
Please Check My Computer System


21 replies to this topic

#1 CSlim08

    Member

  • Full Member
  • 11 posts

Posted 17 May 2011 - 07:23 PM

Hello,

I would like to thank you for your time in advance. I was downloading some files maybe about a month ago (maybe a little less) and I started encountering problems on my Windows Vista laptop. I knew something was wrong because when I typed a search term in the Google toolbar box (that is normally displayed in the right-hand corner), it didn't direct me to the search results page; instead it redirected me to a page that looked like a set-up. In the web bar, instead of it reading something like "www.google.com/search....", it read something like "www.google.html/system32/user/roaming...", and thank goodness I noticed that! I've tried not to use any private information since, and I've been using my on-screen keyboard just in case. I immediately ran a system scan with Windows Defender and it found & removed a trojan. I then downloaded & ran Microsoft Security Essentials, which found & removed some things too. I also noticed that when I pressed Ctrl-Alt-Del my Task Manager option wasn't popping up. I researched this and fixed it through the RegEditor.
You all were going to be my next step, and I'm just getting around to that. I ran all the instructed programs and the logs are below. I would just like for you to check to see if I've removed all harmful objects and make sure there isn't anything left that shouldn't be. If so, please instruct me.
Once again, thanks so much; it is very appreciated.
(Oh, and earlier today, I selected "Show Hidden Files" in the Control Panel, and I had to go through RegEditor for that too because my Folder Options weren't showing, but that part's been fixed).

The M-BAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6601

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

5/17/2011 6:54:09 PM
mbam-log-2011-05-17 (18-54-09).txt

Scan type: Quick scan
Objects scanned: 147993
Time elapsed: 6 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.Net Framework (Trojan.Agent) -> Value: .Net Framework -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\Users\~Sarah~\AppData\Roaming\Bifrost (Backdoor.Bifrose) -> Quarantined and deleted successfully.

Files Infected:
c:\Users\~Sarah~\AppData\Roaming\addons.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
c:\Users\~Sarah~\AppData\Roaming\cglogs.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\Users\~Sarah~\AppData\Roaming\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
c:\Users\~Sarah~\AppData\Roaming\Bifrost\logg.dat (Backdoor.Bifrose) -> Quarantined and deleted successfully.


The DDS Log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by ~Sarah~ at 19:02:42.00 on Tue 05/17/2011
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.363 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\LEXPPS.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Acer\ALaunch\ALaunchSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Windows\system32\dlbccoms.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\~Sarah~\Downloads\dds.scr
C:\Windows\System32\osk.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://aol.com/
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
EB: GoogleBar: {950dd287-7c12-4d2b-8a9a-729ab0553e65} - c:\users\~sarah~\appdata\roaming\google.com\google bar\adxloader.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [eRecoveryService]
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\monitor.lnk - c:\program files\arcsoft\media card companion\MCC Monitor.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: dinerdash.com
Trusted Zone: kerasotes.com\www
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: playfirst.com
Trusted Zone: wgci.com
Trusted Zone: windowsupdate.com\download
Trusted Zone: yahoo.com\games
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\~sarah~\appdata\roaming\mozilla\firefox\profiles\qupm5d11.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl0d4b1d05;MpKsl0d4b1d05;c:\programdata\microsoft\microsoft antimalware\definition updates\{d1c27200-1b8f-426f-ab92-cf6516fc4f4c}\MpKsl0d4b1d05.sys [2011-5-17 28752]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-1-20 21504]
R2 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2008-3-21 51200]
R2 dlbc_device;dlbc_device;c:\windows\system32\dlbccoms.exe -service --> c:\windows\system32\dlbccoms.exe -service [?]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-3-21 180736]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-05-17 23:43:47 -------- d-----w- c:\users\~sarah~\appdata\roaming\Malwarebytes
2011-05-17 23:43:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-17 23:43:06 -------- d-----w- c:\progra~2\Malwarebytes
2011-05-17 23:43:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-17 23:43:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-17 23:40:11 388096 ----a-r- c:\users\~sarah~\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-17 23:40:11 -------- d-----w- c:\program files\Trend Micro
2011-05-17 23:18:55 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{d1c27200-1b8f-426f-ab92-cf6516fc4f4c}\MpKsl0d4b1d05.sys
2011-05-17 21:36:44 7071056 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{d1c27200-1b8f-426f-ab92-cf6516fc4f4c}\mpengine.dll
2011-05-11 14:34:47 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-02 01:55:03 -------- d-----w- c:\users\~sarah~\Catalog
2011-05-02 01:54:59 -------- d-----w- c:\users\~sarah~\Report Files
2011-05-01 15:59:14 7071056 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{cf0c1f65-7ec5-448e-bcc8-24a8b4a57e60}\mpengine.dll
2011-04-27 18:28:46 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 18:28:45 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 18:24:40 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-26 19:35:32 7071056 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-04-26 05:07:46 439632 ------w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{62a113c4-7c5a-42fc-9cd1-e516ced7a97b}\gapaengine.dll
2011-04-26 04:30:15 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-26 04:29:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-04-25 20:22:20 -------- d-----w- c:\users\~sarah~\appdata\local\Apps
2011-04-25 00:48:13 -------- d-----w- c:\windows\Microsoft
.
==================== Find3M ====================
.
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42:03 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40:07 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40:05 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40:05 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44:27 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13:01 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33:12 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33:09 797696 ----a-w- c:\windows\system32\FntCache.dll
.
============= FINISH: 19:05:14.62 ===============


The HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:35:48 PM, on 5/17/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Safe mode

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\RunOnce: [] OSK.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: *.dinerdash.com
O15 - Trusted Zone: http://www.kerasotes.com
O15 - Trusted Zone: *.playfirst.com
O15 - Trusted Zone: http://*.wgci.com
O15 - Trusted Zone: http://download.windowsupdate.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: dlbc_device - - C:\Windows\system32\dlbccoms.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5711 bytes


Finally, the Security check-up Log:

Results of screen317's Security Check version 0.99.7
Windows Vista Service Pack 2 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Microsoft Security Essentials
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 22
Java™ 6 Update 20
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10.1.85.3
Adobe Reader 9
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Empowering Technology eSettings Service capuserv.exe
Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log````````````

Thanks again!

#2 duckfeet

    Forum Deity

  • Retired Staff
  • 1,451 posts

Posted 18 May 2011 - 12:11 AM

Hello, and welcome to SWI. I'm duckfeet and I'll be helping you. During these scans and cleanup, if you have any removable USB drives (flash drives, pen drives, backup drives), make sure they are installed. Are you using a router? If so, are other computers using this router, and are they infected too? Well done with the scans and programs you ran: you got rid of some serious trojans, and I'll have you run some further checks to ensure they are gone:

First, I see you have several sites in 'trusted zones'.
O15 - Trusted Zone: *.dinerdash.com
O15 - Trusted Zone: http://www.kerasotes.com
O15 - Trusted Zone: *.playfirst.com
O15 - Trusted Zone: http://*.wgci.com

O15 - Trusted Zone: yahoo.com\games

Putting a site in 'trusted zone' gives them complete access and freedom to do what they will and is unnecessary. Please open Internet Explorer and go to Tools->Internet Options->Security->Trusted sites->Sites. Remove any sites found there. Also, please run HijackThis again, and remove any O15's in trusted zones that remain, and post a fresh HJT log. See: Trusted Zones

----


  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
  • Click Scan
  • Upon completion of the scan, click Save log and save it to Desktop, and post that log in your next reply. Note - do NOT attempt any Fix yet!
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

----


Please download ComboFix.exe. Visit this webpage for download links, and instructions for running the tool:
how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the aswmbr log and C:\ComboFix.txt in your next reply for further review. Let me know how your computer is running now, and if redirections continue.
My help is free. However, Donations in support of this website are always appreciated!
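As an added triage example (not part of this thread and not code from HijackThis or any other tool mentioned here), the script below parses HijackThis-style "Oxx" lines like the ones posted above and lists the entries duckfeet asked to review: O15 Trusted Zone sites other than Windows Update, O2 BHOs whose DLL is missing, O4 autostart entries with an empty name or an image under AppData/Temp, and O23 services with no vendor string. The sample log is constructed from lines of the same shape as the thread's; the "[.Net Framework]" Run line and its path are made up for the demonstration.

```python
"""Review helper for HijackThis-style logs (added example, not from the thread).

Nothing is deleted or fixed; the output is a list of entries a helper would
want to look at by hand.
"""
import re
from typing import Dict, List

# Constructed sample modelled on the log format in the thread. The
# "[.Net Framework]" Run line and its path are invented for the demo.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Boot mode: Safe mode
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKCU\..\RunOnce: [] OSK.exe
O4 - HKCU\..\Run: [.Net Framework] C:\Users\user\AppData\Roaming\updater.exe
O15 - Trusted Zone: *.dinerdash.com
O15 - Trusted Zone: http://www.kerasotes.com
O15 - Trusted Zone: http://*.wgci.com
O15 - Trusted Zone: http://download.windowsupdate.com
O23 - Service: dlbc_device - - C:\Windows\system32\dlbccoms.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
"""

# Domains Windows Update itself places in the trusted zone; anything else is listed.
WINDOWS_UPDATE_DOMAINS = ("windowsupdate.com", "microsoft.com")

# User-writable folders that are unusual for a legitimate autostart image.
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\")

LINE_RE = re.compile(r"^(?P<section>O\d+|R\d)\s+-\s+(?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def parse_hjt(log_text: str) -> List[Dict[str, str]]:
    """Return one {'section': 'O15', 'body': '...'} dict per Oxx/Rx line."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
    return entries


def _zone_host(body: str) -> str:
    """'Trusted Zone: http://*.wgci.com' -> 'wgci.com' (also handles 'microsoft.com\\update')."""
    target = body.split(":", 1)[1].strip()
    target = re.sub(r"^https?://", "", target)
    return target.split("\\")[0].lstrip("*.").lower()


def _is_update_domain(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in WINDOWS_UPDATE_DOMAINS)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Apply the review checks; each finding is {'section', 'reason', 'detail'}."""
    findings = []
    for e in parse_hjt(log_text):
        sec, body = e["section"], e["body"]
        if sec == "O15":
            host = _zone_host(body)
            if not _is_update_domain(host):
                findings.append({"section": sec, "reason": "third-party site in Trusted Zone", "detail": host})
        elif sec == "O2" and body.rstrip().endswith("(no file)"):
            findings.append({"section": sec, "reason": "BHO registered but DLL missing (orphan)", "detail": body})
        elif sec == "O4":
            m = RUN_RE.search(body)
            name = m.group("name") if m else ""
            cmd = (m.group("cmd") if m else body).lower()
            if not name.strip():
                findings.append({"section": sec, "reason": "autostart entry with empty name", "detail": body})
            if any(marker in cmd for marker in USER_WRITABLE_MARKERS):
                findings.append({"section": sec, "reason": "autostart image in user-writable folder", "detail": body})
        elif sec == "O23" and " - - " in body:
            findings.append({"section": sec, "reason": "service with no vendor string", "detail": body})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f['section']:4} {f['reason']}: {f['detail']}")
```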

#3 CSlim08

    Member

  • Full Member
  • 11 posts

Posted 18 May 2011 - 09:27 AM

Hi,

Thanks so much for your quick response! I really appreciate it. No, I'm not currently using a router. I'm using Ethernet. I have used a router in the past, but it was way before this.

As far as the trusted sites, some of these are sites I regularly use for programs on my laptop and they need internet access & can't gain it otherwise. What should I do to those?

I'll proceed with all the other scans and come back to the new HiJack Log when you respond.

THANKS SO MUCH! You're awesome!

PS: The redirecting of the sites (such as google) that I talked about earlier had BEEN stopped when I removed some things on my own (before I came to you all) so that is no longer a problem. I just want to ensure that everything is clean.


Also, when I click on the aswMBR.exe link you posted, it keeps saying the connection has timed out and the server is taking too long to respond. I know it's not my internet because every other site is loading fine.

Thanks.

Edited by CSlim08, 18 May 2011 - 09:35 AM.


#4 duckfeet

    Forum Deity

  • Retired Staff
  • 1,451 posts

Posted 18 May 2011 - 11:05 AM

As far as the trusted sites, some of these are sites I regularly use for programs on my laptop and they need internet access & can't gain it otherwise. What should I do to those?

As long as you totally trust these sites, and you are sure they need you to give them this kind of access, then you can disregard my warning. It is totally up to you. And I do not need to see another HijackThis log.

----

The redirecting of the sites (such as google) that I talked about earlier had BEEN stopped when I removed some things on my own (before I came to you all) so that is no longer a problem. I just want to ensure that everything is clean.

Good, I understand, and it does seem like you got the worst of it. We just need to be sure.

----

Also, when I click on the aswMBR.exe link you posted, it keeps saying the connection has timed out and the server is taking too long to respond. I know it's not my internet because every other site is loading fine.

Sounds like your antivirus program is blocking it. Make sure your AV is turned off. See: To temporarily disable antivirus, antispyware, firewall http://www.bleepingc...opic114351.html

Next, Download RogueKiller to your desktop. If you have trouble with this link, please go here: http://www.geekstogo...13-roguekiller/

  • Quit all running programs
  • For Vista/Win 7, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 1 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply. And as soon as you finish RogueKiller, please try running aswMBR again--and ComboFix--and post the results here. If you can't get aswmbr to run, go ahead and try ComboFix anyway.
My help is free. However, Donations in support of this website are always appreciated!

#5 CSlim08

    Member

  • Full Member
  • 11 posts

Posted 18 May 2011 - 03:39 PM

Hi!

No matter what I did, I couldn't get the aswMBR to work- I disabled my firewall, put it as an allowed site and everything, nothing ran it. I did do the other two that you asked, and their logs are below.

Thanks so much for your help & patience.

RogueKiller log:

RogueKiller V5.1.4 [05/18/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: ~Sarah~ [Admin rights]
Mode: Scan -- Date : 05/18/2011 15:41:04

Bad processes: 0

Registry Entries: 0

HOSTS File:
127.0.0.1 localhost
::1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt


ComboFix log:

ComboFix 11-05-17.01 - ~Sarah~ 05/18/2011 16:14:10.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.374 [GMT -5:00]
Running from: c:\users\~Sarah~\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Acer Crystal Eye Webcam Video Class Camera
c:\programdata\Microsoft\Windows\Start Menu\Programs\Acer Crystal Eye Webcam Video Class Camera \Uninstall.lnk
c:\users\~Sarah~\AppData\Roaming\.#
c:\windows\MICROSOFT
.
.
((((((((((((((((((((((((( Files Created from 2011-04-18 to 2011-05-18 )))))))))))))))))))))))))))))))
.
.
2011-05-18 21:23 . 2011-05-18 21:23 -------- d-----w- c:\users\~Sarah~\AppData\Local\temp
2011-05-18 21:23 . 2011-05-18 21:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-17 23:43 . 2011-05-17 23:43 -------- d-----w- c:\users\~Sarah~\AppData\Roaming\Malwarebytes
2011-05-17 23:43 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-17 23:43 . 2011-05-17 23:43 -------- d-----w- c:\programdata\Malwarebytes
2011-05-17 23:43 . 2011-05-17 23:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-17 23:43 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-17 23:40 . 2011-05-17 23:40 388096 ----a-r- c:\users\~Sarah~\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-17 23:40 . 2011-05-17 23:40 -------- d-----w- c:\program files\Trend Micro
2011-05-17 21:36 . 2011-04-18 14:15 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D1C27200-1B8F-426F-AB92-CF6516FC4F4C}\mpengine.dll
2011-05-11 14:34 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-02 01:55 . 2011-05-02 01:55 -------- d-----w- c:\users\~Sarah~\Catalog
2011-05-02 01:54 . 2011-05-02 01:54 -------- d-----w- c:\users\~Sarah~\Report Files
2011-05-01 15:59 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CF0C1F65-7EC5-448E-BCC8-24A8B4A57E60}\mpengine.dll
2011-04-27 18:28 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 18:28 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 18:24 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-26 19:35 . 2011-04-18 14:15 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-26 05:07 . 2010-11-30 16:43 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{62A113C4-7C5A-42FC-9CD1-E516CED7A97B}\gapaengine.dll
2011-04-26 04:30 . 2011-04-26 04:31 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-26 04:29 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-04-25 20:22 . 2011-04-25 20:22 -------- d-----w- c:\users\~Sarah~\AppData\Local\Apps
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-10 17:03 . 2011-04-14 14:35 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03 . 2011-04-14 14:35 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42 . 2011-04-14 14:34 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40 . 2011-04-27 18:28 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-04-27 18:28 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-04-27 18:28 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-04-27 18:28 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25 . 2011-04-14 14:34 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44 . 2011-04-14 14:35 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13 . 2011-03-23 13:30 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-23 13:30 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-23 13:30 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-22 13:24 . 2011-04-14 14:35 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-22 13:24 . 2011-04-14 14:35 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-22 13:23 . 2011-04-14 14:35 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-22 13:23 . 2011-04-14 14:35 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-02-18 14:03 . 2011-04-14 14:35 305152 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-18 14:03 . 2011-04-14 14:35 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-02-18 14:03 . 2011-04-14 14:35 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-29 18:22 . 2011-04-15 01:07 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Monitor.lnk - c:\program files\ArcSoft\Media Card Companion\MCC Monitor.exe [2009-5-29 110592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^$McRebootA5E6DEAA56$.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
backup=c:\windows\pss\$McRebootA5E6DEAA56$.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^~Sarah~^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\~Sarah~\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-11-19 22:17 1261568 ----a-w- c:\program files\Acer\Acer Assist\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2007-11-26 18:21 3387392 ----a-w- c:\program files\Acer\Acer Registration\ACE1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 07:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 08:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-07-21 10:18 159744 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-03-05 13:15 525360 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-01-04 17:30 768520 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2008-01-25 20:25 155648 ------w- c:\program files\Acer\Acer Arcade\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]
2007-07-05 19:35 94208 ----a-w- c:\windows\PLFSetL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-03-11 09:53 5296128 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-11-20 10:15 1826816 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2008-09-16 18:16 1833296 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:33 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2007-05-31 22:21 648072 ----a-w- c:\windows\WindowsMobile\wmdcBase.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R1 MpKsl041aa044;MpKsl041aa044;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A9820885-81E8-4039-8F7F-C9DCA4B6D844}\MpKsl041aa044.sys [x]
R1 MpKsl09106137;MpKsl09106137;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{05C713DB-ABBC-40B6-8A67-F201B05F6ACE}\MpKsl09106137.sys [x]
R1 MpKsl2b01d0f8;MpKsl2b01d0f8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{458EE6ED-B353-4C18-8897-A3884F90038B}\MpKsl2b01d0f8.sys [x]
R1 MpKsl457b8281;MpKsl457b8281;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{309AB6FE-B04B-4045-82AF-023B75A9AE53}\MpKsl457b8281.sys [x]
R1 MpKsl7cd42399;MpKsl7cd42399;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D1C27200-1B8F-426F-AB92-CF6516FC4F4C}\MpKsl7cd42399.sys [x]
R1 MpKsl997aaa4e;MpKsl997aaa4e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{489F1BA2-7200-48EF-A4BB-50C908F132D7}\MpKsl997aaa4e.sys [x]
R1 MpKslc0cc9b24;MpKslc0cc9b24;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{441C1772-E0C8-4F2C-A6BB-148DB11B9887}\MpKslc0cc9b24.sys [x]
R1 MpKslc4e5604a;MpKslc4e5604a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{458EE6ED-B353-4C18-8897-A3884F90038B}\MpKslc4e5604a.sys [x]
R1 MpKsle1b89aed;MpKsle1b89aed;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{458EE6ED-B353-4C18-8897-A3884F90038B}\MpKsle1b89aed.sys [x]
R1 MpKsle64cbe3e;MpKsle64cbe3e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D1C27200-1B8F-426F-AB92-CF6516FC4F4C}\MpKsle64cbe3e.sys [x]
R1 MpKslfafa9b52;MpKslfafa9b52;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{489F1BA2-7200-48EF-A4BB-50C908F132D7}\MpKslfafa9b52.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 21504]
S2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-09-19 51200]
S2 dlbc_device;dlbc_device;c:\windows\system32\dlbccoms.exe [2007-03-01 538096]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-07-22 180736]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2010-12-15 c:\windows\Tasks\User_Feed_Synchronization-{C154EDE5-1B45-4909-973B-1537C178A3FE}.job
- c:\windows\system32\msfeedssync.exe [2011-04-26 01:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aol.com/
mStart Page = hxxp://en.us.acer.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: dinerdash.com
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: playfirst.com
Trusted Zone: wgci.com
Trusted Zone: windowsupdate.com\download
FF - ProfilePath - c:\users\~Sarah~\AppData\Roaming\Mozilla\Firefox\Profiles\qupm5d11.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-eRecoveryService - (no file)
MSConfigStartUp-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
MSConfigStartUp-AdobeCS5ServiceManager - c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
MSConfigStartUp-ALaunch - c:\acer\ALaunch\AlaunchClient.exe
MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe
MSConfigStartUp-SetPanel - c:\acer\APanel\APanel.cmd
MSConfigStartUp-SwitchBoard - c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-18 16:23
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-05-18 16:26:56
ComboFix-quarantined-files.txt 2011-05-18 21:26
.
Pre-Run: 35,720,634,368 bytes free
Post-Run: 35,836,223,488 bytes free
.
- - End Of File - - 3A84EB8FFE959BAF0C481A4DEE27B6A2

#6 duckfeet

Posted 18 May 2011 - 08:25 PM

No matter what I did, I couldn't get the aswMBR to work- I disabled my firewall, put it as an allowed site and everything, nothing ran it. I did do the other two that you asked, and their logs are below.

No worries on aswMBR. (EDIT: I think the site is down: others are having the same problem.) Your logs are looking good. I'll have you run another scan just to make sure: I'm waiting to check with the experts on a couple of deletions that I think might not be malware related (Webcam camera)... and I'll get back to you as soon as I hear from them.


To remove remnants of McAfee antivirus still on your system, please download and run the McAfee Consumer Products Removal tool (MCPR.exe) from here to remove any component from McAfee installed on your computer. For help, see: Mcafee.com
----

  • Please download GMER from here. Save it to your Desktop. Take note of the filename, as it is a randomly named .exe file.
  • Disconnect from the Internet and close all running programs while scan is running.
  • Make sure all antivirus and other real-time security programs are disabled. See here for directions.
  • Double-click on the downloaded file to start the program. (If running Vista or Win 7, right click on it and Run as an Administrator)
  • If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click on NO, then use the following settings for a more complete scan:

  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Click the Scan button to begin. (Please be patient: this can take some time.)
  • When the scan is finished, click Save and type in gmer.txt and save to Desktop and copy/paste the contents in your next reply.
Note!: These types of scans can produce false positives. Do not take any action until a trained helper has seen the log.


----

I see you are using the P2P file sharing program Limewire. Peer to Peer (P2P) file sharing programs are a security risk which can make your computer susceptible to malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans, IRCBots, and rootkits spread across P2P file sharing networks. The best way to reduce the risk of infection is to not use any P2P applications. I strongly suggest going to Start->Control Panel->Programs and uninstalling any Limewire Peer2Peer file sharing programs or toolbars.
See:
http://aresgalaxy.so...et/p2prisks.htm
http://news.cnet.com...eached-via-p2p/
http://www.gazette.c...ls-prompts.html

----

Your version of Java is out of date and older versions contain vulnerabilities. Here are the steps to follow:

  • Download the latest JRE version from here
  • Go to Start > Control Panel > double-click on the Programs and Features icon. Search for all previously installed versions of Java (J2SE Runtime Environment). Select each in turn and click Remove.
  • Install the latest version.

Please clean out your Java cache by going to Start -> Control Panel -> Programs and double-clicking on the Java icon, which will open up the Java Control Panel.
  • Click Settings under Temporary Internet Files.
  • The Temporary Files dialog box appears.
  • Click on Delete Files
  • The Delete Temporary Files dialog box appears.
  • Make sure all are checked.
  • Click OK twice.
See Clear Java Cache if you have problems.

----

ADOBE - Reader and Flash Player vulnerabilities.
Note!: On any of these downloads, I recommend you uncheck any optional installs (Free McAfee Security Scan or Free Google Toolbar)

Please get the latest updates.

The latest Adobe Reader is available here

Latest Security Update available for Adobe Flash Player here

The latest Flash Player is available here

----

Please include the gmer log in your next reply, and let me know how your computer is running now.

EDIT: The aswMBR site appears to be back up also: you could try running that scan first, then run gmer anyway, and provide both logs (if they are up) in your next reply.

Edited by duckfeet, 18 May 2011 - 09:52 PM.

My help is free. However, Donations in support of this website are always appreciated!

#7 duckfeet

Posted 18 May 2011 - 11:25 PM

I need you to please retrieve the Combofix log for me:

Please go to Start >Run > and copy/paste the following, then press Enter

C:\QooBox\ComboFix-quarantined-files.txt

A log file should open. Please post that in your next reply.


(To bring up the Run box in Vista, go to Start and type: Run -> Enter in the search box)

#8 CSlim08

Posted 19 May 2011 - 09:41 AM

Hi!
Every time I try to perform the GMER scan, it freezes up my entire system. It starts up and freezes while scanning the devices, particularly "\CDFS" or "\CDIS" (typing this from memory, but I think it was the first one).

Here's the ComboFix log:

2011-05-18 21:26:15 . 2011-05-18 21:26:15 934 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SwitchBoard.reg.dat
2011-05-18 21:26:15 . 2011-05-18 21:26:15 842 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SetPanel.reg.dat
2011-05-18 21:26:14 . 2011-05-18 21:26:14 870 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-AVG_TRAY.reg.dat
2011-05-18 21:26:14 . 2011-05-18 21:26:14 854 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-ALaunch.reg.dat
2011-05-18 21:26:14 . 2011-05-18 21:26:14 1,044 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-AdobeCS5ServiceManager.reg.dat
2011-05-18 21:26:14 . 2011-05-18 21:26:14 890 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Acer Tour Reminder.reg.dat
2011-05-18 21:26:05 . 2011-05-18 21:26:05 80 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-eRecoveryService.reg.dat
2011-05-18 21:20:41 . 2011-05-18 21:20:41 7,303 -c--a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-05-18 21:11:26 . 2011-05-18 21:14:10 82 -c--a-w- C:\Qoobox\Quarantine\catchme.log
2008-04-15 17:13:08 . 2008-04-15 17:13:10 2,230 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\Start Menu\Programs\Acer Crystal Eye Webcam Video Class Camera \Uninstall.lnk.vir

Thanks.

#9 duckfeet

Posted 19 May 2011 - 11:22 AM

Every time I try to perform the GMER scan, it freezes up my entire system. It starts up and freezes while scanning the devices, particularly "\CDFS" or "\CDIS" (typing this from memory, but I think it was the first one).

I'm sorry this is giving you difficulties. The aswmbr site is back up, and that scan runs quicker, so would you please try running aswmbr.exe again, and post the log it provides here? Also try:
Please download tdsskiller.exe and save it to your Desktop. Go here for information.


  • Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file in your next reply.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.



#10 CSlim08

Posted 19 May 2011 - 11:49 AM

Okay, here's the aswMBR log:

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-19 12:39:10
-----------------------------
12:39:10.281 OS Version: Windows 6.0.6002 Service Pack 2
12:39:10.281 Number of processors: 1 586 0x1601
12:39:10.282 ComputerName: SARAH-PC UserName: ~Sarah~
12:39:40.284 Initialize success
12:40:11.931 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
12:40:11.933 Disk 0 Vendor: TOSHIBA_MK1646GSX LB113J Size: 152627MB BusType: 3
12:40:13.988 Disk 0 MBR read successfully
12:40:13.992 Disk 0 MBR scan
12:40:13.995 Disk 0 unknown MBR code
12:40:15.998 Disk 0 scanning sectors +312578048
12:40:16.045 Disk 0 scanning C:\Windows\system32\drivers
12:40:21.997 Service scanning
12:40:24.397 Disk 0 trace - called modules:
12:40:24.422 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS PCIIDEX.SYS msahci.sys dxgkrnl.sys igdkmd32.sys
12:40:24.425 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8506fac8]
12:40:24.428 3 CLASSPNP.SYS[867a58b3] -> nt!IofCallDriver -> [0x8491b898]
12:40:24.432 5 acpi.sys[828a06bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0x849118a0]
12:40:24.435 Scan finished successfully
12:41:38.245 Disk 0 MBR has been saved successfully to "C:\Users\~Sarah~\Desktop\MBR.dat"
12:41:38.250 The log file has been saved successfully to "C:\Users\~Sarah~\Desktop\aswMBR.txt"

The MBR data file is attached, as instructed.

Here's the TDSS log you requested:

2011/05/19 12:45:36.0636 4828 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/19 12:45:37.0066 4828 ================================================================================
2011/05/19 12:45:37.0066 4828 SystemInfo:
2011/05/19 12:45:37.0066 4828
2011/05/19 12:45:37.0066 4828 OS Version: 6.0.6002 ServicePack: 2.0
2011/05/19 12:45:37.0066 4828 Product type: Workstation
2011/05/19 12:45:37.0066 4828 ComputerName: SARAH-PC
2011/05/19 12:45:37.0067 4828 UserName: ~Sarah~
2011/05/19 12:45:37.0067 4828 Windows directory: C:\Windows
2011/05/19 12:45:37.0067 4828 System windows directory: C:\Windows
2011/05/19 12:45:37.0067 4828 Processor architecture: Intel x86
2011/05/19 12:45:37.0067 4828 Number of processors: 1
2011/05/19 12:45:37.0067 4828 Page size: 0x1000
2011/05/19 12:45:37.0067 4828 Boot type: Normal boot
2011/05/19 12:45:37.0067 4828 ================================================================================
2011/05/19 12:45:37.0814 4828 Initialize success
2011/05/19 12:45:47.0308 4532 ================================================================================
2011/05/19 12:45:47.0308 4532 Scan started
2011/05/19 12:45:47.0308 4532 Mode: Manual;
2011/05/19 12:45:47.0308 4532 ================================================================================
2011/05/19 12:45:48.0592 4532 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2011/05/19 12:45:48.0792 4532 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
2011/05/19 12:45:48.0957 4532 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
2011/05/19 12:45:49.0012 4532 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
2011/05/19 12:45:49.0174 4532 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
2011/05/19 12:45:49.0415 4532 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2011/05/19 12:45:49.0634 4532 AgereSoftModem (d31d1a92479bd8c0d050a6ffbdd410d9) C:\Windows\system32\DRIVERS\AGRSM.sys
2011/05/19 12:45:49.0833 4532 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
2011/05/19 12:45:49.0924 4532 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/05/19 12:45:50.0035 4532 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
2011/05/19 12:45:50.0123 4532 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
2011/05/19 12:45:50.0169 4532 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
2011/05/19 12:45:50.0254 4532 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
2011/05/19 12:45:50.0330 4532 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
2011/05/19 12:45:50.0444 4532 ApfiltrService (0a0fbc30de483233124cdaef8e5cbcdd) C:\Windows\system32\DRIVERS\Apfiltr.sys
2011/05/19 12:45:50.0614 4532 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
2011/05/19 12:45:50.0665 4532 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
2011/05/19 12:45:50.0803 4532 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/05/19 12:45:50.0853 4532 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2011/05/19 12:45:51.0027 4532 athr (044dcfc10b9144725b0e59ac319759e3) C:\Windows\system32\DRIVERS\athr.sys
2011/05/19 12:45:51.0256 4532 b57nd60x (aa6b367ca7da571dfc3374ec137d87a5) C:\Windows\system32\DRIVERS\b57nd60x.sys
2011/05/19 12:45:51.0423 4532 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/05/19 12:45:51.0551 4532 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
2011/05/19 12:45:51.0687 4532 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
2011/05/19 12:45:51.0834 4532 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/05/19 12:45:51.0889 4532 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/05/19 12:45:52.0055 4532 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/05/19 12:45:52.0125 4532 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/05/19 12:45:52.0225 4532 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/05/19 12:45:52.0331 4532 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/05/19 12:45:52.0445 4532 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/05/19 12:45:52.0728 4532 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/05/19 12:45:52.0809 4532 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2011/05/19 12:45:52.0987 4532 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
2011/05/19 12:45:53.0167 4532 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2011/05/19 12:45:53.0347 4532 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/05/19 12:45:53.0507 4532 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
2011/05/19 12:45:53.0556 4532 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2011/05/19 12:45:53.0608 4532 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
2011/05/19 12:45:54.0105 4532 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
2011/05/19 12:45:54.0344 4532 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2011/05/19 12:45:54.0546 4532 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2011/05/19 12:45:54.0713 4532 DKbFltr (73baf270d24fe726b9cd7f80bb17a23d) C:\Windows\system32\DRIVERS\DKbFltr.sys
2011/05/19 12:45:54.0856 4532 DritekPortIO (5c918d413f5837e67a85775c9873775e) C:\PROGRA~1\LAUNCH~1\DPortIO.sys
2011/05/19 12:45:55.0022 4532 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/05/19 12:45:55.0105 4532 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
2011/05/19 12:45:55.0635 4532 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/05/19 12:45:55.0775 4532 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2011/05/19 12:45:56.0071 4532 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
2011/05/19 12:45:56.0248 4532 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
2011/05/19 12:45:56.0480 4532 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2011/05/19 12:45:56.0549 4532 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2011/05/19 12:45:56.0691 4532 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
2011/05/19 12:45:56.0758 4532 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/05/19 12:45:56.0807 4532 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/05/19 12:45:57.0260 4532 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/05/19 12:45:57.0474 4532 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2011/05/19 12:45:57.0666 4532 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/05/19 12:45:57.0728 4532 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
2011/05/19 12:45:57.0890 4532 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2011/05/19 12:45:57.0975 4532 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/05/19 12:45:58.0199 4532 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/05/19 12:45:58.0264 4532 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/05/19 12:45:58.0469 4532 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2011/05/19 12:45:58.0588 4532 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
2011/05/19 12:45:58.0681 4532 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
2011/05/19 12:45:58.0870 4532 HSF_DPV (3f53b4af98f8fd83b7f0b8b65d2d90a7) C:\Windows\system32\DRIVERS\HSX_DPV.sys
2011/05/19 12:45:59.0062 4532 HSXHWAZL (194bc52fc0f53e540faf9de8a9c05255) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
2011/05/19 12:45:59.0139 4532 HTTP (0eeeca26c8d4bde2a4664db058a81937) C:\Windows\system32\drivers\HTTP.sys
2011/05/19 12:45:59.0338 4532 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
2011/05/19 12:45:59.0550 4532 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/05/19 12:45:59.0727 4532 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
2011/05/19 12:46:00.0004 4532 igfx (9378d57e2b96c0a185d844770ad49948) C:\Windows\system32\DRIVERS\igdkmd32.sys
2011/05/19 12:46:00.0209 4532 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/05/19 12:46:00.0310 4532 int15 (c6e5276c00ebdeb096bb5ef4b797d1b6) C:\Acer\Empowering Technology\eRecovery\int15.sys
2011/05/19 12:46:00.0622 4532 IntcAzAudAddService (92bcc487f16892cda495dbd8160272d9) C:\Windows\system32\drivers\RTKVHDA.sys
2011/05/19 12:46:00.0847 4532 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2011/05/19 12:46:00.0910 4532 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2011/05/19 12:46:01.0070 4532 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/05/19 12:46:01.0178 4532 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
2011/05/19 12:46:01.0325 4532 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/05/19 12:46:01.0376 4532 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/05/19 12:46:01.0474 4532 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
2011/05/19 12:46:01.0585 4532 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/05/19 12:46:01.0701 4532 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/05/19 12:46:01.0802 4532 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/05/19 12:46:01.0850 4532 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/05/19 12:46:02.0011 4532 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/05/19 12:46:02.0092 4532 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2011/05/19 12:46:02.0322 4532 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/05/19 12:46:02.0402 4532 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
2011/05/19 12:46:02.0454 4532 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
2011/05/19 12:46:02.0615 4532 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
2011/05/19 12:46:02.0714 4532 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/05/19 12:46:02.0821 4532 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
2011/05/19 12:46:02.0914 4532 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
2011/05/19 12:46:03.0015 4532 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
2011/05/19 12:46:03.0189 4532 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2011/05/19 12:46:03.0256 4532 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2011/05/19 12:46:03.0406 4532 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2011/05/19 12:46:03.0458 4532 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2011/05/19 12:46:03.0598 4532 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2011/05/19 12:46:03.0666 4532 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\Windows\system32\DRIVERS\MpFilter.sys
2011/05/19 12:46:03.0812 4532 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
2011/05/19 12:46:04.0039 4532 MpKsl175aaaf3 (5f53edfead46fa7adb78eee9ecce8fdf) C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{DC1AC5DA-40C5-40C5-89D6-F79560E392C3}\MpKsl175aaaf3.sys
2011/05/19 12:46:04.0559 4532 MpNWMon (f32e2d6a1640a469a9ed4f1929a4a861) C:\Windows\system32\DRIVERS\MpNWMon.sys
2011/05/19 12:46:04.0710 4532 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2011/05/19 12:46:04.0797 4532 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/05/19 12:46:04.0865 4532 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2011/05/19 12:46:04.0995 4532 mrxsmb (5fe5cf325f5b02ebc60832d3440cb414) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/05/19 12:46:05.0164 4532 mrxsmb10 (30b9c769446af379a2afb72b0392604d) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/05/19 12:46:05.0331 4532 mrxsmb20 (fea239b3ec4877e2b7e23204af589ddf) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/05/19 12:46:05.0507 4532 msahci (28023e86f17001f7cd9b15a5bc9ae07d) C:\Windows\system32\drivers\msahci.sys
2011/05/19 12:46:05.0619 4532 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
2011/05/19 12:46:05.0718 4532 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2011/05/19 12:46:05.0865 4532 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2011/05/19 12:46:05.0955 4532 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2011/05/19 12:46:06.0123 4532 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/05/19 12:46:06.0210 4532 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2011/05/19 12:46:06.0358 4532 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2011/05/19 12:46:06.0549 4532 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/05/19 12:46:06.0702 4532 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2011/05/19 12:46:06.0775 4532 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2011/05/19 12:46:06.0963 4532 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2011/05/19 12:46:07.0080 4532 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2011/05/19 12:46:07.0262 4532 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/05/19 12:46:07.0346 4532 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/05/19 12:46:07.0515 4532 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/05/19 12:46:07.0640 4532 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2011/05/19 12:46:07.0690 4532 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2011/05/19 12:46:07.0773 4532 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2011/05/19 12:46:07.0967 4532 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/05/19 12:46:08.0034 4532 NisDrv (17e2c08c5ecfbe94a7c67b1c275ee9d9) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
2011/05/19 12:46:08.0213 4532 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2011/05/19 12:46:08.0261 4532 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2011/05/19 12:46:08.0364 4532 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2011/05/19 12:46:08.0574 4532 NTIDrvr (7f1c1f78d709c4a54cbb46ede7e0b48d) C:\Windows\system32\DRIVERS\NTIDrvr.sys
2011/05/19 12:46:08.0635 4532 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/05/19 12:46:08.0742 4532 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2011/05/19 12:46:08.0795 4532 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
2011/05/19 12:46:08.0874 4532 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
2011/05/19 12:46:09.0052 4532 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
2011/05/19 12:46:09.0321 4532 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
2011/05/19 12:46:09.0569 4532 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2011/05/19 12:46:09.0728 4532 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2011/05/19 12:46:09.0782 4532 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2011/05/19 12:46:09.0953 4532 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2011/05/19 12:46:10.0005 4532 pciide (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\drivers\pciide.sys
2011/05/19 12:46:10.0140 4532 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
2011/05/19 12:46:10.0233 4532 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/05/19 12:46:10.0459 4532 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/05/19 12:46:10.0504 4532 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
2011/05/19 12:46:10.0586 4532 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2011/05/19 12:46:10.0738 4532 PSDFilter (18de162f9b83079c24cd96f59292f5ed) C:\Windows\system32\DRIVERS\psdfilter.sys
2011/05/19 12:46:10.0783 4532 PSDNServ (bc1457a28e76ab3106d43802ac22a627) C:\Windows\system32\DRIVERS\PSDNServ.sys
2011/05/19 12:46:10.0995 4532 psdvdisk (ac151e5b0943304e368c98ec78b5fc4f) C:\Windows\system32\DRIVERS\PSDVdisk.sys
2011/05/19 12:46:11.0186 4532 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
2011/05/19 12:46:11.0349 4532 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/05/19 12:46:11.0407 4532 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/05/19 12:46:11.0577 4532 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/05/19 12:46:11.0635 4532 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/05/19 12:46:11.0719 4532 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/05/19 12:46:11.0851 4532 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2011/05/19 12:46:11.0926 4532 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2011/05/19 12:46:12.0074 4532 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/05/19 12:46:12.0139 4532 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
2011/05/19 12:46:12.0297 4532 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/05/19 12:46:12.0377 4532 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2011/05/19 12:46:12.0583 4532 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/05/19 12:46:12.0638 4532 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/05/19 12:46:12.0797 4532 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/05/19 12:46:12.0872 4532 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2011/05/19 12:46:12.0954 4532 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2011/05/19 12:46:13.0037 4532 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/05/19 12:46:13.0142 4532 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
2011/05/19 12:46:13.0280 4532 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
2011/05/19 12:46:13.0351 4532 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
2011/05/19 12:46:13.0510 4532 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/05/19 12:46:13.0597 4532 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
2011/05/19 12:46:13.0726 4532 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
2011/05/19 12:46:13.0799 4532 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
2011/05/19 12:46:13.0942 4532 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2011/05/19 12:46:14.0097 4532 SNP2UVC (d79fe8ff4c1a11cd650a8bbeac62be9f) C:\Windows\system32\DRIVERS\snp2uvc.sys
2011/05/19 12:46:14.0283 4532 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/05/19 12:46:14.0367 4532 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
2011/05/19 12:46:14.0548 4532 srv2 (a5940ca32ed206f90be9fabdf6e92de4) C:\Windows\system32\DRIVERS\srv2.sys
2011/05/19 12:46:14.0680 4532 srvnet (37aa1d560d5fa486c4b11c2f276ada61) C:\Windows\system32\DRIVERS\srvnet.sys
2011/05/19 12:46:14.0751 4532 sscdbus (d5dffeaa1e15d4effabb9d9a3068ac5b) C:\Windows\system32\DRIVERS\sscdbus.sys
2011/05/19 12:46:14.0894 4532 sscdmdfl (8a1be0c347814f482f493aea619d57f6) C:\Windows\system32\DRIVERS\sscdmdfl.sys
2011/05/19 12:46:14.0961 4532 sscdmdm (5ab0b1987f682a59b15b78f84c6ad7d0) C:\Windows\system32\DRIVERS\sscdmdm.sys
2011/05/19 12:46:15.0139 4532 sscdserd (751e66eb32efa80633b80f5d7ff0a1d8) C:\Windows\system32\DRIVERS\sscdserd.sys
2011/05/19 12:46:15.0265 4532 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2011/05/19 12:46:15.0378 4532 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/05/19 12:46:15.0492 4532 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/05/19 12:46:15.0589 4532 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/05/19 12:46:15.0755 4532 Tcpip (6a10afce0b38371064be41c1fbfd3c6b) C:\Windows\system32\drivers\tcpip.sys
2011/05/19 12:46:15.0871 4532 Tcpip6 (6a10afce0b38371064be41c1fbfd3c6b) C:\Windows\system32\DRIVERS\tcpip.sys
2011/05/19 12:46:15.0987 4532 tcpipreg (9bf343f4c878d6ad6922b2c5a4fefe0d) C:\Windows\system32\drivers\tcpipreg.sys
2011/05/19 12:46:16.0044 4532 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2011/05/19 12:46:16.0138 4532 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2011/05/19 12:46:16.0240 4532 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2011/05/19 12:46:16.0348 4532 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2011/05/19 12:46:16.0489 4532 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/05/19 12:46:16.0596 4532 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2011/05/19 12:46:16.0800 4532 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2011/05/19 12:46:16.0969 4532 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
2011/05/19 12:46:17.0090 4532 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2011/05/19 12:46:17.0249 4532 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
2011/05/19 12:46:17.0347 4532 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
2011/05/19 12:46:17.0462 4532 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/05/19 12:46:17.0553 4532 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/05/19 12:46:17.0669 4532 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/05/19 12:46:17.0820 4532 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/05/19 12:46:17.0879 4532 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/05/19 12:46:18.0025 4532 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2011/05/19 12:46:18.0096 4532 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2011/05/19 12:46:18.0263 4532 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
2011/05/19 12:46:18.0376 4532 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2011/05/19 12:46:18.0492 4532 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/05/19 12:46:18.0588 4532 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/05/19 12:46:18.0707 4532 usb_rndisx (35c9095fa7076466afbfc5b9ec4b779e) C:\Windows\system32\DRIVERS\usb8023x.sys
2011/05/19 12:46:18.0850 4532 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/05/19 12:46:18.0917 4532 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2011/05/19 12:46:19.0044 4532 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
2011/05/19 12:46:19.0101 4532 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
2011/05/19 12:46:19.0283 4532 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
2011/05/19 12:46:19.0430 4532 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/05/19 12:46:19.0513 4532 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2011/05/19 12:46:19.0692 4532 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2011/05/19 12:46:19.0786 4532 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
2011/05/19 12:46:19.0903 4532 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/05/19 12:46:20.0008 4532 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/05/19 12:46:20.0036 4532 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/05/19 12:46:20.0158 4532 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
2011/05/19 12:46:20.0279 4532 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2011/05/19 12:46:20.0490 4532 winachsf (c9c63410d8cf98f621b9cc62243fb877) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
2011/05/19 12:46:20.0723 4532 WinUSB (676f4b665bdd8053eaa53ac1695b8074) C:\Windows\system32\DRIVERS\WinUSB.sys
2011/05/19 12:46:20.0907 4532 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/05/19 12:46:21.0049 4532 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
2011/05/19 12:46:21.0233 4532 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/05/19 12:46:21.0439 4532 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/05/19 12:46:21.0502 4532 XAudio (2e579520e114a9ca309f13bf40ad8292) C:\Windows\system32\DRIVERS\xaudio.sys
2011/05/19 12:46:21.0689 4532 ================================================================================
2011/05/19 12:46:21.0690 4532 Scan finished
2011/05/19 12:46:21.0690 4532 ================================================================================

Lastly, I know earlier in our conversation you mentioned for me to have all drives, USB drives, etc. plugged in while doing these scans, but I couldn't locate my USB drive that I had been using. I don't know where it is. If I ever find it, should I run scans on it?

Thank you!

#11 duckfeet

duckfeet

    Forum Deity

  • Retired Staff
  • 1,451 posts

Posted 19 May 2011 - 05:04 PM

Lastly, I know earlier in our conversation you mentioned for me to have all drives, USB drives, etc. plugged in while doing these scans, but I couldn't locate my USB drive that I had been using. I don't know where it is. If I ever find it, should I run scans on it?

Well done on getting both those scans: your logs appear clean. The reason for my concern over USB drives is that lately we've been finding that USB drives are often the cause of recurring infections, so we want to not only *check* them, but also immunize them so that they cannot keep doing this. So yes, if/when you find that USB drive, I'd run a Malwarebytes *full* scan, and make sure to check (tick) the drive letter that the USB flash drive has. See: here and here...and take note of the 'flash drive' links and information.


  • Make sure that combofix.exe is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text inside the codebox below into it:

http://www.spywareinfoforum.com/index.php?/topic/131822-please-check-my-computer-system/
Suspect::
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\Start Menu\Programs\Acer Crystal Eye Webcam Video Class Camera \Uninstall.lnk.vir


Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

**Note**
-- When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture this file to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.

Edited by duckfeet, 19 May 2011 - 05:43 PM.

My help is free. However, Donations in support of this website are always appreciated!
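The "immunize" step duckfeet refers to above comes down to two checks on a Windows machine of this era: make sure AutoRun is switched off in the registry so an autorun.inf on removable media can never launch anything, and make sure the stick itself does not carry an autorun.inf file (or occupy that name with a folder so a worm cannot drop one). The PowerShell below is an added example written for this editing pass, not a script from the thread or from any of the tools it names. It assumes an elevated PowerShell 2.0 or later prompt on Vista/7, that removable drives show up as WMI DriveType 2, and that 0xFF is the value you want for NoDriveTypeAutoRun (it disables AutoRun for every drive class, including the CD/DVD class that Microsoft's later AutoRun hardening update left enabled).

```powershell
# Added example, not part of the original thread. Audits the AutoRun policy and
# every removable drive currently plugged in, then applies the classic
# "immunization" (a protective autorun.inf folder) where it is missing.
# Assumptions: elevated prompt, PowerShell 2.0+, Vista/7-era registry layout.

$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# 0xFF (255) disables AutoRun for all drive types. Any other value leaves at
# least one media class (removable, network, optical) able to act on autorun.inf.
foreach ($key in $policyKeys) {
    $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($value -eq 255) {
        Write-Host "$key : NoDriveTypeAutoRun = 0xFF (AutoRun disabled)"
    } else {
        Write-Host "$key : NoDriveTypeAutoRun = $value (AutoRun NOT fully disabled)"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 255 -Type DWord
        Write-Host "  -> set to 0xFF; Explorer picks it up at next logon"
    }
}

# DriveType 2 = removable disk (USB flash drives, card readers).
$removable = Get-WmiObject Win32_LogicalDisk -Filter "DriveType=2"
foreach ($drive in $removable) {
    $root = $drive.DeviceID + '\'
    $inf  = Join-Path $root 'autorun.inf'
    Write-Host "Checking $root"

    if (Test-Path $inf -PathType Leaf) {
        # A file here is what USB worms plant. Show its contents instead of
        # deleting it, so the helper can see which executable it points at.
        Write-Host "  autorun.inf FILE found:"
        Get-Content $inf | ForEach-Object { Write-Host "    $_" }
    } elseif (Test-Path $inf -PathType Container) {
        Write-Host "  autorun.inf is already a folder (immunized)"
    } else {
        # Classic immunization: occupy the name with a read-only, hidden,
        # system folder so a worm cannot create an autorun.inf file here.
        # Malware running with full rights can still remove the folder, which
        # is why the registry policy above is the control that actually matters.
        $dir = New-Item -Path $inf -ItemType Directory
        $dir.Attributes = 'ReadOnly, Hidden, System'
        Write-Host "  created protective autorun.inf folder"
    }

    # Hidden executables or shortcuts in the root are the other tell-tale sign
    # of a stick that has been through an infected machine.
    Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            $_.Extension -match '^\.(exe|scr|lnk|vbs|bat|cmd)$' -and
            ($_.Attributes -band [IO.FileAttributes]::Hidden)
        } |
        ForEach-Object { Write-Host "  hidden $($_.Extension) in root: $($_.Name)" }
}
```

Run it with the stick inserted before the Malwarebytes full scan, so the scan sees whatever the script reports. The script deliberately reports an existing autorun.inf rather than deleting it: on a thread like this one the helper wants to see the file (and the executable it names) before anything is removed, and the registry change is what stops a re-plugged stick from reinfecting the laptop regardless of what is on it.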

#12 CSlim08

CSlim08

    Member

  • Full Member
  • 11 posts

Posted 19 May 2011 - 08:16 PM

Hi,

Not sure what happened: I did what you told me, and after it was done I couldn't access any software on my laptop, along with some files. I kept getting the message "Illegal operation attempted on a registry key that has been marked for deletion". I couldn't even access my internet. I didn't know what to do. I eventually restarted my laptop, pressed F8, and went into the Repair options. I attempted to restore my system from there (because I couldn't even access that option in Windows' regular session) and it said it couldn't fully restore everything because some file is missing. I'm not sure what all was restored or what wasn't, but I do have my internet back.

Here's your log:

ComboFix 11-05-17.01 - ~Sarah~ 05/19/2011 20:09:03.2.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.391 [GMT -5:00]
Running from: c:\users\~Sarah~\Downloads\ComboFix.exe
Command switches used :: c:\users\~Sarah~\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
file zipped: c:\qoobox\Quarantine\C\ProgramData\Microsoft\Windows\Start Menu\Programs\Acer Crystal Eye Webcam Video Class Camera\Uninstall.lnk.vir
.
.
((((((((((((((((((((((((( Files Created from 2011-04-20 to 2011-05-20 )))))))))))))))))))))))))))))))
.
.
2011-05-20 01:18 . 2011-05-20 01:18 -------- d-----w- c:\users\~Sarah~\AppData\Local\temp
2011-05-20 01:18 . 2011-05-20 01:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-19 16:44 . 2011-05-19 16:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-19 14:50 . 2011-05-19 14:50 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DC1AC5DA-40C5-40C5-89D6-F79560E392C3}\MpKsl175aaaf3.sys
2011-05-19 02:33 . 2011-04-18 14:15 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DC1AC5DA-40C5-40C5-89D6-F79560E392C3}\mpengine.dll
2011-05-17 23:43 . 2011-05-17 23:43 -------- d-----w- c:\users\~Sarah~\AppData\Roaming\Malwarebytes
2011-05-17 23:43 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-17 23:43 . 2011-05-17 23:43 -------- d-----w- c:\programdata\Malwarebytes
2011-05-17 23:43 . 2011-05-17 23:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-17 23:43 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-17 23:40 . 2011-05-17 23:40 388096 ----a-r- c:\users\~Sarah~\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-17 23:40 . 2011-05-17 23:40 -------- d-----w- c:\program files\Trend Micro
2011-05-11 14:34 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-02 01:55 . 2011-05-02 01:55 -------- d-----w- c:\users\~Sarah~\Catalog
2011-05-02 01:54 . 2011-05-02 01:54 -------- d-----w- c:\users\~Sarah~\Report Files
2011-05-01 15:59 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CF0C1F65-7EC5-448E-BCC8-24A8B4A57E60}\mpengine.dll
2011-04-27 18:28 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 18:28 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 18:24 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-26 19:35 . 2011-04-18 14:15 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-26 05:07 . 2010-11-30 16:43 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{62A113C4-7C5A-42FC-9CD1-E516CED7A97B}\gapaengine.dll
2011-04-26 04:30 . 2011-04-26 04:31 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-26 04:29 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-04-25 20:22 . 2011-04-25 20:22 -------- d-----w- c:\users\~Sarah~\AppData\Local\Apps
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 10:07 . 2010-05-20 11:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-10 17:03 . 2011-04-14 14:35 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03 . 2011-04-14 14:35 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42 . 2011-04-14 14:34 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40 . 2011-04-27 18:28 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-04-27 18:28 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-04-27 18:28 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-04-27 18:28 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25 . 2011-04-14 14:34 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44 . 2011-04-14 14:35 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13 . 2011-03-23 13:30 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-23 13:30 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-23 13:30 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-22 13:24 . 2011-04-14 14:35 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-22 13:24 . 2011-04-14 14:35 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-22 13:23 . 2011-04-14 14:35 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-22 13:23 . 2011-04-14 14:35 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-29 18:22 . 2011-04-15 01:07 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Monitor.lnk - c:\program files\ArcSoft\Media Card Companion\MCC Monitor.exe [2009-5-29 110592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^$McRebootA5E6DEAA56$.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
backup=c:\windows\pss\$McRebootA5E6DEAA56$.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^~Sarah~^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\~Sarah~\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-11-19 22:17 1261568 ----a-w- c:\program files\Acer\Acer Assist\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2007-11-26 18:21 3387392 ----a-w- c:\program files\Acer\Acer Registration\ACE1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 08:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-07-21 10:18 159744 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-03-05 13:15 525360 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-01-04 17:30 768520 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 23:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2008-01-25 20:25 155648 ------w- c:\program files\Acer\Acer Arcade\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]
2007-07-05 19:35 94208 ----a-w- c:\windows\PLFSetL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-03-11 09:53 5296128 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-11-20 10:15 1826816 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2008-09-16 18:16 1833296 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-01-07 18:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:33 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2007-05-31 22:21 648072 ----a-w- c:\windows\WindowsMobile\wmdcBase.exe
.
R1 MpKsl041aa044;MpKsl041aa044;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A9820885-81E8-4039-8F7F-C9DCA4B6D844}\MpKsl041aa044.sys [x]
R1 MpKsl09106137;MpKsl09106137;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{05C713DB-ABBC-40B6-8A67-F201B05F6ACE}\MpKsl09106137.sys [x]
R1 MpKsl2b01d0f8;MpKsl2b01d0f8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{458EE6ED-B353-4C18-8897-A3884F90038B}\MpKsl2b01d0f8.sys [x]
R1 MpKsl457b8281;MpKsl457b8281;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{309AB6FE-B04B-4045-82AF-023B75A9AE53}\MpKsl457b8281.sys [x]
R1 MpKsl7cd42399;MpKsl7cd42399;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D1C27200-1B8F-426F-AB92-CF6516FC4F4C}\MpKsl7cd42399.sys [x]
R1 MpKsl997aaa4e;MpKsl997aaa4e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{489F1BA2-7200-48EF-A4BB-50C908F132D7}\MpKsl997aaa4e.sys [x]
R1 MpKslc0cc9b24;MpKslc0cc9b24;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{441C1772-E0C8-4F2C-A6BB-148DB11B9887}\MpKslc0cc9b24.sys [x]
R1 MpKslc4e5604a;MpKslc4e5604a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{458EE6ED-B353-4C18-8897-A3884F90038B}\MpKslc4e5604a.sys [x]
R1 MpKsle1b89aed;MpKsle1b89aed;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{458EE6ED-B353-4C18-8897-A3884F90038B}\MpKsle1b89aed.sys [x]
R1 MpKsle64cbe3e;MpKsle64cbe3e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D1C27200-1B8F-426F-AB92-CF6516FC4F4C}\MpKsle64cbe3e.sys [x]
R1 MpKslfafa9b52;MpKslfafa9b52;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{489F1BA2-7200-48EF-A4BB-50C908F132D7}\MpKslfafa9b52.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 MpKsl175aaaf3;MpKsl175aaaf3;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DC1AC5DA-40C5-40C5-89D6-F79560E392C3}\MpKsl175aaaf3.sys [2011-05-19 28752]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 21504]
S2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-09-19 51200]
S2 dlbc_device;dlbc_device;c:\windows\system32\dlbccoms.exe [2007-03-01 538096]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-07-22 180736]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*NewlyCreated* - KLMD25
*Deregistered* - aswMBR
*Deregistered* - klmd25
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2010-12-15 c:\windows\Tasks\User_Feed_Synchronization-{C154EDE5-1B45-4909-973B-1537C178A3FE}.job
- c:\windows\system32\msfeedssync.exe [2011-04-26 01:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aol.com/
mStart Page = hxxp://en.us.acer.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: dinerdash.com
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: playfirst.com
Trusted Zone: wgci.com
Trusted Zone: windowsupdate.com\download
FF - ProfilePath - c:\users\~Sarah~\AppData\Roaming\Mozilla\Firefox\Profiles\qupm5d11.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-19 20:18
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
[0] 0x4EDAD8EF
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4864)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
Completion time: 2011-05-19 20:21:49
ComboFix-quarantined-files.txt 2011-05-20 01:21
ComboFix2.txt 2011-05-18 21:26
.
Pre-Run: 36,937,961,472 bytes free
Post-Run: 36,935,938,048 bytes free
.
- - End Of File - - 006079F36DBD65155186207CC19D3AEB
Upload was successful

#13 duckfeet (Forum Deity, Retired Staff, 1,451 posts)

Posted 19 May 2011 - 08:23 PM

not sure what happened- I did what you told me and after it was done, I couldn't access any software on my laptop along with some files. I kept getting the message "Illegal operation attempted on a registry key that has been marked for deletion". I couldn't even access my internet. I didn't know what to do. I eventually restarted my laptop, pressed F8, and went in the Repair options. I attempted to restore my system from there (because I couldn't even access that option in Window's regular session) and it said it couldn't fully restore everything because some file is missing. I'm not sure what all was restored or what wasn't, but I do have my internet back.

That's strange: sometimes you do have to reboot, and perhaps that is what happened. But I will run this by an Expert who has helped me, and see what might have happened. I'll get back to you. Meanwhile, try rebooting, and see how your computer is running now, and meanwhile I'll check on this...thank you, and I'm sorry this happened.

EDIT: Yes, I should have told you that this could happen, and that a reboot would have fixed it...it happens sometimes on Vista or Windows 7. But your logs do look good, I would like you to run an ESET scan for remnants:

Please run the following scan:
ESET OnlineScan

-->> Click the Posted Image button.
-->> For alternate browsers only: (Microsoft Internet Explorer users can skip these 2 steps)
  • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Click Advanced Settings
  • Under "Current scan targets" click change.
  • Make sure all drives are checked, then click OK
  • Make sure that the option Remove found threats is not checked, and the option Scan unwanted applications is checked
  • Accept any security warnings from your browser.
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

In your next reply, please include the ESET report if any malware was found, and let me know what problems remain.

Edited by duckfeet, 19 May 2011 - 10:33 PM.

My help is free. However, Donations in support of this website are always appreciated!

#14 CSlim08 (Member, Full Member, 11 posts)

Posted 20 May 2011 - 02:28 PM

A simple reboot didn't fix it, I told you I had to do a system restore from the repair options during the boot. And as stated, I don't even know if everything got restored or what got restored because it didn't complete.

Here's the log you requested:

C:\ProgramData\SARAH-PC\snhost.exe Win32/Spy.VB.NHJ trojan
C:\ProgramData\SARAH-PC\taskenv.exe Win32/Spy.VB.NKP trojan
C:\ProgramData\SARAH-PC\taskenv.old Win32/Spy.VB.NKP trojan
C:\Users\All Users\SARAH-PC\snhost.exe Win32/Spy.VB.NHJ trojan
C:\Users\All Users\SARAH-PC\taskenv.exe Win32/Spy.VB.NKP trojan
C:\Users\All Users\SARAH-PC\taskenv.old Win32/Spy.VB.NKP trojan
C:\Users\~Sarah~\Desktop\sarah_dell.exe Win32/Spy.VB.NKP trojan
C:\Users\~Sarah~\Downloads\sarah_dell(1).exe Win32/Spy.VB.NKP trojan
C:\Users\~Sarah~\Downloads\sarah_dell.exe Win32/Spy.VB.NKP trojan
Operating memory Win32/Spy.VB.NKP trojan



Also, of all the programs you had me download/install, are there any that I should keep? Also, the logs- should I keep all of those or can I delete them?

#15 duckfeet (Forum Deity, Retired Staff, 1,451 posts)

Posted 20 May 2011 - 07:43 PM

A simple reboot didn't fix it, I told you I had to do a system restore from the repair options during the boot. And as stated, I don't even know if everything got restored or what got restored because it didn't complete.
<snip>
Also, of all the programs you had me download/install, are there any that I should keep? Also, the logs- should I keep all of those or can I delete them?

I understand what you are saying now. Usually, a simple reboot will fix the problem you were having, and if System Restore didn't complete, it goes back to where it was, which is why I thought it might have just rebooted anyway. Hard to say, but you were there, and you got it working again. Also, when we are finished, you can delete all the logs and programs we downloaded. I'll have you run a cleanup tool which does it automatically.

  • Make sure that combofix.exe is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

killall::
File::
C:\ProgramData\SARAH-PC\snhost.exe
C:\ProgramData\SARAH-PC\taskenv.exe
C:\ProgramData\SARAH-PC\taskenv.old
C:\Users\All Users\SARAH-PC\snhost.exe
C:\Users\All Users\SARAH-PC\taskenv.exe
C:\Users\All Users\SARAH-PC\taskenv.old
C:\Users\~Sarah~\Desktop\sarah_dell.exe
C:\Users\~Sarah~\Downloads\sarah_dell(1).exe
C:\Users\~Sarah~\Downloads\sarah_dell.exe


Save this as CFScript.txt, as Type: All Files (*.*) in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply. Let me know how your computer is running now.

Edited by duckfeet, 20 May 2011 - 07:44 PM.

My help is free. However, Donations in support of this website are always appreciated!
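The ESET detections in #14 were copied by hand into the CFScript in #15, and the ComboFix log that follows in #16 is what confirms the deletions. As an added example (not a tool from this forum, from ESET or from ComboFix), the following Python does the same mechanically: it parses ESET report lines into a `File::` block and then checks a ComboFix log's "Other Deletions" section for every path it asked for. The sample report and log excerpt are constructed from the paths in this thread, with one file deliberately left out of the log so the check has something to report.

```python
"""Turn an ESET Online Scanner report into a ComboFix CFScript, then verify it.

Added example, not the forum's own procedure.  ESET report lines have the
shape "<path>  <threat name>", where the path may contain spaces and the
threat name is the last two whitespace-separated tokens (e.g.
"Win32/Spy.VB.NKP trojan").  Entries that are not on-disk files
("Operating memory") cannot go into a File:: block and are kept separately.
"""
import re

# Anchor on a drive letter; the lazy path group stops at the first point where
# exactly two tokens remain, which is the threat name.
_ESET_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<threat>\S+\s+\S+)$")

# ComboFix writes deleted paths in lower case; match them case-insensitively.
_DRIVE_PATH = re.compile(r"^[a-z]:\\", re.I)

# Constructed sample: a subset of the ESET report posted in this thread.
ESET_REPORT = r"""
C:\ProgramData\SARAH-PC\snhost.exe Win32/Spy.VB.NHJ trojan
C:\ProgramData\SARAH-PC\taskenv.exe Win32/Spy.VB.NKP trojan
C:\ProgramData\SARAH-PC\taskenv.old Win32/Spy.VB.NKP trojan
C:\Users\~Sarah~\Desktop\sarah_dell.exe Win32/Spy.VB.NKP trojan
Operating memory Win32/Spy.VB.NKP trojan
"""

# Constructed sample: a ComboFix "Other Deletions" section in the thread's
# format, with taskenv.old intentionally missing so the check flags it.
COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\SARAH-PC
c:\programdata\SARAH-PC\livekeylog.lkl
c:\programdata\SARAH-PC\snhost.exe
c:\programdata\SARAH-PC\taskenv.exe
c:\users\~Sarah~\Desktop\sarah_dell.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-04-21 to 2011-05-21 )))))))))))))))))))))))))))))))
"""


def parse_eset_report(text):
    """Return (file_detections, other_detections).

    file_detections: list of (path, threat) for on-disk files
    other_detections: raw lines ESET flagged that are not files
    """
    files, others = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ESET_LINE.match(line)
        if m:
            files.append((m.group("path"), m.group("threat")))
        else:
            others.append(line)
    return files, others


def build_cfscript(file_detections):
    """Render a CFScript in the shape used in this thread: killall:: then File::."""
    lines = ["killall::", "File::"]
    seen = set()
    for path, _threat in file_detections:
        key = path.lower()            # Windows paths are case-insensitive
        if key not in seen:
            seen.add(key)
            lines.append(path)
    return "\n".join(lines) + "\n"


def confirm_deletions(cfscript, combofix_log):
    """Return the File:: paths that ComboFix did NOT list under Other Deletions."""
    requested, in_file = [], False
    for line in cfscript.splitlines():
        s = line.strip()
        if s.lower() == "file::":
            in_file = True
        elif s.endswith("::"):        # any other directive ends the File:: block
            in_file = False
        elif in_file and s:
            requested.append(s)

    deleted, in_del = set(), False
    for line in combofix_log.splitlines():
        s = line.strip()
        if "Other Deletions" in s:
            in_del = True
        elif in_del and s.startswith("((((("):
            break                     # next ComboFix section header
        elif in_del and _DRIVE_PATH.match(s):
            deleted.add(s.lower())
    return [p for p in requested if p.lower() not in deleted]


if __name__ == "__main__":
    files, others = parse_eset_report(ESET_REPORT)
    script = build_cfscript(files)
    print(script)
    print("not a file, handle separately:", others)
    print("still present after ComboFix:", confirm_deletions(script, COMBOFIX_LOG))
```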

#16 CSlim08 (Member, Full Member, 11 posts)

Posted 21 May 2011 - 12:31 AM

ComboFix 11-05-17.01 - ~Sarah~ 05/20/2011 23:20:12.3.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.445 [GMT -5:00]
Running from: c:\users\~Sarah~\Desktop\ComboFix.exe
Command switches used :: c:\users\~Sarah~\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\programdata\SARAH-PC\snhost.exe"
"c:\programdata\SARAH-PC\taskenv.exe"
"c:\programdata\SARAH-PC\taskenv.old"
"c:\users\~Sarah~\Desktop\sarah_dell.exe"
"c:\users\~Sarah~\Downloads\sarah_dell(1).exe"
"c:\users\~Sarah~\Downloads\sarah_dell.exe"
"c:\users\All Users\SARAH-PC\snhost.exe"
"c:\users\All Users\SARAH-PC\taskenv.exe"
"c:\users\All Users\SARAH-PC\taskenv.old"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\SARAH-PC
c:\programdata\SARAH-PC\drv05202011231112.inf
c:\programdata\SARAH-PC\drv05202011231212.inf
c:\programdata\SARAH-PC\drv05202011231313.inf
c:\programdata\SARAH-PC\drv05202011231414.inf
c:\programdata\SARAH-PC\drv05202011231515.inf
c:\programdata\SARAH-PC\live.jpg
c:\programdata\SARAH-PC\livekeylog.lkl
c:\programdata\SARAH-PC\snhost.exe
c:\programdata\SARAH-PC\syslog.txt
c:\programdata\SARAH-PC\system.zip
c:\programdata\SARAH-PC\taskenv.exe
c:\programdata\SARAH-PC\taskenv.old
c:\programdata\SARAH-PC\win05202011231100629.sys
c:\users\~Sarah~\Desktop\sarah_dell.exe
c:\users\~Sarah~\Downloads\sarah_dell(1).exe
c:\users\~Sarah~\Downloads\sarah_dell.exe
c:\users\All Users\SARAH-PC\snhost.exe
c:\users\All Users\SARAH-PC\taskenv.exe
c:\users\All Users\SARAH-PC\taskenv.old
.
.
((((((((((((((((((((((((( Files Created from 2011-04-21 to 2011-05-21 )))))))))))))))))))))))))))))))
.
.
2011-05-21 04:30 . 2011-05-21 04:49 -------- d-----w- c:\users\~Sarah~\AppData\Local\temp
2011-05-21 04:30 . 2011-05-21 04:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-20 17:43 . 2011-05-20 17:43 -------- d-----w- c:\program files\ESET
2011-05-19 16:44 . 2011-05-19 16:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-19 02:33 . 2011-04-18 14:15 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DC1AC5DA-40C5-40C5-89D6-F79560E392C3}\mpengine.dll
2011-05-17 23:43 . 2011-05-17 23:43 -------- d-----w- c:\users\~Sarah~\AppData\Roaming\Malwarebytes
2011-05-17 23:43 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-17 23:43 . 2011-05-17 23:43 -------- d-----w- c:\programdata\Malwarebytes
2011-05-17 23:43 . 2011-05-17 23:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-17 23:43 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-17 23:40 . 2011-05-17 23:40 388096 ----a-r- c:\users\~Sarah~\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-17 23:40 . 2011-05-17 23:40 -------- d-----w- c:\program files\Trend Micro
2011-05-11 14:34 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-02 01:55 . 2011-05-02 01:55 -------- d-----w- c:\users\~Sarah~\Catalog
2011-05-02 01:54 . 2011-05-02 01:54 -------- d-----w- c:\users\~Sarah~\Report Files
2011-05-01 15:59 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CF0C1F65-7EC5-448E-BCC8-24A8B4A57E60}\mpengine.dll
2011-04-27 18:28 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 18:28 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 18:24 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-26 19:35 . 2011-04-18 14:15 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-26 05:07 . 2010-11-30 16:43 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{62A113C4-7C5A-42FC-9CD1-E516CED7A97B}\gapaengine.dll
2011-04-26 04:30 . 2011-04-26 04:31 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-26 04:29 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-04-25 20:22 . 2011-04-25 20:22 -------- d-----w- c:\users\~Sarah~\AppData\Local\Apps
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 10:07 . 2010-05-20 11:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-10 17:03 . 2011-04-14 14:35 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03 . 2011-04-14 14:35 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42 . 2011-04-14 14:34 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40 . 2011-04-27 18:28 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-04-27 18:28 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-04-27 18:28 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-04-27 18:28 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25 . 2011-04-14 14:34 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44 . 2011-04-14 14:35 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13 . 2011-03-23 13:30 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-23 13:30 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-23 13:30 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-22 13:24 . 2011-04-14 14:35 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-22 13:24 . 2011-04-14 14:35 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-22 13:23 . 2011-04-14 14:35 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-22 13:23 . 2011-04-14 14:35 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-29 18:22 . 2011-04-15 01:07 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Monitor.lnk - c:\program files\ArcSoft\Media Card Companion\MCC Monitor.exe [2009-5-29 110592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^$McRebootA5E6DEAA56$.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
backup=c:\windows\pss\$McRebootA5E6DEAA56$.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^~Sarah~^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\~Sarah~\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-11-19 22:17 1261568 ----a-w- c:\program files\Acer\Acer Assist\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2007-11-26 18:21 3387392 ----a-w- c:\program files\Acer\Acer Registration\ACE1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 08:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-07-21 10:18 159744 ----a-w- c:\program files\Apoint2K\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-03-05 13:15 525360 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-01-04 17:30 768520 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 23:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2008-01-25 20:25 155648 ------w- c:\program files\Acer\Acer Arcade\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]
2007-07-05 19:35 94208 ----a-w- c:\windows\PLFSetL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-03-11 09:53 5296128 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-11-20 10:15 1826816 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2008-09-16 18:16 1833296 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-01-07 18:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:33 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2007-05-31 22:21 648072 ----a-w- c:\windows\WindowsMobile\wmdcBase.exe
.
R1 MpKsl041aa044;MpKsl041aa044;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A9820885-81E8-4039-8F7F-C9DCA4B6D844}\MpKsl041aa044.sys [x]
R1 MpKsl09106137;MpKsl09106137;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{05C713DB-ABBC-40B6-8A67-F201B05F6ACE}\MpKsl09106137.sys [x]
R1 MpKsl2b01d0f8;MpKsl2b01d0f8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{458EE6ED-B353-4C18-8897-A3884F90038B}\MpKsl2b01d0f8.sys [x]
R1 MpKsl457b8281;MpKsl457b8281;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{309AB6FE-B04B-4045-82AF-023B75A9AE53}\MpKsl457b8281.sys [x]
R1 MpKsl7cd42399;MpKsl7cd42399;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D1C27200-1B8F-426F-AB92-CF6516FC4F4C}\MpKsl7cd42399.sys [x]
R1 MpKsl997aaa4e;MpKsl997aaa4e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{489F1BA2-7200-48EF-A4BB-50C908F132D7}\MpKsl997aaa4e.sys [x]
R1 MpKslc0cc9b24;MpKslc0cc9b24;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{441C1772-E0C8-4F2C-A6BB-148DB11B9887}\MpKslc0cc9b24.sys [x]
R1 MpKslc4e5604a;MpKslc4e5604a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{458EE6ED-B353-4C18-8897-A3884F90038B}\MpKslc4e5604a.sys [x]
R1 MpKsle1b89aed;MpKsle1b89aed;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{458EE6ED-B353-4C18-8897-A3884F90038B}\MpKsle1b89aed.sys [x]
R1 MpKsle64cbe3e;MpKsle64cbe3e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D1C27200-1B8F-426F-AB92-CF6516FC4F4C}\MpKsle64cbe3e.sys [x]
R1 MpKslfafa9b52;MpKslfafa9b52;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{489F1BA2-7200-48EF-A4BB-50C908F132D7}\MpKslfafa9b52.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 CFcatchme;CFcatchme;c:\users\~Sarah~\AppData\Local\Temp\CFcatchme.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 21504]
S2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-09-19 51200]
S2 dlbc_device;dlbc_device;c:\windows\system32\dlbccoms.exe [2007-03-01 538096]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-07-22 180736]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2010-12-15 c:\windows\Tasks\User_Feed_Synchronization-{C154EDE5-1B45-4909-973B-1537C178A3FE}.job
- c:\windows\system32\msfeedssync.exe [2011-04-26 01:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aol.com/
mStart Page = hxxp://en.us.acer.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: dinerdash.com
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: playfirst.com
Trusted Zone: wgci.com
Trusted Zone: windowsupdate.com\download
FF - ProfilePath - c:\users\~Sarah~\AppData\Roaming\Mozilla\Firefox\Profiles\qupm5d11.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-20 23:49
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2176)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\program files\WinSCP\DragExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\System32\LEXBCES.EXE
c:\windows\System32\LEXPPS.EXE
c:\windows\system32\agrsmsvc.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
c:\program files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
c:\acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2011-05-20 23:54:08 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-21 04:53
ComboFix2.txt 2011-05-20 01:22
ComboFix3.txt 2011-05-18 21:26
.
Pre-Run: 31,829,270,528 bytes free
Post-Run: 31,700,094,976 bytes free
.
- - End Of File - - 07823C8BBC86649E173E82C18EBF70FE

Thanks.

#17 duckfeet (Forum Deity, Retired Staff, 1,451 posts)

Posted 21 May 2011 - 09:36 AM

Your logs look clean now, after all that :) Two things in the following are of special import: you had serious malware, that can steal passwords, and in the following suggestions I strongly suggest changing passwords at this point. Also, please--if you haven't already--take note of the router information and make sure to install a unique router password. The following will implement some cleanup procedures as well as reset System Restore points:

  • Please press the Windows Key and R on your keyboard. This will bring up the Run command. (If you don't see the Run command, go to Start, then type Run in the search box; it will bring up 'Run' under Programs. Click on 'Run' to bring up the 'Runbox'.)
  • Now copy/paste Combofix /Uninstall into the runbox and click OK. (Note the space between the ..x and the /U, it needs to be there.)

-----

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

------

Please enable Automatic Updates under Start > All Programs > Windows Update. See: Windows Update Vista
It's important always to keep current with the latest security fixes from Microsoft. This can patch many of the security holes through which attackers can infect your computer and will include the very important Critical Updates.

-------

Make sure to re-enable your security programs. You already have Microsoft Security Essentials antivirus running: MSE includes protection against viruses, spyware and other forms of malicious software. You always want to have one--but only one!--antivirus and antispyware program running in real-time mode. Most reputable antivirus programs now also have some form of antispyware protection, so it is important to ensure no other antivirus/antispyware programs are running real-time protection at the same time as this can cause conflicts, false positives, and lessen the effectiveness of each.

The free edition of MBAM is also a passive protector and can be used to regularly scan the computer.

----

Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please download and run the Update Checker regularly. Save the 'StandAlone' version to your Desktop.

----

Please, consider maintaining a firewall with HIPS (Host Intrusion Prevention Systems). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior and it's very important, too.

These firewalls are good and do have free versions available. A tutorial on understanding and using firewalls may be found here.

----

To prevent the automatic running of programs when you insert a USB/flash drive, I suggest downloading and installing Panda USB Vaccine or Flash Disinfector by sUBs. Please see USB Flash Drive Safety for information and downloads.

----

Malware steals passwords! If you haven't changed all your passwords yet, I strongly recommend you do it now. Please create strong passwords and use a different one for every site. You can store all passwords in KeePass.

----

Routers get infected too. To prevent this see:
How to Secure a Wireless Router
Every router is different, so to get more details and tutorials for your own router, just use google to find the info.
For example, if you have a linksys router, google: How to secure a linksys router.

----

Be very careful of 'rogue' and 'scareware' programs. These are fake security programs that mimic legitimate ones. Whether it is a popup saying you have malware, or a real infection that has a bogus 'antivirus' or 'security' name attached, these are simply attempts by online criminals to get your money. There are endless variations on these schemes. Don't click *anywhere* on security popups that you did not install yourself. If you are unsure--or have been infected--close your browser, and seek help in a security forum you trust.
See: Fake infection warnings

--------

For much more useful information see:
Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)
My help is free. However, Donations in support of this website are always appreciated!

#18 CSlim08

CSlim08

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 23 May 2011 - 10:16 AM

Thanks so much, and of the programs we used, are there any I can keep and run at my own discretion? I will want these to stay.

Edited by CSlim08, 23 May 2011 - 10:18 AM.


#19 duckfeet

duckfeet

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 1,451 posts

Posted 23 May 2011 - 03:44 PM

Thanks so much, and of the programs we used, are there any I can keep and run at my own discretion? I will want these to stay.


You're welcome! :) -- Most of the tools will conflict with security programs you have running, which is why we remove them when no longer needed, or some can even cause a system to become inoperable. On my computer, I myself only have Microsoft Security Essentials and a good firewall, and I keep Malwarebytes, and run it--with updates--if I have problems. That's it. The other tools can cause havoc, if used inappropriately. So I'd go ahead and remove the others. If you are interested in learning how to use these tools, however, you are more than welcome to join our Boot Camp here at SWI, which is where I took my training.

Edited by duckfeet, 23 May 2011 - 03:44 PM.


#20 CSlim08

CSlim08

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 23 May 2011 - 04:49 PM

I particularly like the online scan we did. Can I use that whenever I want? It worked really good.

#21 duckfeet

duckfeet

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 1,451 posts

Posted 23 May 2011 - 06:09 PM

I particularly like the online scan we did. Can I use that whenever I want? It worked really good.


Yes: that ESET scan is handy, and it's o.k.




#22 duckfeet

duckfeet

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 1,451 posts

Posted 26 May 2011 - 11:12 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.



