Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Dave's Hijack log

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Dave's Hijack log

Unread postby DaveinthePeg » January 26th, 2009, 3:12 pm

Chuck,

I again ran the Ccleaner and got rid of the MalwareRemovalBot. I then tried to do the same for the Ask Toolbar. When I attempted this it gives me a message:

"we need to close your IE windows before uninstalling the Ask Toolbar. Click yes to close the open browsers""

Then I click YES and nothing happens... I click yes again and I can sit there forever and still nothing happens. Furthermore, I had just started up the computer and have not opened any IE windows and I don't see any open either.

I am stuck at this point.

Dave
DaveinthePeg
Regular Member
 
Posts: 21
Joined: January 22nd, 2009, 6:43 pm
Advertisement
Register to Remove

Re: Dave's Hijack log

Unread postby flashh4 » January 26th, 2009, 10:36 pm

Hi Dave, try and run the Malwarebytes program that i posted, just click the link and follow the instructions.
Then post the log.

Thanks
Chuck
User avatar
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming

Re: Dave's Hijack log

Unread postby DaveinthePeg » January 27th, 2009, 1:00 am

Chuck,

Ok, here is the proper Mawarebyte log... sorry about the mistake!

Malwarebytes' Anti-Malware 1.33
Database version: 1698
Windows 6.0.6001 Service Pack 1

26/01/2009 10:47:40 PM
mbam-log-2009-01-26 (22-47-40).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 140794
Time elapsed: 40 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b7da9462-6630-5ac2-ee70-437e4b6bf8d6} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b7da9462-6630-5ac2-ee70-437e4b6bf8d6} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b903080c-b4f0-d96c-1332-d22dddc6f61d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b903080c-b4f0-d96c-1332-d22dddc6f61d} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlaoscdeccqcv (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Wray Family\AppData\Local\Mozilla\Firefox\Profiles\hzbwl42j.default\Cache\D8AABD14d01 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Users\Wray Family\AppData\Roaming\MalwareRemovalBot\Quarantine\25-01-2009-09-35-53\171.qit (Adware.BHO) -> Quarantined and deleted successfully.
C:\Users\Wray Family\Downloads\setupxv.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Windows\avfwi2324.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\okrvn20502.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\qdaw4618.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\ceids88045.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\dsqq64560.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\System32\ncvzmhfzhtzc.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\nsadsoftinc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\nsm9B85.dll (Adware.BHO) -> Delete on reboot.


HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:31 PM, on 26/01/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\conime.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Users\Wray Family\AppData\Local\etrmnmon\etrmnmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\Program Files\Pantone\huey\hueyTray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACA ... pire_m1640
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACA ... pire_m1640
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Apanel] C:\ACERSW\config\SetApanel.cmd
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [etrmnmon] "C:\Users\Wray Family\AppData\Local\etrmnmon\etrmnmon.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ASETRES.EXE
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: hueyTray.lnk = C:\Program Files\Pantone\huey\hueyTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/ ... ontrol.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 10260 bytes


Ccleaner log:

Acer Assist
Acer eDataSecurity Management
Acer Empowering Technology
Acer ePerformance Management
Acer eSettings Management
Acer GameZone Console DTV 2.0.1.1
Acer Registration
Acer ScreenSaver
Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Photoshop 7.0
Adobe Reader 8.1.0
Agatha Christie Death on the Nile
Alice Greenfingers
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
ATI Catalyst Install Manager
Audacity 1.2.6
Azada
Backspin Billiards
Big Kahuna Reef
Bonjour
Bookworm Deluxe
Bricks of Egypt
Cake Mania
CCleaner (remove only)
Chicken Invaders 3
Chuzzle
Contextual Platform Adsoftinc
Diner Dash Flo on the Go
DPS
eSobi v2
Flip Words 2
Google Desktop
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Homeworkhelp.com Grammar
huey 1.0
iTunes
Jasc Animation Shop 3
Jasc Paint Shop Pro 9
Java(TM) 6 Update 7
Jewel Quest Solitaire
jZip
Kick N Rush
Mahjong Escape Ancient China
Mahjongg Artifacts
Malwarebytes' Anti-Malware
Microsoft Office Home and Student 2007
Microsoft Publisher 2002
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.0.5)
Mozilla Thunderbird (2.0.0.19)
MSXML 4.0 SP2 (KB954430)
Mystery Case Files - Huntsville
Mystery Solitaire - Secret Island
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
NVIDIA Drivers
PhotoNow!
PowerDirector (Acer DT)
PowerDVD 7.0 with 5.1ch
QuickTime
Realtek High Definition Audio Driver
RON Too1 Adsoftinc
Shaw Secure
TriplePlay Plus! in Japanese
Turbo Pizza
Windows Live Essentials
Windows Live Sign-in Assistant
Windows Live Upload Tool
Zuma Deluxe


Thanks,

Dave
DaveinthePeg
Regular Member
 
Posts: 21
Joined: January 22nd, 2009, 6:43 pm

Re: Dave's Hijack log

Unread postby flashh4 » January 28th, 2009, 8:51 am

Hi Dave, to continue.

Go to Start > Control Panel > Add or Remove Programs and remove the following: ( if present ).

Ask Toolbar



NEXT



:Remove bad HijackThis entries:
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
      O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
      O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

Please post a new HJT log, also let me know if you removed Ask Toolbar ??

Thanks
Chuck
User avatar
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming

Re: Dave's Hijack log

Unread postby DaveinthePeg » January 29th, 2009, 7:35 am

Hi Chuck,

I was able to get rid of the Ask Toolbar through the control panel/ delete programs.

Here is the new HJT log. I have to go out of town until Sunday for my daughter's hockey tournament so I won't be able to respond to your posts till then.

Thanks,

Dave

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:35:08 AM, on 29/01/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\conime.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Users\Wray Family\AppData\Local\etrmnmon\etrmnmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\Program Files\Pantone\huey\hueyTray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\rundll32.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACA ... pire_m1640
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACA ... pire_m1640
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Apanel] C:\ACERSW\config\SetApanel.cmd
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [etrmnmon] "C:\Users\Wray Family\AppData\Local\etrmnmon\etrmnmon.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ASETRES.EXE
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: hueyTray.lnk = C:\Program Files\Pantone\huey\hueyTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/ ... ontrol.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 9816 bytes
DaveinthePeg
Regular Member
 
Posts: 21
Joined: January 22nd, 2009, 6:43 pm

Re: Dave's Hijack log

Unread postby flashh4 » January 29th, 2009, 9:24 pm

Hi DaveinthePeg, lets continue.

Disabling Windows Defender temporarily and re-enabling it

  1. Go to Start > All Programs > Windows Defender.
  2. Click on Tools at the top.
  3. Under Settings, click on Options.
  4. Under Automatic scanning, uncheck (untick) Automatically scan my computer (recommended) box.
  5. Under Real-time protection options, uncheck (untick) Use real-time protection (recommended) box.
  6. Click on the Save button at the bottom right hand corner.

You may enable it after i give you the all clean speech !!

Re-enabling Windows Defender

  1. Go to Start > All Programs > Windows Defender.
  2. Click on Tools at the top.
  3. Under Settings, click on Options.
  4. Under Automatic scanning, check (tick) Automatically scan my computer (recommended) box.
  5. Under Real-time protection options, check (tick) Use real-time protection (recommended) box.
  6. Click on the Save button at the bottom right hand corner.


NEXT


Please download the Registry Search Tool from here (scroll down-there are also other tools on the page):
http://www.billsway.com/vbspage/
Unzip it to a convenient location such as your Desktop.
Make sure that your Antivirus / OS allows the use of the .vbs scripts. If prompted, make sure to allow the script.
Double click regsearch.vbs
Copy / Paste the following line into the Search Box:

conime.exe

then hit Ok
It may take a while to run.
It will tell you when it's done and offer to have you look at the file.
Say Yes, and when it opens copy/paste the content in your reply.

Thanks
Chuck
User avatar
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming

Re: Dave's Hijack log

Unread postby flashh4 » February 1st, 2009, 1:37 pm

Hi DaveinthePeg, are you still in need of assistance ?? Please respond before this topic is closed.

Thanks
Chuck
User avatar
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming

Re: Dave's Hijack log

Unread postby DaveinthePeg » February 1st, 2009, 6:04 pm

Hi Chuck,

I am back from my trip out of town so here is the log:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "conime.exe" 01/02/2009 4:03:24 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-consoleime_31bf3856ad364e35_6.0.6001.18000_none_b63a896057bb3b00]
"f!conime.exe"=hex:63,00,6f,00,6e,00,69,00,6d,00,65,00,2e,00,65,00,78,00,65,00

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6001.18000_001c50b5\ComponentFamilies\x86_microsoft-windows-consoleime_31bf3856ad364e35_none_624be001d4365e2a\f256!conime.exe]

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6001.18000_001c50b5\ComponentFamilies\x86_microsoft-windows-consoleime_31bf3856ad364e35_none_624be001d4365e2a\f256!conime.exe\7812184afc24f7a245d3d140eb0c1a4a23e73b34bc0a8c1556715368086f0376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-consoleime_31bf3856ad364e35_6.0.6001.18000_none_b63a896057bb3b00]
"f!conime.exe"=hex:63,00,6f,00,6e,00,69,00,6d,00,65,00,2e,00,65,00,78,00,65,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6001.18000_001c50b5\ComponentFamilies\x86_microsoft-windows-consoleime_31bf3856ad364e35_none_624be001d4365e2a\f256!conime.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6001.18000_001c50b5\ComponentFamilies\x86_microsoft-windows-consoleime_31bf3856ad364e35_none_624be001d4365e2a\f256!conime.exe\7812184afc24f7a245d3d140eb0c1a4a23e73b34bc0a8c1556715368086f0376]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\SysProcs]
"conime.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Terminal Server\SysProcs]
"conime.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\SysProcs]
"conime.exe"=dword:00000000


Thanks,
Dave
DaveinthePeg
Regular Member
 
Posts: 21
Joined: January 22nd, 2009, 6:43 pm

Re: Dave's Hijack log

Unread postby flashh4 » February 2nd, 2009, 9:48 pm

Hi DaveinthePeg, we are almost done. But i need you to upload this file to Jotti for me.

Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:
C:\Users\Wray Family\AppData\Local\etrmnmon\etrmnmon.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

Thanks
Chuck
User avatar
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming

Re: Dave's Hijack log

Unread postby DaveinthePeg » February 2nd, 2009, 11:03 pm

Hi Chuck,

I highlighted the C:/ etc you mentioned and opened the Jotti's thing but it won't let me paste anything in the white box. I can copy and paste the same thing to a word doc so the copy and paste seems to work but not for the Jotti. I also tried to enter it by keying it in but it won't let me type in the white space either.

Dave
DaveinthePeg
Regular Member
 
Posts: 21
Joined: January 22nd, 2009, 6:43 pm

Re: Dave's Hijack log

Unread postby flashh4 » February 2nd, 2009, 11:43 pm

Hi DaveinthePeg, then try uploading it to Virustotal.

Upload a File to Virustotal
Please visit Virustotal

Copy/paste this file and path into the white box at the top:
C:\Users\Wray Family\AppData\Local\etrmnmon\etrmnmon.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

Chuck
User avatar
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming

Re: Dave's Hijack log

Unread postby DaveinthePeg » February 3rd, 2009, 8:13 am

Hi Chuck,

I have the same problem with this site too. Can't paste the file path nor can I type it in manually.

Dave
DaveinthePeg
Regular Member
 
Posts: 21
Joined: January 22nd, 2009, 6:43 pm

Re: Dave's Hijack log

Unread postby flashh4 » February 3rd, 2009, 9:22 pm

Hi DaveinthePeg, find the file and right click the file and choose to scan it with F-Secure AntiVirus. If you are not sure how to find the file, try this:

Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK
You can rehide these after the fix !

Useing Windows Explorer by right-clicking the Start button and left clicking Explore navigate to and find the following file:

C:\Users\Wray Family\AppData\Local\etrmnmon\etrmnmon.exe

Post me the report from F-Secure AntiVirus.

Thanks
Chuck
User avatar
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming

Re: Dave's Hijack log

Unread postby DaveinthePeg » February 3rd, 2009, 11:56 pm

Hi Chuck,

Here is what I ended up with:

Dave

Suomi | ihMdI | | עברית | | Slovenščina | Dansk | Русский | Română | Türkçe | Nederlands | Ελληνικά | Français | Svenska | Português | Italiano | | | Magyar | Deutsch | Česky | Polski | Español
Virus Total
Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...
File unknown received on 01.26.2009 04:17:56 (CET)
Current status: finished
Result: 5/39 (12.82%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared - - -
AhnLab-V3 - - -
AntiVir - - TR/Dldr.Puper.ZT
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
Comodo - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
F-Prot - - -
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - -
K7AntiVirus - - -
Kaspersky - - -
McAfee - - -
McAfee+Artemis - - Generic!Artemis
Microsoft - - -
NOD32 - - -
Norman - - -
nProtect - - -
Panda - - -
PCTools - - -
Prevx1 - - Fraudulent Security Program
Rising - - -
SecureWeb-Gateway - - Trojan.Dldr.Puper.ZT
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - suspected of Trojan-PSW.Lmir.14 (paranoid heuristics)
ViRobot - - -
VirusBuster - - -
Additional information
MD5: 7256cd5faeb053a5e8ead35eea9a2b33
SHA1: 6be9770fc953cdee5528ab8ea983ab1c50346241
SHA256: 07162dff55c6196ee325732fb4ec5dea884c9bc12a345066736f56439817f02a

ATENTION ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

Scan another file
VirusTotal © Hispasec Sistemas - Blog - Contact: info@virustotal.com - Terms of Service & Privacy Policy
DaveinthePeg
Regular Member
 
Posts: 21
Joined: January 22nd, 2009, 6:43 pm

Re: Dave's Hijack log

Unread postby flashh4 » February 4th, 2009, 8:51 am

Hi DaveinthePeg, thanks for the report.

:Remove bad HijackThis entries:
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

      O4 - HKLM\..\Run: [etrmnmon] "C:\Users\Wray Family\AppData\Local\etrmnmon\etrmnmon.exe"

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.


Make sure show hidden files/folders are still checked as mentioned above.

Using Windows Explorer by right-clicking the Start button and left clicking Explore navigate to and delete/remove the following files:(if present):

(C:\Users\Wray Family\AppData\Local\etrmnmon\etrmnmon.exe)

EXit Explorer


Post new HJT log.

Thanks
Chuck
User avatar
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming
Advertisement
Register to Remove

PreviousNext

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 435 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware