
Author Topic: persistent TR/Crypt.Xpack.gen  (Read 34243 times)


Crush (Malware Removal Specialist)
« Reply #30 on: June 25, 2010, 08:37:25 PM »
    Hi an8el,

    I can rule them out as legitimate vs malicious by researching :). But, if you want to scan again I certainly won't stop you  :P
    "I am in fact, quite cool. My graphing calculator confirms this"

an8el (Topic Starter)
« Reply #31 on: June 26, 2010, 12:01:32 AM »
    3rd scan is done now. Similar results. Sort of disappointing after going through the third three hour routine. Thought there would not be "?? error getting file info" if I had internet access after doing the scan. Evidently internet access is only needed if you would like to ask the Kaspersky website for help.

    Results of system analysis

    Kaspersky Virus Removal Tool 2010 9.0.0.722 (database released 24/06/2010; 22:34)
    List of processes
    (columns: File name | PID | Description | Copyright | MD5 | Information)
    csrss.exe       328   ??   error getting file info
    csrss.exe       372   ??   error getting file info
    lsass.exe       440   ??   error getting file info
    lsm.exe         448   ??   error getting file info
    SASCore64.exe   928   ??   error getting file info
    services.exe    432   ??   error getting file info
    smss.exe        240   ??   error getting file info
    winlogon.exe    480   ??   error getting file info
    Detected: 21, recognized as trusted: 13
    (columns: Module name | Handle | Description | Copyright | MD5 | Used by processes)
    Modules detected: 143, recognized as trusted: 143
    ¤ø„¸¸„ø¤º°Aloha,
    ¸„ø¤º°¨¨°º¤ø„¸from
    ¸„ø¤º° Frani ``°º¤ø„¸

Crush (Malware Removal Specialist)
« Reply #32 on: June 26, 2010, 10:23:52 AM »
      Those are all legitimate files. Are things running any better now?

an8el (Topic Starter)
« Reply #33 on: June 26, 2010, 05:15:09 PM »
      thanks for doing that research, Crush.
      I've still got my delete key adding a dot instead of deleting everything to the right. It's as though my keyboard works like a Mac that doesn't use a delete key, but only uses a backspace. So this is the main reason that makes me think I could still have problems. If this was a keylogger, they wouldn't want anything deleted.

      duh - no light for indicating the Numlock was on. Now the delete key works just fine! Lemme check out the other stuff I listed to see if things are back to normal...
      « Last Edit: June 26, 2010, 05:46:46 PM by an8el »

Crush (Malware Removal Specialist)
« Reply #34 on: June 26, 2010, 11:25:05 PM »
        hi an8el,

        Let's do one more scan and see if anything is hiding

        Please run a free online scan with the ESET Online Scanner
        Note: You will need to use Internet Explorer for this scan
        • Tick the box next to YES, I accept the Terms of Use
        • Click Start
        • When asked, allow the ActiveX control to install
        • Click Start
        • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
        • Click Scan (This scan can take several hours, so please be patient)
        • Once the scan is completed, you may close the window
        • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
        • Copy and paste that log as a reply to this topic

an8el (Topic Starter)
« Reply #35 on: June 27, 2010, 04:26:43 AM »

        OK, I followed your destructions. It didn't find anything! 

        Here's the report from the log:

        ESETSmartInstaller@High as CAB hook log:
        OnlineScanner64.ocx - registred OK
        OnlineScanner.ocx - registred OK

        I guess since the first evidence that I hadn't cleaned the trojan completely out was from HijackThis not being able to write to Notepad and Avira Scanner taking forever, shall I do those scans too to verify that they're working as designed?

        Thanks!

Crush (Malware Removal Specialist)
« Reply #36 on: June 27, 2010, 01:01:07 PM »
          Yes. Please do :)

an8el (Topic Starter)
« Reply #37 on: June 28, 2010, 06:15:06 AM »
          Here's my Avira file. It took about an hour, which is what it used to take before I got the virus. It told me there were no problems.

          Avira AntiVir Personal
          Report file date: Monday, June 28, 2010  00:40

          Scanning for 2271330 virus strains and unwanted programs.

          The program is running as an unrestricted full version.
          Online services are available:

          Licensee        : Avira AntiVir Personal - FREE Antivirus
          Serial number   : 0000149996-ADJIE-0000001
          Platform        : Windows 7 x64
          Windows version : (plain)  [6.1.7600]
          Boot mode       : Normally booted
          Username        : SYSTEM
          Computer name   : ACERTAIN

          Version information:
          BUILD.DAT       : 10.0.0.567     32097 Bytes   4/19/2010 15:07:00
          AVSCAN.EXE      : 10.0.3.0      433832 Bytes    4/1/2010 23:37:38
          AVSCAN.DLL      : 10.0.3.0       46440 Bytes    4/1/2010 23:57:04
          LUKE.DLL        : 10.0.2.3      104296 Bytes    3/8/2010 05:33:04
          LUKERES.DLL     : 10.0.0.1       12648 Bytes   2/11/2010 10:40:49
          VBASE000.VDF    : 7.10.0.0    19875328 Bytes   11/6/2009 20:05:36
          VBASE001.VDF    : 7.10.1.0     1372672 Bytes  11/19/2009 06:27:49
          VBASE002.VDF    : 7.10.3.1     3143680 Bytes   1/20/2010 04:37:42
          VBASE003.VDF    : 7.10.3.75     996864 Bytes   1/26/2010 03:37:42
          VBASE004.VDF    : 7.10.4.203   1579008 Bytes    3/5/2010 22:29:03
          VBASE005.VDF    : 7.10.6.82    2494464 Bytes   4/15/2010 22:44:29
          VBASE006.VDF    : 7.10.7.218   2294784 Bytes    6/2/2010 22:44:41
          VBASE007.VDF    : 7.10.7.219      2048 Bytes    6/2/2010 22:44:42
          VBASE008.VDF    : 7.10.7.220      2048 Bytes    6/2/2010 22:44:42
          VBASE009.VDF    : 7.10.7.221      2048 Bytes    6/2/2010 22:44:42
          VBASE010.VDF    : 7.10.7.222      2048 Bytes    6/2/2010 22:44:43
          VBASE011.VDF    : 7.10.7.223      2048 Bytes    6/2/2010 22:44:43
          VBASE012.VDF    : 7.10.7.224      2048 Bytes    6/2/2010 22:44:43
          VBASE013.VDF    : 7.10.8.37     270336 Bytes   6/10/2010 08:59:46
          VBASE014.VDF    : 7.10.8.69     138752 Bytes   6/14/2010 08:59:47
          VBASE015.VDF    : 7.10.8.102    130560 Bytes   6/16/2010 08:59:49
          VBASE016.VDF    : 7.10.8.135    152064 Bytes   6/21/2010 10:14:38
          VBASE017.VDF    : 7.10.8.163    432128 Bytes   6/23/2010 23:45:17
          VBASE018.VDF    : 7.10.8.164      2048 Bytes   6/23/2010 23:45:18
          VBASE019.VDF    : 7.10.8.165      2048 Bytes   6/23/2010 23:45:18
          VBASE020.VDF    : 7.10.8.166      2048 Bytes   6/23/2010 23:45:18
          VBASE021.VDF    : 7.10.8.167      2048 Bytes   6/23/2010 23:45:18
          VBASE022.VDF    : 7.10.8.168      2048 Bytes   6/23/2010 23:45:19
          VBASE023.VDF    : 7.10.8.169      2048 Bytes   6/23/2010 23:45:19
          VBASE024.VDF    : 7.10.8.170      2048 Bytes   6/23/2010 23:45:19
          VBASE025.VDF    : 7.10.8.171      2048 Bytes   6/23/2010 23:45:19
          VBASE026.VDF    : 7.10.8.172      2048 Bytes   6/23/2010 23:45:20
          VBASE027.VDF    : 7.10.8.173      2048 Bytes   6/23/2010 23:45:20
          VBASE028.VDF    : 7.10.8.174      2048 Bytes   6/23/2010 23:45:20
          VBASE029.VDF    : 7.10.8.175      2048 Bytes   6/23/2010 23:45:20
          VBASE030.VDF    : 7.10.8.176      2048 Bytes   6/23/2010 23:45:21
          VBASE031.VDF    : 7.10.8.192    134656 Bytes   6/28/2010 10:38:47
          Engineversion   : 8.2.4.2   
          AEVDF.DLL       : 8.1.2.0       106868 Bytes    6/7/2010 22:45:13
          AESCRIPT.DLL    : 8.1.3.33     1356155 Bytes   6/26/2010 23:45:39
          AESCN.DLL       : 8.1.6.1       127347 Bytes    6/7/2010 22:45:08
          AESBX.DLL       : 8.1.3.1       254324 Bytes    6/7/2010 22:45:14
          AERDL.DLL       : 8.1.4.6       541043 Bytes    6/7/2010 22:45:07
          AEPACK.DLL      : 8.2.2.5       430453 Bytes   6/26/2010 23:45:36
          AEOFFICE.DLL    : 8.1.1.0       201081 Bytes    6/7/2010 22:45:04
          AEHEUR.DLL      : 8.1.1.38     2724214 Bytes   6/26/2010 23:45:34
          AEHELP.DLL      : 8.1.11.6      242038 Bytes   6/26/2010 23:45:26
          AEGEN.DLL       : 8.1.3.12      377204 Bytes   6/26/2010 23:45:24
          AEEMU.DLL       : 8.1.2.0       393588 Bytes    6/7/2010 22:44:55
          AECORE.DLL      : 8.1.15.3      192886 Bytes    6/7/2010 22:44:53
          AEBB.DLL        : 8.1.1.0        53618 Bytes    6/7/2010 22:44:52
          AVWINLL.DLL     : 10.0.0.0       19304 Bytes   1/14/2010 23:03:38
          AVPREF.DLL      : 10.0.0.0       44904 Bytes   1/14/2010 23:03:35
          AVREP.DLL       : 10.0.0.8       62209 Bytes   2/19/2010 03:47:40
          AVREG.DLL       : 10.0.3.0       53096 Bytes    4/1/2010 23:35:46
          AVSCPLR.DLL     : 10.0.3.0       83816 Bytes    4/1/2010 23:39:51
          AVARKT.DLL      : 10.0.0.14     227176 Bytes    4/1/2010 23:22:13
          AVEVTLOG.DLL    : 10.0.0.8      203112 Bytes   1/26/2010 20:53:30
          SQLITE3.DLL     : 3.6.19.0      355688 Bytes   1/28/2010 23:57:58
          AVSMTP.DLL      : 10.0.0.17      63848 Bytes   3/17/2010 02:38:56
          NETNT.DLL       : 10.0.0.0       11624 Bytes   2/20/2010 01:41:00
          RCIMAGE.DLL     : 10.0.0.26    2550120 Bytes   1/29/2010 00:10:20
          RCTEXT.DLL      : 10.0.53.0      97128 Bytes   4/10/2010 01:14:29

          Configuration settings for the scan:
          Jobname.............................: Complete system scan
          Configuration file..................: C:\Program Files (x86)\Avira\AntiVir Desktop\sysscan.avp
          Logging.............................: low
          Primary action......................: interactive
          Secondary action....................: ignore
          Scan master boot sector.............: on
          Scan boot sector....................: on
          Boot sectors........................: C:,
          Process scan........................: on
          Extended process scan...............: on
          Scan registry.......................: on
          Search for rootkits.................: on
          Integrity checking of system files..: off
          Scan all files......................: All files
          Scan archives.......................: on
          Recursion depth.....................: 20
          Smart extensions....................: on
          Macro heuristic.....................: on
          File heuristic......................: medium

          Start of the scan: Monday, June 28, 2010  00:40

          Starting search for hidden objects.
          HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\Flyout\381b4222-f694-41f0-9685-ff5bb260df2e
              [NOTE]      The registry entry is invisible.
          HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\Flyout\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
              [NOTE]      The registry entry is invisible.

          The scan of running processes will be started
          Scan process 'avscan.exe' - '87' Module(s) have been scanned
          Scan process 'GoogleUpdate.exe' - '39' Module(s) have been scanned
          Scan process 'BrMfcmon.exe' - '35' Module(s) have been scanned
          Scan process 'brccMCtl.exe' - '72' Module(s) have been scanned
          Scan process 'avgnt.exe' - '70' Module(s) have been scanned
          Scan process 'jusched.exe' - '27' Module(s) have been scanned
          Scan process 'PMVService.exe' - '51' Module(s) have been scanned
          Scan process 'BrMfcWnd.exe' - '45' Module(s) have been scanned
          Scan process 'pptd40nt.exe' - '28' Module(s) have been scanned
          Scan process 'ArcadeDeluxeAgent.exe' - '53' Module(s) have been scanned
          Scan process 'LManager.exe' - '55' Module(s) have been scanned
          Scan process 'EgisUpdate.exe' - '40' Module(s) have been scanned
          Scan process 'AWC.exe' - '78' Module(s) have been scanned
          Scan process 'GoogleToolbarNotifier.exe' - '70' Module(s) have been scanned
          Scan process 'UpdaterService.exe' - '23' Module(s) have been scanned
          Scan process 'SchedulerSvc.exe' - '39' Module(s) have been scanned
          Scan process 'MWLService.exe' - '42' Module(s) have been scanned
          Scan process 'GregHSRW.exe' - '24' Module(s) have been scanned
          Scan process 'avguard.exe' - '68' Module(s) have been scanned
          Scan process 'sched.exe' - '50' Module(s) have been scanned

          Starting master boot sector scan:
          Master boot sector HD0
              [INFO]      No virus was found!

          Start scanning boot sectors:
          Boot sector 'C:\'
              [INFO]      No virus was found!

          Starting to scan executable files (registry).
          The registry was scanned ( '116' files ).


          Starting the file scan:

          Begin scan in 'C:\' <Acer>


          End of the scan: Monday, June 28, 2010  01:47
          Used time:  1:06:24 Hour(s)

          The scan has been done completely.

            24330 Scanned directories
           754132 Files were scanned
                0 Viruses and/or unwanted programs were found
                0 Files were classified as suspicious
                0 files were deleted
                0 Viruses and unwanted programs were repaired
                0 Files were moved to quarantine
                0 Files were renamed
                0 Files cannot be scanned
           754132 Files not concerned
             6228 Archives were scanned
                0 Warnings
                0 Notes
           657736 Objects were scanned with rootkit scan
                2 Hidden objects were found


an8el (Topic Starter)
« Reply #38 on: June 28, 2010, 06:22:09 AM »
          I'm hoping........!

          Here's the HijackThis logfile:
           
          Logfile of Trend Micro HijackThis v2.0.4
          Scan saved at 2:21:33 AM, on 6/28/2010
          Platform: Windows 7  (WinNT 6.00.3504)
          MSIE: Internet Explorer v8.00 (8.00.7600.16385)
          Boot mode: Normal

          Running processes:
          C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
          C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWC.exe
          C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe
          C:\Program Files (x86)\Launch Manager\LManager.exe
          C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
          C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe
          C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
          C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe
          C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
          C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
          C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe
          C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe
          C:\Program Files (x86)\Trend Micro\HiJackThis\sniper.exe
          C:\Program Files (x86)\Mozilla Firefox\firefox.exe

          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5532&r=27361109d545l0334z1h5t4852x232
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5532&r=27361109d545l0334z1h5t4852x232
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5532&r=27361109d545l0334z1h5t4852x232
          R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
          R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
          R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
          O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
          O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
          O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
          O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
          O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
          O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
          O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
          O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
          O4 - HKLM\..\Run: [EgisTecLiveUpdate] "C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe"
          O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
          O4 - HKLM\..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
          O4 - HKLM\..\Run: [ArcadeDeluxeAgent] "C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe"
          O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files (x86)\Acer\Acer Assist\launcher.exe
          O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
          O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe
          O4 - HKLM\..\Run: [IndexSearch] C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe
          O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
          O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun
          O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe"
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
          O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
          O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
          O4 - HKCU\..\Run: [Google Update] "C:\Users\Franis\AppData\Local\Google\Update\GoogleUpdate.exe" /c
          O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
          O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
          O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
          O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
          O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
          O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
          O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
          O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
          O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
          O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
          O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
          O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
          O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
          O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
          O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
          O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
          O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
          O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
          O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
          O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
          O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
          O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
          O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
          O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\Acer Games\Acer Game Console\GameConsoleService.exe
          O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\Acer\Registration\GregHSRW.exe
          O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
          O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
          O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
          O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
          O23 - Service: MyWinLocker Service (MWLService) - Egis Technology Inc. - C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe
          O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
          O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - NewTech Infosystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
          O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
          O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
          O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
          O23 - Service: SAS Core Service (SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
          O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
          O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
          O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
          O23 - Service: Updater Service - Acer - C:\Program Files\Acer\Acer Updater\UpdaterService.exe
          O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
          O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
          O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
          O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
          O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
          O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
          O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

          --
          End of file - 11260 bytes

Crush (Malware Removal Specialist)
« Reply #39 on: June 28, 2010, 06:59:32 AM »
            Hi again :).

            Windows Vista and 7 wreak havoc on some of the tools we use. One of them is HijackThis. But as far as I can tell you're clean. Any symptoms to suggest otherwise?
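An added example, not from this thread and not HijackThis code: a small Python triage script that reads lines in the HijackThis 2.0.4 log format posted above (reply #38) and buckets the entries an analyst looks at first. It encodes the caveat behind Crush's remark about Vista and 7 in reply #39. HijackThis 2.0.4 is a 32-bit program, so on 64-bit Windows its file checks under C:\Windows\System32 are redirected by WoW64 to SysWOW64, and services whose binaries live in the real System32 (alg.exe, lsass.exe, spoolsv.exe and the rest) are reported as "(file missing)" with "Unknown owner" because the tool could not read the file; the "@dll,-NNN" display names are unresolved indirect resource strings, not a sign of tampering. The script therefore separates System32 "(file missing)" entries on an x64 host from a genuinely absent service binary, and also lists orphaned BHOs ("(no file)"), Winsock LSP entries, O16 ActiveX downloads, autoruns under a user profile, and the hosts behind the R0/R1 IE URLs. The sample log is constructed: most lines are copied from the posted log, and the "ExampleSvc" line is invented to exercise the genuinely-missing branch. Function and category names are my own.

```python
"""Triage of HijackThis 2.0.4 log lines (added example, not HijackThis code)."""
import re
from collections import defaultdict

# Constructed sample. Most lines are copied from the log posted in the thread;
# the "ExampleSvc" line is invented to exercise the genuinely-missing-binary branch.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Google Update] "C:\Users\Franis\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\Users\Public\example.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# Real System32 on the system drive; 32-bit HijackThis sees SysWOW64 here under WoW64.
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\Windows\\System32\\", re.IGNORECASE)
# O4 autorun target: text after "[name] ", optionally quoted, up to the first .exe
AUTORUN_PATH_RE = re.compile(r'\]\s+"?([A-Za-z]:\\.*?\.exe)', re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def parse_entries(text):
    """Yield (kind, body) for lines such as 'O23 - Service: ...'; other lines are ignored."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def _add(findings, key, value):
    """Append without duplicates (the posted log lists the same O10 LSP twice)."""
    if value not in findings[key]:
        findings[key].append(value)


def triage(text, host_is_64bit=True):
    """Bucket log entries into the categories an analyst reviews first.

    host_is_64bit: on x64 Windows the 32-bit HijackThis has its view of the
    System32 directory redirected by WoW64, so services whose binaries live in
    the real System32 show up as '(file missing)'. Those are bucketed separately
    so they are not mistaken for deleted or hidden binaries.
    """
    findings = defaultdict(list)
    for kind, body in parse_entries(text):
        if kind in ("R0", "R1") and " = " in body:
            url = body.split(" = ", 1)[1].strip()
            host = re.sub(r"^https?://", "", url).split("/")[0]
            if host:
                _add(findings, "ie_urls", host)
        elif kind == "O2" and body.endswith("(no file)"):
            _add(findings, "orphaned_bho", body)  # CLSID registered, nothing on disk
        elif kind == "O4":
            m = AUTORUN_PATH_RE.search(body)
            if m and USER_PROFILE_RE.search(m.group(1)):
                _add(findings, "user_profile_autorun", m.group(1))
        elif kind == "O10":
            _add(findings, "winsock_lsp", body.split(": ", 1)[1])
        elif kind == "O16":
            _add(findings, "activex_download", body.rsplit(" - ", 1)[1])
        elif kind == "O23" and body.endswith("(file missing)"):
            path = body.rsplit(" - ", 1)[1][: -len(" (file missing)")]
            if host_is_64bit and SYSTEM32_RE.match(path):
                _add(findings, "wow64_redirect_suspect", path)
            else:
                _add(findings, "missing_service_binary", path)
    return dict(findings)


def review_queue(findings):
    """Categories that still need a human decision; WoW64 suspects and IE hosts are informational."""
    wanted = {"orphaned_bho", "missing_service_binary", "winsock_lsp",
              "activex_download", "user_profile_autorun"}
    return {k: v for k, v in findings.items() if k in wanted}


if __name__ == "__main__":
    for category, items in sorted(triage(SAMPLE_LOG).items()):
        print(category)
        for item in items:
            print("   ", item)
```

Run it as-is to see the buckets for the constructed sample; pass `host_is_64bit=False` when the log came from 32-bit Windows, where a System32 "(file missing)" entry really is missing. An entry landing in `review_queue` is a starting point for a look-up of the path or CLSID, not a verdict: the Windows Live LSP and the ESET scanner CAB in the posted log are both legitimate, exactly as Crush concluded.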

an8el (Topic Starter)
« Reply #40 on: June 28, 2010, 07:24:43 AM »
            Just did the last scan by this software, and it gave me a log this time!!

            SUPERAntiSpyware Scan Log
            http://www.superantispyware.com

            Generated 06/28/2010 at 03:12 AM

            Application Version : 4.38.1004

            Core Rules Database Version : 5126
            Trace Rules Database Version: 2938

            Scan type       : Quick Scan
            Total Scan Time : 00:46:34

            Memory items scanned      : 528
            Memory threats detected   : 0
            Registry items scanned    : 669
            Registry threats detected : 0
            File items scanned        : 29277
            File threats detected     : 0


            Hey Crush! I have something for you....!



an8el (Topic Starter)
« Reply #41 on: June 28, 2010, 07:27:55 AM »
            Will take you to see your cousins in Hawaii when you come and visit! As you can see, only a couple of feet of water is required...!

            I'm very Haaapppppeeey!

Crush (Malware Removal Specialist)
« Reply #42 on: June 28, 2010, 07:35:39 AM »
               :rofl: I love it.

              It's been a ton of fun. You've been a pleasure to work with.

              Congratulations!! Your PC is all clean!  :D

              There are many things you can do to keep this from happening again. You can think of a computer like a car. It requires basic maintenance to keep in tip top shape and ready to go. Would you drive your car 100,000 miles without changing the oil? The same principle applies here.

              Cleaning

              Now that your PC is free of malware, it is important to clean up your PC. There are several good free cleaners available. You should make sure to clean up your temp files regularly, at least once a week.

              ATF Cleaner
              CCleaner

              Defragmenting Your Hard Disk

              Over time your PC can become fragmented. Windows comes with a defragmenting utility; however, it is very slow, and there are other options available.

              To use the defragmenter included with Windows, either go to Start/Run, type dfrg.msc and hit Enter; or right-click My Computer and choose Manage, Storage, Disk Defragmenter.

              In the Defragmenter utility, select your main partition/HD, generally C:\, and select Analyze. The analysis report will tell you whether or not your disk needs to be defragmented; if it does, click Defragment. Be patient, this can take a long time.

              Repeat for multiple partitions/hard disks.

              System Restore Cleanup Instructions

              If you are using Windows ME or XP then it is good to disable and re-enable system restore to make sure there are no infected files left in a restore point. (All restore points will be deleted that way)
              You can find instructions on how to disable and re-enable system restore here:

              Windows ME System Restore Guide

              Windows XP System Restore Guide

              Reading Tip:
              Computer Health
              Keep Your System Updated

              Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.

              Install the updates immediately, if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

              To update Windows and office

              Go to Start > All Programs > Microsoft Update

              Alternatively, you can visit the link below to update Windows and Office products.

              Microsoft Update

              If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

              1. Go to Start > Control Panel > Automatic Updates
              2. Select the Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
              3. Select the Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
              4. Select the Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

              Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

              Be careful when opening attachments and downloading files.

              1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
              2. Never open emails from unknown senders.
              3. Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These are called hoaxes. The email addresses used in the hoaxes can be easily spoofed. Check the antivirus vendor websites to be sure.
              4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

              Surf safely

              Many security exploits on websites are directed to users of Internet Explorer and Firefox.

              If you use Firefox, try the No-script Add On - which, by default, disables all scripts on all websites. If you trust the website, you can manually allow scripts to work.

              Backup regularly

              You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft Article to learn how to backup. Follow This Article by Microsoft to restore your backups.

              Alternatively, you can use 3rd-party programs to back up your data. Examples of these can be found at
              Bleeping Computer

              Avoid P2P

              I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

              Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

              I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

              Prevent A Re-infection

              1. Winpatrol

              Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features Here

              You can get a Free Copy of Winpatrol or use the Plus Version for more features.

              You can read Win Patrol FAQ if you run into problems.

              2. Hosts File

              A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

              These Hosts files replace your current Hosts file with one containing well-known advertisement sites, spyware sites and other bad sites. The new Hosts file will protect you by redirecting these bad sites to 127.0.0.1.

              Here are some Hosts files:
              MVPS Hosts File
              Blue Tack’s Hosts File
              Blue Tack’s Hosts Manager

              3. Spybot Search and Destroy

              Spybot Search & Destroy is another program for scanning spyware and adware. You are strongly encouraged to run a scan at least once per week.

              Spybot Search & Destroy can be downloaded from here.

              If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy tutorial at Bleeping Computer.

              4. SiteHound Toolbar

              SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spyware or other questionable content. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.

              ====

              Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

              The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
              ============================================================
              See this page for more info about malware and prevention.

              Thank you for choosing ComputerHope

              Before the thread is archived, do you have any more questions?

              Happy surfing and stay clean!
              "I am in fact, quite cool. My graphing calculator confirms this"
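As an added illustration of the Hosts-file mechanism described in the post above (this is example code, not part of the thread and not from MVPS or Blue Tack): a small Python parser for the blocking-hosts-file format, run over a constructed sample whose hostnames and addresses are made up. It reports which names the file sinkholes and which entries point somewhere else and so deserve a second look.

```python
"""Parse a hosts file and report which hostnames it sinkholes (added example)."""
import ipaddress

# Addresses conventionally used by blocking hosts files to make a lookup go nowhere.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample in the layout blocking hosts files use; names are .invalid, not real sites.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.invalid   tracker.example.invalid  # constructed ad/tracker entries
0.0.0.0         malware-download.example.invalid
192.0.2.10      intranet.example.invalid    # a genuine mapping, not a block
this is not a valid line
"""


def parse_hosts(text):
    """Return {hostname: ip}. Comments and blank/malformed lines are skipped;
    the first entry for a hostname is kept, as resolvers use the first match."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)             # reject lines whose first field is not an address
        except ValueError:
            continue
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def blocked_hosts(mapping):
    """Hostnames the file sinkholes (mapped to a sinkhole address), excluding localhost itself."""
    return sorted(h for h, ip in mapping.items() if ip in SINKHOLE_ADDRS and h != "localhost")


def is_blocked(mapping, hostname):
    """True if a lookup of hostname would be answered from the file with a sinkhole address."""
    return mapping.get(hostname.lower()) in SINKHOLE_ADDRS


def non_sinkhole_entries(mapping):
    """Entries that send a hostname to a real address; these are the ones to review by hand."""
    return {h: ip for h, ip in mapping.items() if ip not in SINKHOLE_ADDRS}
```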

              an8el

              Re: persistent TR/Crypt.Xpack.gen
              « Reply #43 on: June 28, 2010, 08:07:52 AM »
              Yeah, all that in the advice of how to not get malware - AND my most important advice is to make sure to turn off the auto-updates on the Acer game site, which is what got me the Trojan in the first place. ;o((  (You'd think that the manufacturer's endorsed website would be free of malware! But nooooooo.)

              What I'm going to do is to install Linux and hang out online using that instead of Windows most of the time. Only use this OS when I MUST because some software requires Windows for a certain purpose, or when I am traveling with this laptop.

              ...and Crush, you were very patient to be working with me. I can't imagine that you were anything but an expert - (probably figuring that you are a famous Humblistic person in disguise.)

              Am serious about showing you a good time if you want to come visit Hawaii! I'm on the Big Island where there are lots of turtles...who will come visit you, even if you can't swim with them.
              ¤ø„¸¸„ø¤º°Aloha,
              ¸„ø¤º°¨¨°º¤ø„¸from
              ¸„ø¤º° Frani ``°º¤ø„¸

              an8el

              Re: persistent TR/Crypt.Xpack.gen
              « Reply #44 on: June 28, 2010, 08:08:59 AM »
              OK - how do I mark this one [solved] ?
              ¤ø„¸¸„ø¤º°Aloha,
              ¸„ø¤º°¨¨°º¤ø„¸from
              ¸„ø¤º° Frani ``°º¤ø„¸