internet and browse any location before being fully patched and up to date on Anti-Virus?


Turn off System Restore-Vista

• Click the Vista/Start icon.
• Right Click >> Computer
• Click Properties.
• Click the System Protection tab.
• Uncheck All drives
• Click "Turn Off System Restore" at the prompt then click "Apply".
• Restart your computer.

Turn ON System Restore-Vista

• Click the Vista/Start icon
• Right Click >> Computer
• Click Properties.
• Click the System Protection tab.
• Checkmark All drives that were selected previously then click "Apply".

This will remove all restore points except the new one you just created.


Then please scan ALL the drives including the Recovery Partition with up to date Anti-Virus software.
Let me know what it finds please. It is possible that Acer unknowing shipped an infected image but often that is posted in public pretty quickly when something like that happens.

Having the Vundo infection is okay per say as we can get rid of that, but I want to make sure those files/folders are not still there.

After the Anti-Virus scan please run an up to date MBAM scan and post that log please.

Yes, I'm quite sure I didn't access the internet at all before running the scan - I had turned wi-fi off, and hadn't even put in my network key to connect to the internet.

I scanned all drives with my antivirus software - except that the recovery partition seems to be a hidden drive, even tweaking file and folder options kept me from seeing the drive. There were no viruses found. So far, MBAM is the only software that has detected the virus. It remains that the exact same files are found and yet are not there at the same time. I guess that a lot of others may have this computer and be unaware of it - the computer certainly doesn't act as though it is infected and most other security software seems to overlook it. Perhaps this is why it hasn't been made more public on the internet?

Here's the MBAM Log:

Malwarebytes' Anti-Malware 1.33
Database version: 1666
Windows 6.0.6001 Service Pack 1

1/18/2009 3:53:50 PM
mbam-log-2009-01-18 (15-53-50).txt

Scan type: Quick Scan
Objects scanned: 46047
Time elapsed: 1 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\ProgramData\Partner\partner.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{86676e13-d6d8-4652-9fcf-f2047f1fb000} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ProgramData\Partner\partner.dll (Trojan.BHO) -> Delete on reboot.
C:\Users\Default\My Documents\My Music\New Song.lagu (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Music\Video.vidz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Pictures\aweks.pikz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Pictures\seram.pikz (Backdoor.Bot) -> Delete on reboot.
C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Delete on reboot.
C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Delete on reboot.

Not really sure what to say but it would seem that maybe Acer shipped it that way. The odd thing though is that there are other systems out there with quite similar, but different names. Had Acer shipped it that way I would expect the image they used to be the same file names.

I don't want to give you bad advice, but again, only speaking for myself. I personally just could not trust the system as it is.

Please download GMER and use it to browse to this file location and lets see if you can see them with that tool. You seem to know a bit of what you're doing so I'm sure you can operate the tool manually. If you need help let me know though.

Please download the following scanning tool. GMER
RESTART the computer and then once back on, shut down ALL applications and run it.

Start it, then do a scan, then click on the tab button that has symbols like this > > > > and go to Files and from there browse and try to locate these entries.

Please let me know what you find.

Hi Sonja,

Well I've spoken with one of the developers and it would appear that this is probably caused by a virtual account on Vista machines.
GMER may or may not see it as well, but it appears this is not really anything to worry about as the other helper said. It's just how the low level driver is reading this account and marks it.

Please go into the Quarantine tab of MBAM and restore this file.
C:\ProgramData\Partner\partner.dll

Please click on START - RUN - and type in mbam.exe /developer and hit OK then click and run a Quick Scan.
This will produce a developer log so that we can review more details on the partner.dll file.

I'm really sorry about all the trouble you've gone through with this but I only learned tonight that these other entries were nothing to worry about.


When that scan is done please post back the log.

Thanks again for all your help. I have done the GMER thing, but was not able to locate the files. I unquarantined the partner.dll file and ran another MBAM log, which I've included below.

Fortunately, we are still within the window where we can return the machine, so I think we're going to do that. Perhaps with what your developer friend said it's a bit paranoid, but it's really not a chance I want to take, and certainly I don't expect to pay for a machine that comes with this much hassle out of the box. I certainly do appreciate all the help you've been able to give over the past week and a half!

Cheers,
Sonja

Malwarebytes' Anti-Malware 1.33
Database version: 1666
Windows 6.0.6001 Service Pack 1

1/20/2009 12:49:06 PM
mbam-log-2009-01-20 (12-49-06).txt

Scan type: Quick Scan
Objects scanned: 45858
Time elapsed: 1 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Default\My Documents\My Music\New Song.lagu (Backdoor.Bot) -> Delete on reboot. [3857535134303566687669808083153580851301362761548470838461377071668677856146900
13780688678707985846146900146868474686147708801528079721577667286]
C:\Users\Default\My Documents\My Music\Video.vidz (Backdoor.Bot) -> Delete on reboot. [3857535134303566687669808083153580851301362761548470838461377071668677856146900
13780688678707985846146900146868474686155746970801587746991]
C:\Users\Default\My Documents\My Pictures\aweks.pikz (Backdoor.Bot) -> Delete on reboot. [3857535134303566687669808083153580851301362761548470838461377071668677856146900
13780688678707985846146900149746885868370846166887076841581747691]
C:\Users\Default\My Documents\My Pictures\seram.pikz (Backdoor.Bot) -> Delete on reboot. [3857535134303566687669808083153580851301362761548470838461377071668677856146900
13780688678707985846146900149746885868370846184708366781581747691]
C:\Users\Default\My Documents\My Music\My Music.url (Trojan.Zlob) -> Delete on reboot. [3857535134305383807566791559778067130136276154847083846137707166867785614690013
7806886787079858461469001468684746861469001468684746815868377]
C:\Users\Default\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Delete on reboot. [3857535134305383807566791559778067130136276154847083846137707166867785614690013
7806886787079858461469001497468858683708461469001497468858683708415868377]
C:\Users\Default\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Delete on reboot. [3857535134305383807566791559778067130136276154847083846137707166867785614690013
780688678707985846146900155746970808461469001557469708015868377]

Thanks for the log again Sonja.

Its up to you but please be aware that at this time if you purchase another Acer system like that I would expect that we would still find that information on the new system as well.

Though, as you say. Out of the box the system should be reasonably well protected from an infection so easily. What ever you decide just make sure you get Anti-Virus updated right away as well as the Microsoft Security Updates. If there is an older version of Java or Acrobat Reader on it then remove them and get the latest versions.

I have alerted the developers of your new log post.

Thanks again and let me know what you decide please as I will go ahead and soon close this post since your current system appears to be clean based on the current information and logs.

Thanks again! I think though that this was the last straw for me as far as PCs and Microsoft goes. I think I might join the evil empire of Mac...

ROFL - No problem but be warned that even the Mac is starting to come under attack these days. But much less than Windows.

Okay, well I go ahead and close this post tomorrow then and wish you the best.

Cheers.