Malware using my computer to upload gigabytes of data per day

[jjoue]

In mid october I downloaded a Picture emailing program and unknowingly a spy came with it. Can you help.

 

JJ

DDS Dec 18 Main.txt

DDS Dec 18.txt

Hi Jack This report.txt

[Superdave]

Hello and welcome to IOBit Forums. My name is Dave. I will be helping you out with your particular problem on your computer.

 

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.

2. The fixes are specific to your problem and should only be used for this issue on this machine.

3. If you don't know or understand something, please don't hesitate to ask.

4. Please DO NOT run any other tools or scans while I am helping you.

5. It is important that you reply to this thread. Do not start a new topic.

6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

7. Absence of symptoms does not mean that everything is clear.

 

SUPERAntiSpyware

 

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

 

Download SuperAntispyware Free Edition (SAS)

* Double-click the icon on your desktop to run the installer.

* When asked to Update the program definitions, click Yes

* If you encounter any problems while downloading the updates, manually download and unzip them from here

* Next click the Preferences button.

 

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts

* Click the Scanning Control tab.

* Under Scanner Options make sure only the following are checked:

 

•Close browsers before scanning

•Scan for tracking cookies

•Terminate memory threats before quarantining

•Please leave the others unchecked

 

•Click the Close button to leave the control center screen.

 

* On the main screen click Scan your computer

* On the left check the box for the drive you are scanning.

* On the right choose Perform Complete Scan

* Click Next to start the scan. Please be patient while it scans your computer.

* After the scan is complete a summary box will appear. Click OK

* Make sure everything in the white box has a check next to it, then click Next

* It will quarantine what it found and if it asks if you want to reboot, click Yes

 

•To retrieve the removal information please do the following:

•After reboot, double-click the SUPERAntiSpyware icon on your desktop.

•Click Preferences. Click the Statistics/Logs tab.

 

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

 

•It will open in your default text editor (preferably Notepad).

•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

 

* Save the log somewhere you can easily find it. (normally the desktop)

* Click close and close again to exit the program.

*Copy and Paste the log in your post.

*****************************************

 

 

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.

Extra Note:

 

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

**********************************************

Download Security Check by screen317 from one of the following links and save it to your desktop.

 

Link 1

Link 2

 

* Unzip SecurityCheck.zip and a folder named Security Check should appear.

* Open the Security Check folder and double-click Security Check.bat

* Follow the on-screen instructions inside of the black box.

* A Notepad document should open automatically called checkup.txt

* Post the contents of that document in your next reply.

 

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

[jjoue]

Thank you Dave.

 

I will perform your instructions in the next day.

[jjoue]

Malware removal

 

I have performed all of the tasks as suggested on your list.

 

Attached are the files

 

 

Thank you

 

JJ

 

PS The Superantispyware log file will not upload. It says it is a text file but does not have the (.txt) extension.

mbam-log-2010-12-21 (07-12-16).txt

checkup.txt

[Superdave]

Sorry for so late in getting to your post.

 

Update Your Java (JRE)

 

Old versions of Java have vulnerabilities that malware can use to infect your system.

 

First Verify your Java Version

 

If there are any other version(s) installed then update now.

 

Get the new version (if needed)

 

If your version is out of date install the newest version of the Sun Java Runtime Environment.

 

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

 

Be sure to close ALL open web browsers before starting the installation.

 

Remove any old versions

 

1. Download JavaRa and unzip the file to your Desktop.

2. Open JavaRA.exe and choose Remove Older Versions

3. Once complete exit JavaRA.

4. Run CCleaner.

 

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.

 

******************************************

Please download the newest version of Adobe Acrobat Reader from Adobe.com

 

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.

Go to the Control Panel and enter Add or Remove Programs.

Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

 

Once old versions are gone, please install the newest version.

************************************************

Download OTL to your desktop.

 

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

* When the window appears, underneath Output at the top change it to Minimal Output.

* Check the boxes beside LOP Check and Purity Check.

* Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

 

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

 

Please copy and pate the contents of these files, one at a time, into your next reply.

 

Note: You may need two or more posts to fit them all in.

[jjoue]

Thank you for your reply.

 

I have done as you have suggested except the following.

 

1. Unable to uninstall Acrobat 9.4.1. Windows displays the following " Error: 1326 Error getting file security. " and proceeds to reverse the uninstall.

 

CCleaner. Downloaded the file and did the scan but will not clean my pc unless I buy a registered copy.

 

Attached are my log files from the OTL Scan

 

Your forum software will not let me upload the OTL log file, because it is 83kb and you have a limit of 50 kb. How can I get this to you ?

Extras.Txt

[Superdave]

Download CCleaner Slim and save it to your Desktop - Alternate download link

 

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe

Follow the prompts to install the program.

 

* Double-click the CCleaner shortcut on the desktop to start the program.

* Click on the Options block on the left, then choose Cookies.

* Under Cookies to Delete, highlight any cookies you would like to retain permanently

* Click the right arrow > to move them to the Cookies to Keep window.

* Go into Options > Advanced uncheck Only delete files in Windows Temp folders older than 48 hours

* Click Cleaner on the left then Run Cleaner on the right to run the program.

* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

 

Caution: Only use the Registry feature if you are very familiar with the registry.

Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

***************************************************

 

Your forum software will not let me upload the OTL log file

Copy and paste but you will have to do more than one post.

[jjoue]

OTL log

 

OTL log # 1

OTL logfile created on: 03/01/2011 7:00:35 AM - Run 1

OTL by OldTimer - Version 3.2.20.1 Folder = C:\Users\Owner\Desktop

64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7600.16385)

Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

 

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 63.00% Memory free

8.00 Gb Paging File | 6.00 Gb Available in Paging File | 80.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 290.73 Gb Total Space | 133.39 Gb Free Space | 45.88% Space Free | Partition Type: NTFS

Drive D: | 290.78 Gb Total Space | 78.51 Gb Free Space | 27.00% Space Free | Partition Type: NTFS

 

Computer Name: JEANOFFICE | User Name: Owner | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

 

========== Processes (SafeList) ==========

 

PRC - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

PRC - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe (Google Inc.)

PRC - C:\Users\Owner\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe ()

PRC - C:\Users\Owner\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe (Pelmorex Media Inc.)

PRC - C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe (Acronis)

PRC - C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe ()

PRC - C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe ()

PRC - C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe (TomTom)

PRC - C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)

PRC - C:\Program Files (x86)\IObit\IObit Security 360\is360tray.exe (IObit)

PRC - C:\Program Files (x86)\IObit\IObit Security 360\is360srv.exe (IObit)

PRC - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

PRC - C:\Program Files (x86)\PC Cleaner\PCCleanerTray.exe ()

PRC - C:\Program Files (x86)\Motorola Media Link\NServiceEntry.exe (Nero AG)

PRC - C:\Program Files (x86)\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe (Symantec Corporation)

PRC - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)

PRC - C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)

PRC - C:\Program Files (x86)\Pure Networks\Network Magic\nmapp.exe (Cisco Systems, Inc.)

PRC - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe (Cisco Systems, Inc.)

PRC - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)

PRC - C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe (CyberLink)

PRC - C:\Program Files (x86)\Acer Arcade Deluxe\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe (CyberLink)

PRC - C:\Program Files (x86)\Acer Arcade Deluxe\Acer HomeMedia Connect\Kernel\DMS\CLMSMonitorService.exe ()

PRC - C:\Program Files (x86)\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe ()

PRC - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)

PRC - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)

PRC - C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe (EgisTec Inc.)

PRC - C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\MWLService.exe (EgisTec Inc.)

PRC - C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe (EgisTec Inc.)

PRC - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe (NewTech Infosystems, Inc.)

PRC - C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)

 

 

========== Modules (SafeList) ==========

 

MOD - C:\Users\Owner\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll (Microsoft Corporation)

 

 

========== Win32 Services (SafeList) ==========

 

SRV:64bit: - (WDDMService) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe (WDC)

SRV:64bit: - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE (SUPERAntiSpyware.com)

SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

SRV:64bit: - (lxbu_device) -- C:\Windows\SysNative\lxbucoms.exe ( )

SRV - (WDFME) -- C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe ()

SRV - (WDSC) -- C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSC.exe ()

SRV - (afcdpsrv) -- C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe (Acronis)

SRV - (MotoHelper) -- C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe ()

SRV - (TomTomHOMEService) -- C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe (TomTom)

SRV - (IS360service) -- C:\Program Files (x86)\IObit\IObit Security 360\is360srv.exe (IObit)

SRV - (Apple Mobile Device) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

SRV - (DeviceMonitorService) -- C:\Program Files (x86)\Motorola Media Link\NServiceEntry.exe (Nero AG)

SRV - (NIS) -- C:\Program Files (x86)\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe (Symantec Corporation)

SRV - (AcrSch2Svc) -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)

SRV - (nmservice) -- C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe (Cisco Systems, Inc.)

SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)

SRV - (CyberLink Media Server Service) -- C:\Program Files (x86)\Acer Arcade Deluxe\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe (CyberLink)

SRV - (CyberLink Media Server Monitor Service) -- C:\Program Files (x86)\Acer Arcade Deluxe\Acer HomeMedia Connect\Kernel\DMS\CLMSMonitorService.exe ()

SRV - (CLHNService) -- C:\Program Files (x86)\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe ()

SRV - (IAANTMON) Intel® -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)

SRV - (MWLService) -- C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe ()

SRV - (NTISchedulerSvc) -- C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe (NewTech Infosystems, Inc.)

SRV - (NTIBackupSvc) -- C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe (NewTech InfoSystems, Inc.)

SRV - (lxbu_device) -- C:\Windows\SysWow64\lxbucoms.exe ( )

 

 

========== Driver Services (SafeList) ==========

 

DRV:64bit: - (SymEvent) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS (Symantec Corporation)

DRV:64bit: - (afcdp) -- C:\Windows\SysNative\drivers\afcdp.sys (Acronis)

DRV:64bit: - (tdrpman258) Acronis Try&Decide and Restore Points filter (build 258) -- C:\Windows\SysNative\drivers\tdrpm258.sys (Acronis)

DRV:64bit: - (timounter) -- C:\Windows\SysNative\drivers\timntr.sys (Acronis)

DRV:64bit: - (snapman) -- C:\Windows\SysNative\drivers\snapman.sys (Acronis)

DRV:64bit: - (motmodem) -- C:\Windows\SysNative\drivers\motmodem.sys (Motorola)

DRV:64bit: - (motccgp) -- C:\Windows\SysNative\drivers\motccgp.sys (Motorola)

DRV:64bit: - (SYMTDIv) -- C:\Windows\SysNative\drivers\NISx64\1108000.005\symtdiv.sys (Symantec Corporation)

DRV:64bit: - (SymIM) -- C:\Windows\SysNative\drivers\SymIMV.sys (Symantec Corporation)

DRV:64bit: - (SymIRON) -- C:\Windows\SysNative\drivers\NISx64\1108000.005\ironx64.sys (Symantec Corporation)

DRV:64bit: - (fssfltr) -- C:\Windows\SysNative\drivers\fssfltr.sys (Microsoft Corporation)

DRV:64bit: - (SymEFA) -- C:\Windows\SysNative\drivers\NISx64\1108000.005\symefa64.sys (Symantec Corporation)

DRV:64bit: - (SRTSP) -- C:\Windows\SysNative\drivers\NISx64\1108000.005\srtsp64.sys (Symantec Corporation)

DRV:64bit: - (SRTSPX) Symantec Real Time Storage Protection (PEL) -- C:\Windows\SysNative\drivers\NISx64\1108000.005\srtspx64.sys (Symantec Corporation)

DRV:64bit: - (USBAAPL64) -- C:\Windows\SysNative\drivers\usbaapl64.sys (Apple, Inc.)

DRV:64bit: - (Motousbnet) -- C:\Windows\SysNative\drivers\Motousbnet.sys (Motorola)

DRV:64bit: - (ccHP) -- C:\Windows\SysNative\drivers\NISx64\1108000.005\cchpx64.sys (Symantec Corporation)

DRV:64bit: - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)

DRV:64bit: - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)

DRV:64bit: - (silabser) -- C:\Windows\SysNative\drivers\silabser.sys (Silicon Laboratories)

DRV:64bit: - (silabenm) -- C:\Windows\SysNative\drivers\silabenm.sys (Silicon Laboratories, Inc.)

DRV:64bit: - (motusbdevice) -- C:\Windows\SysNative\drivers\motusbdevice.sys (Motorola Inc)

DRV:64bit: - (SymDS) -- C:\Windows\SysNative\drivers\NISx64\1108000.005\symds64.sys (Symantec Corporation)

DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)

DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)

DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)

DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)

DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)

DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)

DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)

DRV:64bit: - (purendis) -- C:\Windows\SysNative\drivers\purendis.sys (Cisco Systems, Inc.)

DRV:64bit: - (pnarp) -- C:\Windows\SysNative\drivers\pnarp.sys (Cisco Systems, Inc.)

DRV:64bit: - (Ntfs) -- C:\Windows\SysNative\wbem\ntfs.mof ()

DRV:64bit: - (e1yexpress) Intel® -- C:\Windows\SysNative\drivers\e1y60x64.sys (Intel Corporation)

DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)

DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)

DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)

DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)

DRV:64bit: - (iaStor) -- C:\Windows\SysNative\drivers\iaStor.sys (Intel Corporation)

DRV:64bit: - (GEARAspiWDM) -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys (GEAR Software Inc.)

DRV:64bit: - (MotDev) -- C:\Windows\SysNative\drivers\motodrv.sys (Motorola Inc)

DRV:64bit: - (WDC_SAM) -- C:\Windows\SysNative\drivers\wdcsam64.sys (Western Digital Technologies)

DRV:64bit: - (motccgpfl) -- C:\Windows\SysNative\drivers\motccgpfl.sys (Motorola)

DRV:64bit: - (BTCFilterService) -- C:\Windows\SysNative\drivers\motfilt.sys (Motorola Inc)

DRV:64bit: - (mwlPSDVDisk) -- C:\Windows\SysNative\drivers\mwlPSDVDisk.sys (Egis Incorporated.)

DRV:64bit: - (mwlPSDFilter) -- C:\Windows\SysNative\drivers\mwlPSDFilter.sys (Egis Incorporated.)

DRV:64bit: - (mwlPSDNServ) -- C:\Windows\SysNative\drivers\mwlPSDNserv.sys (Egis Incorporated.)

DRV:64bit: - (IntcHdmiAddService) Intel® -- C:\Windows\SysNative\drivers\IntcHdmi.sys (Intel® Corporation)

DRV:64bit: - (NTIDrvr) -- C:\Windows\SysNative\drivers\NTIDrvr.sys (NewTech Infosystems, Inc.)

DRV:64bit: - (MotoSwitchService) -- C:\Windows\SysNative\drivers\motswch.sys (Motorola)

DRV:64bit: - (UsbFltr) -- C:\Windows\SysNative\drivers\UsbFltr.sys (Waytech Development, Inc.)

DRV - (NAVEX15) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20110102.003\EX64.SYS (Symantec Corporation)

DRV - (NAVENG) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20110102.003\ENG64.SYS (Symantec Corporation)

DRV - (BHDrvx64) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20101123.003\BHDrvx64.sys (Symantec Corporation)

DRV - (IDSVia64) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20101231.001\IDSviA64.sys (Symantec Corporation)

DRV - (eeCtrl) -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys (Symantec Corporation)

DRV - (EraserUtilRebootDrv) -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)

 

 

========== Standard Registry (SafeList) ==========

 

 

========== Internet Explorer ==========

 

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&s=1&o=vp64&d=0410&m=aspire_m5800/m3800

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&s=1&o=vp64&d=0410&m=aspire_m5800/m3800

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

 

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&s=1&o=vp64&d=0410&m=aspire_m5800/m3800

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://global.acer.com [binary data]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.cnbc.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/?lang=en-ca&OCID=iehp

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-ca

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = E5 D7 B8 FD 1C 00 CB 01 [binary data]

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

 

========== FireFox ==========

 

FF - prefs.js..browser.startup.homepage: "http://www.cnbc.com/"

FF - prefs.js..extensions.enabledItems: litmus-ff@f-secure.com:1.10

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21

FF - prefs.js..network.proxy.no_proxies_on: "*.local,192.168.0.0/16"

FF - prefs.js..network.proxy.type: 0

 

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\IPSFFPlgn\ [2010/11/07 08:54:39 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\coFFPlgn\ [2010/11/06 05:10:28 | 000,000,000 | ---D | M]

 

[2010/08/18 06:16:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Owner\AppData\Roaming\mozilla\Extensions

[2010/06/25 07:12:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Owner\AppData\Roaming\mozilla\Extensions\home2@tomtom.com

[2010/10/11 19:57:28 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Owner\AppData\Roaming\mozilla\Firefox\Profiles\0jjnl8xl.default\extensions

[2010/08/18 06:36:24 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Owner\AppData\Roaming\mozilla\Firefox\Profiles\0jjnl8xl.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2010/11/06 08:54:47 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions

[2010/08/18 06:33:18 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

[2010/10/23 20:00:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

[2010/11/06 05:01:13 | 000,000,000 | ---D | M] (No name found) -- C:\PROGRAM FILES (X86)\COGECO SECURITY SERVICES\NRS\LITMUS-FF@F-SECURE.COM

[2010/09/15 03:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

[jjoue]

OTL log # 2

 

OTL log # 2

 

O1 HOSTS File: ([2006/09/18 16:37:24 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O2:64bit: - BHO: (Windows Live Family Safety Browser Helper Class) - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll (Microsoft Corporation)

O2:64bit: - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg64.dll (Google Inc.)

O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\17.8.0.5\coieplg.dll (Symantec Corporation)

O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\17.8.0.5\ipsbho.dll (Symantec Corporation)

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\17.8.0.5\coieplg.dll (Symantec Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\17.8.0.5\coieplg.dll (Symantec Corporation)

O4:64bit: - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)

O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [iAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [igfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [LXBUCATS] C:\Windows\SysNative\spool\DRIVERS\x64\3\LXBUtime.DLL ()

O4:64bit: - HKLM..\Run: [mwlDaemon] C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe (EgisTec Inc.)

O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)

O4:64bit: - HKLM..\Run: [skytel] C:\Program Files\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [CLMLServer] C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe (CyberLink)

O4 - HKLM..\Run: [DNS7reminder] C:\Program Files (x86)\Nuance\NaturallySpeaking10\Ereg\Ereg.exe (Nuance Communications, Inc.)

O4 - HKLM..\Run: [EgisTecLiveUpdate] C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe (EgisTec Inc.)

O4 - HKLM..\Run: [iObit Security 360] C:\Program Files (x86)\IObit\IObit Security 360\IS360tray.exe (IObit)

O4 - HKLM..\Run: [MDS_Menu] C:\Program Files (x86)\CyberLink\MediaShow4\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKLM..\Run: [mumservice] C:\Program Files\Motorola\Software Update\mumservice.exe File not found

O4 - HKLM..\Run: [nmapp] C:\Program Files (x86)\Pure Networks\Network Magic\nmapp.exe (Cisco Systems, Inc.)

O4 - HKLM..\Run: [nmctxth] C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)

O4 - HKLM..\Run: [sSBkgdUpdate] C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)

O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)

O4 - HKCU..\Run: [iSUSPM] C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)

O4 - HKCU..\Run: [msnmsgr] C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe File not found

O4 - HKCU..\Run: [PC Cleaner] C:\Program Files (x86)\PC Cleaner\PCCleanerTray.exe ()

O4 - HKCU..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

O4 - HKCU..\Run: [TomTomHOME.exe] C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)

O4 - HKCU..\Run: [WeatherEye] C:\Users\Owner\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe (Pelmorex Media Inc.)

O4 - HKLM..\RunOnce: [uninstall Adobe Download Manager] C:\Users\Owner\AppData\Local\Temp\getPlusUninst_Adobe.exe (NOS Microsystems Ltd.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1

O8:64bit: - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)

O8 - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)

O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O13 - gopher Prefix: missing

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Object)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)

O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)

O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 24.226.1.93 24.226.10.193

O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\amd64\puresp4.dll (Cisco Systems, Inc.)

O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found

O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)

O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O20:64bit: - Winlogon\Notify\igfxcui: DllName - Reg Error: Key error. - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)

O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.

O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\Acer01.jpg

O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\Acer01.jpg

O32 - HKLM CDRom: AutoRun - 1

O33 - MountPoints2\{5f38cfda-e9ac-11df-9c53-0025113605ea}\Shell - "" = AutoRun

O33 - MountPoints2\{5f38cfda-e9ac-11df-9c53-0025113605ea}\Shell\AutoRun\command - "" = K:\WD SmartWare.exe -- File not found

O33 - MountPoints2\{b1badcb7-b36d-11df-8010-0025113605ea}\Shell - "" = AutoRun

O33 - MountPoints2\{b1badcb7-b36d-11df-8010-0025113605ea}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -- File not found

O33 - MountPoints2\{d34a97f3-603d-11df-aeb2-0025113605ea}\Shell - "" = AutoRun

O33 - MountPoints2\{d34a97f3-603d-11df-aeb2-0025113605ea}\Shell\AutoRun\command - "" = L:\setup.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O34 - HKLM BootExecute: (auto_reactivate \\?\Volume{1e8be8cd-425f-11df-981b-806e6f6e6963}\bootwiz\asrm.bin) - File not found

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

 

========== Files/Folders - Created Within 30 Days ==========

 

[2011/01/03 06:54:37 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\Google

[2011/01/03 06:50:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Adobe AIR

[2011/01/03 06:50:16 | 000,000,000 | ---D | C] -- C:\Program Files\Google

[2011/01/03 06:49:51 | 000,000,000 | ---D | C] -- C:\ProgramData\NOS

[2011/01/03 06:49:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NOS

[2011/01/02 22:59:06 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\PC Cleaner

[2011/01/02 22:59:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Cleaner

[2011/01/02 22:59:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\PC Cleaner

[2011/01/02 22:55:35 | 000,000,000 | ---D | C] -- C:\Users\Owner\Desktop\JavaRa

[2011/01/02 22:54:54 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe

[2011/01/02 22:54:54 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe

[2011/01/02 22:54:54 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe

[2011/01/02 22:51:04 | 001,186,240 | ---- | C] (PC HelpSoft ) -- C:\Users\Owner\Desktop\pc-cleaner.exe

[2011/01/02 22:48:18 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe

[2011/01/02 22:42:16 | 000,884,000 | ---- | C] (Sun Microsystems, Inc.) -- C:\Users\Owner\Desktop\jre-6u23-windows-i586-iftw.exe

[2010/12/31 08:33:34 | 001,169,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\taskschd.dll

[2010/12/31 08:33:33 | 000,524,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wmicmiplugin.dll

[2010/12/31 08:33:33 | 000,496,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\taskschd.dll

[2010/12/31 08:33:33 | 000,473,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\taskcomp.dll

[2010/12/31 08:33:33 | 000,464,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\taskeng.exe

[2010/12/31 08:33:33 | 000,305,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\taskcomp.dll

[2010/12/31 08:33:33 | 000,285,696 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\schtasks.exe

[2010/12/31 08:33:33 | 000,179,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\schtasks.exe

[2010/12/31 08:33:14 | 000,703,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll

[2010/12/31 08:33:14 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeeds.dll

[2010/12/31 08:33:14 | 000,256,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iepeers.dll

[2010/12/31 08:33:14 | 000,247,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll

[2010/12/31 08:33:14 | 000,185,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iepeers.dll

[2010/12/31 08:33:14 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll

[2010/12/31 08:33:14 | 000,097,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll

[2010/12/31 08:33:14 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll

[2010/12/31 08:33:14 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\licmgr10.dll

[2010/12/31 08:33:14 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\licmgr10.dll

[2010/12/31 08:33:14 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeedssync.exe

[2010/12/31 08:33:14 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeedssync.exe

[2010/12/31 08:33:13 | 000,482,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\html.iec

[2010/12/31 08:33:13 | 000,386,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\html.iec

[2010/12/31 08:33:13 | 000,367,104 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysNative\atmfd.dll

[2010/12/31 08:33:13 | 000,294,400 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\atmfd.dll

[2010/12/31 08:33:13 | 000,046,080 | ---- | C] (Adobe Systems) -- C:\Windows\SysNative\atmlib.dll

[2010/12/31 08:33:13 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\SysWow64\atmlib.dll

[2010/12/31 08:33:12 | 000,395,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\webio.dll

[2010/12/31 08:33:12 | 000,314,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\webio.dll

[2010/12/31 08:33:11 | 000,112,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\consent.exe

[2010/12/29 07:50:44 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\thinkorswim

[2010/12/29 07:50:37 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\thinkorswim

[2010/12/29 07:44:42 | 000,000,000 | R--D | C] -- C:\Users\Owner\Desktop\Security

[2010/12/23 06:42:17 | 000,000,000 | R--D | C] -- C:\Users\Owner\My Music

[2010/12/23 05:54:37 | 000,000,000 | R--D | C] -- C:\Users\Owner\My Pictures

[2010/12/22 07:06:19 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Local\CrashDumps

[2010/12/22 06:49:25 | 000,000,000 | ---D | C] -- C:\Users\Owner\Documents\New folder

[2010/12/21 05:56:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware

[2010/12/21 05:56:14 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

[2010/12/21 05:56:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware

[2010/12/20 20:15:52 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\SUPERAntiSpyware.com

[2010/12/20 20:15:52 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com

[2010/12/20 20:15:48 | 000,000,000 | ---D | C] -- C:\ProgramData\!SASCORE

[2010/12/20 20:15:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware

[2010/12/20 20:15:46 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware

[2010/12/20 20:05:32 | 000,000,000 | ---D | C] -- C:\Users\Owner\Documents\Iobit reports

[2010/12/16 20:24:21 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Users\Owner\Desktop\TFC.exe

[2010/12/04 14:39:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Security 360

[2010/12/04 14:39:41 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\IObit

[2010/12/04 14:39:40 | 000,000,000 | ---D | C] -- C:\ProgramData\IObit

[2010/12/04 14:39:38 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\IObit

[2010/12/04 08:43:25 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro

[2010/12/04 08:43:25 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis

[2010/05/15 12:14:50 | 001,224,704 | ---- | C] ( ) -- C:\Windows\SysWow64\lxbuserv.dll

[2010/05/15 12:14:50 | 000,995,328 | ---- | C] ( ) -- C:\Windows\SysWow64\lxbuusb1.dll

[2010/05/15 12:14:50 | 000,643,072 | ---- | C] ( ) -- C:\Windows\SysWow64\lxbupmui.dll

[2010/05/15 12:14:50 | 000,585,728 | ---- | C] ( ) -- C:\Windows\SysWow64\lxbulmpm.dll

[2010/05/15 12:14:50 | 000,413,696 | ---- | C] ( ) -- C:\Windows\SysWow64\lxbuinpa.dll

[2010/05/15 12:14:50 | 000,397,312 | ---- | C] ( ) -- C:\Windows\SysWow64\lxbuiesc.dll

[2010/05/15 12:14:50 | 000,163,840 | ---- | C] ( ) -- C:\Windows\SysWow64\lxbuprox.dll

[2010/05/15 12:14:50 | 000,094,208 | ---- | C] ( ) -- C:\Windows\SysWow64\lxbupplc.dll

[2010/05/15 12:14:49 | 000,696,320 | ---- | C] ( ) -- C:\Windows\SysWow64\lxbuhbn3.dll

[2010/05/15 12:14:49 | 000,684,032 | ---- | C] ( ) -- C:\Windows\SysWow64\lxbucomc.dll

[2010/05/15 12:14:49 | 000,421,888 | ---- | C] ( ) -- C:\Windows\SysWow64\lxbucomm.dll

[2009/03/27 14:53:10 | 000,049,152 | R--- | C] ( ) -- C:\Windows\Interop.IWshRuntimeLibrary.dll

 

========== Files - Modified Within 30 Days ==========

 

[2011/01/03 07:00:40 | 000,011,952 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2011/01/03 07:00:40 | 000,011,952 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

[2011/01/03 06:55:05 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2011/01/03 06:55:00 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2011/01/03 06:53:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2011/01/03 06:53:09 | 3193,810,944 | -HS- | M] () -- C:\hiberfil.sys

[2011/01/03 06:51:46 | 000,002,023 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk

[2011/01/03 06:47:00 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3647204596-2866022314-460741649-1000UA.job

[2011/01/02 22:59:02 | 000,001,030 | ---- | M] () -- C:\Users\Owner\Desktop\PC Cleaner.lnk

[2011/01/02 22:51:06 | 001,186,240 | ---- | M] (PC HelpSoft ) -- C:\Users\Owner\Desktop\pc-cleaner.exe

[2011/01/02 22:48:21 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe

[2011/01/02 22:43:51 | 000,159,757 | ---- | M] () -- C:\Users\Owner\Desktop\JavaRa.zip

[2011/01/02 22:42:18 | 000,884,000 | ---- | M] (Sun Microsystems, Inc.) -- C:\Users\Owner\Desktop\jre-6u23-windows-i586-iftw.exe

[2011/01/02 09:38:09 | 000,000,856 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3647204596-2866022314-460741649-1000Core.job

[2011/01/01 20:46:44 | 000,001,142 | ---- | M] () -- C:\Users\Owner\Documents\DF2009-Settings.ini

[2011/01/01 14:53:30 | 000,717,798 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI

[2011/01/01 14:53:30 | 000,621,822 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat

[2011/01/01 14:53:30 | 000,108,602 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat

[2011/01/01 10:24:35 | 000,000,464 | ---- | M] () -- C:\Users\Owner\Desktop\FreeStockCharts.com - Web's Best Streaming Realtime Stock Charts - Free (2).url

[2010/12/31 08:44:56 | 000,002,018 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk

[2010/12/31 08:43:01 | 000,352,584 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT

[2010/12/29 07:50:44 | 000,001,949 | ---- | M] () -- C:\Users\Owner\Desktop\thinkorswim.lnk

[2010/12/20 20:48:29 | 000,002,363 | ---- | M] () -- C:\Users\Owner\Desktop\Google Chrome.lnk

[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

[2010/12/20 18:08:40 | 000,024,152 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys

[2010/12/16 20:25:09 | 000,624,640 | ---- | M] () -- C:\Users\Owner\dds.pif

[2010/12/16 20:24:23 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Desktop\TFC.exe

 

========== Files Created - No Company Name ==========

 

[2011/01/03 06:51:46 | 000,002,023 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk

[2011/01/03 06:50:24 | 000,000,896 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2011/01/03 06:50:24 | 000,000,892 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2011/01/02 22:59:02 | 000,001,030 | ---- | C] () -- C:\Users\Owner\Desktop\PC Cleaner.lnk

[2011/01/02 22:43:47 | 000,159,757 | ---- | C] () -- C:\Users\Owner\Desktop\JavaRa.zip

[2011/01/01 10:24:35 | 000,000,464 | ---- | C] () -- C:\Users\Owner\Desktop\FreeStockCharts.com - Web's Best Streaming Realtime Stock Charts - Free (2).url

[2010/12/31 08:44:56 | 000,002,018 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk

[2010/12/29 07:50:44 | 000,001,949 | ---- | C] () -- C:\Users\Owner\Desktop\thinkorswim.lnk

[2010/12/21 07:19:29 | 000,000,830 | ---- | C] () -- C:\Users\Owner\checkup.txt

[2010/12/20 22:33:30 | 000,029,080 | ---- | C] () -- C:\Users\Owner\SUPERAntiSpyware Scan Log - 12-20-2010 - 22-25-32.log

[2010/12/16 20:25:07 | 000,624,640 | ---- | C] () -- C:\Users\Owner\dds.pif

[2010/11/12 05:20:44 | 000,007,625 | ---- | C] () -- C:\Users\Owner\AppData\Local\Resmon.ResmonCfg

[2010/10/06 15:45:08 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini

[2010/07/03 20:39:54 | 000,002,558 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\SAS7_000.DAT

[2010/05/15 12:14:50 | 000,385,024 | ---- | C] () -- C:\Windows\SysWow64\lxbucomx.dll

[2010/05/15 12:14:50 | 000,274,432 | ---- | C] () -- C:\Windows\SysWow64\LXBUinst.dll

[2010/04/10 14:37:28 | 000,001,437 | ---- | C] () -- C:\Users\Owner\AppData\Local\MyWinLockerInstaller.txt-20100410.log

[2010/04/08 19:13:32 | 000,041,624 | ---- | C] () -- C:\Windows\SysWow64\drivers\fsbts.sys

[2010/04/08 19:13:11 | 000,730,812 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI

[2010/04/07 13:25:08 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll

[2010/04/07 12:38:48 | 000,000,044 | ---- | C] () -- C:\Windows\Acer(Normal).ini

[2010/04/07 12:38:48 | 000,000,042 | ---- | C] () -- C:\Windows\Acer(Wide).ini

[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll

[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll

 

========== LOP Check ==========

 

[2010/04/07 16:02:29 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Acer

[2010/04/07 16:02:29 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Acer GameZone Console

[2010/09/26 19:08:33 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Acronis

[2010/07/23 20:26:46 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\BlocksDataDownloader

[2010/04/10 14:10:04 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

[2010/10/18 21:09:40 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Easy Thumbnails

[2010/09/11 07:23:25 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\GoodSync

[2010/08/20 21:07:30 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\HomeMedia Connect

[2010/12/04 14:39:41 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\IObit

[2010/04/07 16:02:29 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Leadertech

[2010/05/31 08:16:09 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\motorola

[2010/07/03 06:05:26 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Nuance

[2011/01/02 22:59:06 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\PC Cleaner

[2010/08/22 09:37:57 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\PowerCinema

[2010/08/20 21:07:24 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\SoftDMA

[2010/06/25 07:12:15 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\TomTom

[2010/11/28 16:16:07 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Western Digital

[2010/06/09 20:49:11 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Worden Brothers, Inc

[2009/07/14 00:08:49 | 000,018,328 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

 

========== Purity Check ==========

 

 

 

========== Alternate Data Streams ==========

 

@Alternate Data Stream - 205 bytes -> C:\ProgramData\Temp:F35A93AD

 

< End of report >

[Superdave]

Please download the Sophos Anti-Rootkit Scanner and save it to your desktop.

 

You will need to enter your name, e-mail address and location in order to access the download page.

 

• Once you have downloaded the file, double click the sarsfx icon
  
• Review the licence agreement and click on the Accept button
  
• The scanner will prompt you to extract the files to C:\SOPHTEMP - DO NOT change this location, simply click the Install button
   
  
• Once the files have been extracted; using Windows Explorer, navigate to C:\SOPHTEMP and double click on the blue shield icon called sargui
  
• Ensure that there are checkmarks next to Running processes, Windows registry and Local hard drives, then click Start scan
  
• Allow the program to scan your computer - please be patient as it may take some time
  
• Once the scan has completed a window will pop-up with the results of the scan - click OK to this
  
• In the main window, you will see each of the entries found by the scan (if any)
  
  • If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
    
  • Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you
    

  [*]If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry

  [*]To clean up these entries click on the Clean up checked items button

  [*]If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up

  [*]Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so

  [*]When you have re-booted, please tell me how your computer is running now

.

[jjoue]

Same problem

 

Unfortunately my problem is not solved. After you started helping me in mid December and around XMas It seemed that the upload #s on my internet usage were normal (historically low). Suddenly, on January 1, they jumped back up. I monitor my internet usage #s everyday and when my computer is on line for the whole day which is my normal usage, they have been 10x to 20x higher than normal including last week. For internet usage, I have been and continue to use my wife's computer, until this problem is solved. Could it be one of those worms that decomposes itself to avoid scanning and recomposes itself after scanning ?

 

I would appreciate your thoughts.

 

Thanks

[Superdave]

ESET Online Scan

 

Scan your computer with the ESET FREE Online Virus Scan

 

* Click the ESET Online Scanner button.

 

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop

* Double click on the esetsmartinstaller_enu.exe icon on your desktop.

* Place a check mark next to YES, I accept the Terms of Use.

 

* Click the Start button.

* Accept any security warnings from your browser.

* Leave the check mark next to Remove found threats and place a check next to Scan archives.

* Click the Start button.

* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.

* When the scan completes, click List of found threats.

* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.

* Click the Back button then click Finish.

 

In your next reply please include the ESET Online Scan Log

[jjoue]

Eset

 

I have done the scan and it found 1 virus. Lets hope this is the ONE ?

ESETSCan.txt

[Superdave]

Please run the SysProt Antirootkit scan as instructed in Reply # 10

[jjoue]

I did as you suggested, waited a few days to check my usage and unfortunately, no change. The virus is still there.

[Superdave]

Windows 7 on a 64 bit machine is a very hard computer to infect but once infected, it becomes a very hard task to clean. I have very few tools that will run on such a computer and I've already used them all up. The only thing if can suggest is to have a good third-party firewall in place to block those uploads.

[jjoue]

What would be a strong firewall ?

[Superdave]

What would be a strong firewall ?

Any third-party firewall kept up-to-date. See list below.

 

Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

 

Remember only install ONE firewall

 

1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)

2) Online Armor

3) Agnitum Outpost

4) PC Tools Firewall Plus

 

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.