Jump to content

Change Mode

Viruses security essentials couldnt fix


Recommended Posts

So microsoft security essentials fond some viruses but wasnt able to remove them. It said it did but they came back after every reboot. My world of warcraft account got compromised so I uninstalled security essentials and got nod 32. Im scanning right now in safe mode. Im having trouble reading the log since its in a dos prompt. Does any of this stuff make sense to you? Anything pop out as bad? Obviously the virus does but the unable to open stuff worries me too. Its still scanning I think. This is what I have so far.

ECLS Command-line scanner, version 4.0.474.0, (C) 1992-2009 ESET, spol. s r.o.
Module loader, version 1031 (20091029), build 1035
Module perseus, version 1272 (20100416), build 1332
Module scanner, version 5086 (20100504), build 7063
Module archiver, version 1113 (20100427), build 1070
Module advheur, version 1107 (20100426), build 1065

Command line: /auto

Scan started at:   05/05/10 00:25:57
name="C:\Boot\BCD", threat="", action="", info="error opening"
name="C:\Boot\BCD.LOG", threat="", action="", info="error opening"
name="C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\11dde19e5fabe3be143166c583
68f049_99903c5e-206b-47ba-b4a7-91d26ff96b99", threat="", action="", info="error
opening"
name="C:\Users\Adam\NTUSER.DAT", threat="", action="", info="error opening"
name="C:\Users\Adam\ntuser.dat.LOG1", threat="", action="", info="error opening"

name="C:\Users\Adam\ntuser.dat.LOG2", threat="", action="", info="error opening"

name="C:\Users\Adam\AppData\Local\Google\Chrome\User Data\Default\Current Sessio
n", threat="", action="", info="error opening"
name="C:\Users\Adam\AppData\Local\Google\Chrome\User Data\Default\Current Tabs",
 threat="", action="", info="error opening"
name="C:\Users\Adam\AppData\Local\Microsoft\Windows\UsrClass.dat", threat="", ac
tion="", info="error opening"
name="C:\Users\Adam\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1", threat="
", action="", info="error opening"
name="C:\Users\Adam\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2", threat="
", action="", info="error opening"
name="C:\Users\Adam\AppData\Local\Temp\1629431952Ati.dll", threat="a variant of
Win32/Induc.A virus", action="action selection postponed until scan completion",
 info=""
name="C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\11dde19e5fabe3be143166
c58368f049_99903c5e-206b-47ba-b4a7-91d26ff96b99", threat="", action="", info="er
ror opening"
name="C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT", threat="", action="",
 info="error opening"
name="C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1", threat="", actio
n="", info="error opening"
name="C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2", threat="", actio
n="", info="error opening"
name="C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat", thr
eat="", action="", info="error opening"
name="C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat", thr
eat="", action="", info="error opening"
name="C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT", threat="", action="
", info="error opening"
name="C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1", threat="", act
ion="", info="error opening"
name="C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2", threat="", act
ion="", info="error opening"
Link to comment
Share on other sites

Ok so it didnt get rid of the keylogger because peerblock is still telling me about an access attempt whenever I try to log to WoW. it is trying to access managed solutions group. I assume its trying to send my keystrokes at that moment. Nod32 did not get rid of whatever is causing this.

 

Heres a hijackthis log

 

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:38:26 AM, on 5/5/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
D:\Fraps\fraps.exe
C:\Program Files (x86)\USBDLM\USBDLM_usr.exe
D:\Program Files (x86)\uTorrent\uTorrent.exe
D:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files (x86)\Steam\Steam.exe
D:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
D:\Program Files (x86)\Pidgin\pidgin.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files (x86)\Windows Sidebar\sidebar.exe
D:\Program Files (x86)\Atheros\ACU.exe
C:\Windows\SysWOW64\MAFWTray.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Adam\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files (x86)\Windows Sidebar\sidebar.exe
E:\lcdsirreal\LCDSirReal.exe
C:\Program Files (x86)\Common Files\Realtime Soft\RTSHookInterop\x32\RTSHookInterop.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Program Files (x86)\Java\jre6\bin\jucheck.exe
C:\Users\Adam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Adam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Adam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Adam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Adam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Adam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Adam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Adam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Adam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Adam\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.mypearson.com/cclogin.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.208.4.198:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: D - {9B4C6B5E-C048-36DD-A35B-E25BD001851F} - C:\Windows\u2v18357.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ACU] "d:\Program Files (x86)\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\Windows\system32\MAFWTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [igndlm.exe] D:\Program Files (x86)\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [EPSON5ABA61] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIELA.EXE /FU "C:\Windows\TEMP\E_SFA27.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [uTorrent] "d:\Program Files (x86)\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "d:\program files (x86)\steam\steam.exe" -silent
O4 - HKCU\..\Run: [PeerBlock] D:\Program Files\PeerBlock\peerblock.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [QuickGammaLoader] D:\Program Files (x86)\QuickGamma\QuickGammaLoader.exe
O4 - HKCU\..\Run: [EPSON WorkForce 40(Network)] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIELA.EXE /FU "C:\Windows\TEMP\E_SDC0F.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Nvidias] C:\Windows\system32\rundll32.exe C:\Users\Adam\AppData\Local\Temp\1629431952Ati.dll,Sets
O4 - HKCU\..\Run: [office] "C:\Windows\system32\rundll32.exe" C:\Users\Adam\AppData\Local\Temp\355588.dll,S
O4 - HKCU\..\Run: [Windows Defender] C:\Windows\system32\KB123386.EXE
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: CurseClientStartup.ccip
O4 - Startup: sidebar.exe.lnk = C:\Program Files (x86)\Windows Sidebar\sidebar.exe
O4 - Global Startup: Pidgin.lnk = D:\Program Files (x86)\Pidgin\pidgin.exe
O4 - Global Startup: UltraMon.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~2\SPYBOT~1\SDHelper.dll
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} (System Requirements Lab Class) - http://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72973E80-7132-4BE1-BA33-A2823169C1E4}: Domain = rnxeasyn4
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Windows\SysWOW64\acs.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ASWLSVC - Unknown owner - C:\Windows\SysWOW64\ASWLSVC.exe (file missing)
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - D:\Program Files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service 64 - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - D:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - D:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: USBDLM - Uwe Sieber - www.uwe-sieber.de - C:\Program Files (x86)\USBDLM\USBDLM.exe
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Zune Wireless Configuration Service (ZuneWlanCfgSvc) - Unknown owner - C:\Windows\system32\ZuneWlanCfgSvc.exe (file missing)

--
End of file - 12429 bytes
Link to comment
Share on other sites

So the virus scan said this was bad:

name="C:\Users\Adam\AppData\Local\Temp\1629431952Ati.dll", threat="a variant of

Win32/Induc.A virus", action="action selection postponed until scan completion",

info=""

 

And it didnt remove it. Have no idea why.

Then HJT said this was running:

O4 - HKCU\..\Run: [Nvidias] C:\Windows\system32\rundll32.exe C:\Users\Adam\AppData\Local\Temp\1629431952Ati.dll,Sets

 

So I killed that dll using HJT. How can I know if Im safe now?

Thanks.

 

Heres a full new log after a reboot:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:02:10 PM, on 5/5/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
D:\Fraps\fraps.exe
C:\Program Files (x86)\USBDLM\USBDLM_usr.exe
D:\Program Files (x86)\uTorrent\uTorrent.exe
D:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files (x86)\Steam\Steam.exe
D:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
D:\Program Files (x86)\Pidgin\pidgin.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
D:\Program Files (x86)\Atheros\ACU.exe
C:\Windows\SysWOW64\MAFWTray.exe
C:\Program Files (x86)\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Users\Adam\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files (x86)\Windows Sidebar\sidebar.exe
E:\lcdsirreal\LCDSirReal.exe
C:\Program Files (x86)\Common Files\Realtime Soft\RTSHookInterop\x32\RTSHookInterop.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Users\Adam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Adam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Adam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Adam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Adam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Adam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Adam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Java\jre6\bin\jucheck.exe
C:\Users\Adam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Adam\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.mypearson.com/cclogin.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.208.4.198:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "d:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ACU] "d:\Program Files (x86)\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\Windows\system32\MAFWTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [igndlm.exe] D:\Program Files (x86)\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [EPSON5ABA61] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIELA.EXE /FU "C:\Windows\TEMP\E_SFA27.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [uTorrent] "d:\Program Files (x86)\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "d:\program files (x86)\steam\steam.exe" -silent
O4 - HKCU\..\Run: [PeerBlock] D:\Program Files\PeerBlock\peerblock.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [EPSON WorkForce 40(Network)] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIELA.EXE /FU "C:\Windows\TEMP\E_SDC0F.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Windows Defender] C:\Windows\system32\KB123386.EXE
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: CurseClientStartup.ccip
O4 - Startup: sidebar.exe.lnk = C:\Program Files (x86)\Windows Sidebar\sidebar.exe
O4 - Global Startup: Pidgin.lnk = D:\Program Files (x86)\Pidgin\pidgin.exe
O4 - Global Startup: UltraMon.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~2\SPYBOT~1\SDHelper.dll
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} (System Requirements Lab Class) - http://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72973E80-7132-4BE1-BA33-A2823169C1E4}: Domain = rnxeasyn4
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Windows\SysWOW64\acs.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ASWLSVC - Unknown owner - C:\Windows\SysWOW64\ASWLSVC.exe (file missing)
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - D:\Program Files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service 64 - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - D:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - D:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: USBDLM - Uwe Sieber - www.uwe-sieber.de - C:\Program Files (x86)\USBDLM\USBDLM.exe
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Zune Wireless Configuration Service (ZuneWlanCfgSvc) - Unknown owner - C:\Windows\system32\ZuneWlanCfgSvc.exe (file missing)

--
End of file - 11246 bytes
Edited by dragnmastr85
Link to comment
Share on other sites

Well, for one thing, you're in the wrong forum to have your logs analyzed.

 

This link takes you to the correct forum---> http://forums.pcpitstop.com/index.php?showforum=25

 

Do this before you start your new topic in the HJT forum, then include the DDS log

 

Download DDS from one of these links:

Mirror 1 Mirror 2 Mirror 3

  • Disable any script blocking protection
  • Double click the dds icon to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. (one will be in the task bar)
Include the contents of both logs in your new topic.

The scan will instruct you to post Attach.txt as an attachment.

No need for that though ..... just post it's contents as you would any other log, also don't use 'code' or 'quote' tags :)

 

 

*** see this article from Sophos: http://www.sophos.com/security/analyses/vi.../w32induca.html

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...