TechSpot

Attempt to remove Vista Gaurd virus may have caused bigger issue

By dmo
Nov 23, 2010
  1. Earlier this year, my computer got infected with Vista Guard. I downloaded the free malwarebytes to remove it and that appeared to work, but it re-appeared this past Monday. This time around, it wasn't as bad since I could actually open my programs around it, but I still wanted to remove it. For some reason, Malwarebytes wouldn't open, so I went to MajorGeeks and downloaded a-squared, their top anti-virus freeware. Apparently there has been some kind of change in business with that company because it changed into a different program mid-download, but I looked it over and it all seemed legit. I let it go and finished the download.

    The a-squared did remove three files, one of which I assume was the Vista Gaurd because it hasn't shown up since, but now I have a bigger issue.
    Ever since the download, many of my programs do not open. Instead I am asked to pick another program to open the file for the program I want. And with every attempt to open a program, I am also asked to pick an additional program to open another file, that I don't even recognize. This additional file is any of these 3: MSASCui.exe, ssvagent.exe, and rstui.exe.
    ssvagent is by far the file that pops-up the most often.

    Because of this, I cannot open many of my media programs and the ACER empowering technology no longer loads on start-up. (Oh, I have an ACER Extensa 5420)

    There is one other little set-back to the problem. I do not have access to everything on this computer, nor do I have all the paperwork. It was donated to me through a third-party, and the man who gave it to me got it me did not give me all of the information. I only know that it was set-up through geek squad. He even has programs on here that are password protected, and he didn't give me the password, so I have been kept from different areas of the computer based on that.

    Ideally, I can fix whatever is going on with my computer without paying anything. I plan on buying a new one in Feb or March and I don't want to put any money into something that I won't use for much longer. I don't have the money anyways.

    Oh, and I can't give my specs either. This 'pick-a-program' issue wont let me use download from online, and all of my Windows related activities keep giving me an 'application not found' box.

    Please, if anyone can help me I would really appreciate it.
     
  2. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ========================================================================

    Download and run exeHelper.


    • * Please download exeHelper from Raktor to your desktop.
      * Double-click on exeHelper.com to run the fix.
      * A black window should pop up, press any key to close once the fix is completed.
      * A log file named log.txt will be created in the directory where you ran exeHelper.com
      * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    See, if after using the above program you're able to open applications, which didn't want to open before.
     
  3. dmo

    dmo TS Rookie Topic Starter

    Thank you!

    That seems to have worked. All of my programs are opening again and even my start-up programs are working. My computer is still going slow though.

    Here is the log from the exeHelper:

    exeHelper by Raktor
    Build 20100414
    Run at 09:21:22 on 11/24/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
     
  4. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Good news :)

    We need to run more checks...

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
    Attached logs won't be reviewed.
     
  5. dmo

    dmo TS Rookie Topic Starter

    Avira AntiVir Personal
    Report file date: Thursday, November 25, 2010 10:02

    Scanning for 3091541 virus strains and unwanted programs.

    The program is running as an unrestricted full version.
    Online services are available:

    Licensee : Avira AntiVir Personal - FREE Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows Vista
    Windows version : (plain) [6.0.6000]
    Boot mode : Normally booted
    Username : My Shadow
    Computer name : MYSHADOW-PC

    Version information:
    BUILD.DAT : 10.0.0.592 31823 Bytes 8/9/2010 11:00:00
    AVSCAN.EXE : 10.0.3.1 434344 Bytes 8/3/2010 00:09:56
    AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 21:57:04
    LUKE.DLL : 10.0.2.3 104296 Bytes 8/3/2010 00:10:00
    LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 08:40:49
    VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 18:05:36
    VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 04:27:49
    VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 02:37:42
    VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 01:37:42
    VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 20:29:03
    VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 00:10:03
    VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 00:10:04
    VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 00:10:06
    VBASE008.VDF : 7.10.11.133 3454464 Bytes 9/13/2010 17:59:23
    VBASE009.VDF : 7.10.13.80 2265600 Bytes 11/2/2010 17:59:27
    VBASE010.VDF : 7.10.13.81 2048 Bytes 11/2/2010 17:59:28
    VBASE011.VDF : 7.10.13.82 2048 Bytes 11/2/2010 17:59:28
    VBASE012.VDF : 7.10.13.83 2048 Bytes 11/2/2010 17:59:28
    VBASE013.VDF : 7.10.13.116 147968 Bytes 11/4/2010 17:59:29
    VBASE014.VDF : 7.10.13.147 146944 Bytes 11/7/2010 17:59:31
    VBASE015.VDF : 7.10.13.180 123904 Bytes 11/9/2010 17:59:32
    VBASE016.VDF : 7.10.13.211 122368 Bytes 11/11/2010 17:59:32
    VBASE017.VDF : 7.10.13.243 147456 Bytes 11/15/2010 17:59:33
    VBASE018.VDF : 7.10.14.15 142848 Bytes 11/17/2010 17:59:35
    VBASE019.VDF : 7.10.14.41 134144 Bytes 11/19/2010 17:59:35
    VBASE020.VDF : 7.10.14.63 128000 Bytes 11/22/2010 17:59:36
    VBASE021.VDF : 7.10.14.87 143872 Bytes 11/24/2010 17:59:37
    VBASE022.VDF : 7.10.14.88 2048 Bytes 11/24/2010 17:59:37
    VBASE023.VDF : 7.10.14.89 2048 Bytes 11/24/2010 17:59:37
    VBASE024.VDF : 7.10.14.90 2048 Bytes 11/24/2010 17:59:37
    VBASE025.VDF : 7.10.14.91 2048 Bytes 11/24/2010 17:59:38
    VBASE026.VDF : 7.10.14.92 2048 Bytes 11/24/2010 17:59:38
    VBASE027.VDF : 7.10.14.93 2048 Bytes 11/24/2010 17:59:38
    VBASE028.VDF : 7.10.14.94 2048 Bytes 11/24/2010 17:59:39
    VBASE029.VDF : 7.10.14.95 2048 Bytes 11/24/2010 17:59:39
    VBASE030.VDF : 7.10.14.96 2048 Bytes 11/24/2010 17:59:39
    VBASE031.VDF : 7.10.14.104 55808 Bytes 11/25/2010 17:59:40
    Engineversion : 8.2.4.112
    AEVDF.DLL : 8.1.2.1 106868 Bytes 8/3/2010 00:09:54
    AESCRIPT.DLL : 8.1.3.47 1294716 Bytes 11/25/2010 17:59:57
    AESCN.DLL : 8.1.7.2 127349 Bytes 11/25/2010 17:59:55
    AESBX.DLL : 8.1.3.2 254324 Bytes 11/25/2010 17:59:59
    AERDL.DLL : 8.1.9.2 635252 Bytes 11/25/2010 17:59:55
    AEPACK.DLL : 8.2.3.11 471416 Bytes 11/25/2010 17:59:53
    AEOFFICE.DLL : 8.1.1.10 201084 Bytes 11/25/2010 17:59:52
    AEHEUR.DLL : 8.1.2.44 3076471 Bytes 11/25/2010 17:59:51
    AEHELP.DLL : 8.1.14.0 246134 Bytes 11/25/2010 17:59:45
    AEGEN.DLL : 8.1.4.2 401781 Bytes 11/25/2010 17:59:44
    AEEMU.DLL : 8.1.3.0 393589 Bytes 11/25/2010 17:59:43
    AECORE.DLL : 8.1.18.1 196984 Bytes 11/25/2010 17:59:42
    AEBB.DLL : 8.1.1.0 53618 Bytes 8/3/2010 00:09:48
    AVWINLL.DLL : 10.0.0.0 19304 Bytes 8/3/2010 00:09:56
    AVPREF.DLL : 10.0.0.0 44904 Bytes 8/3/2010 00:09:55
    AVREP.DLL : 10.0.0.8 62209 Bytes 6/17/2010 23:27:13
    AVREG.DLL : 10.0.3.2 53096 Bytes 8/3/2010 00:09:55
    AVSCPLR.DLL : 10.0.3.1 83816 Bytes 8/3/2010 00:09:56
    AVARKT.DLL : 10.0.0.14 227176 Bytes 8/3/2010 00:09:54
    AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 8/3/2010 00:09:55
    SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 23:27:22
    AVSMTP.DLL : 10.0.0.17 63848 Bytes 8/3/2010 00:09:56
    NETNT.DLL : 10.0.0.0 11624 Bytes 6/17/2010 23:27:21
    RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 22:10:20
    RCTEXT.DLL : 10.0.58.0 97128 Bytes 8/3/2010 00:10:08

    Configuration settings for the scan:
    Jobname.............................: Short system scan after installation
    Configuration file..................: c:\program files\avira\antivir desktop\setupprf.dat
    Logging.............................: low
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Process scan........................: on
    Scan registry.......................: on
    Search for rootkits.................: off
    Integrity checking of system files..: off
    Scan all files......................: Intelligent file selection
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: medium

    Start of the scan: Thursday, November 25, 2010 10:02

    The scan of running processes will be started
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'chrome.exe' - '1' Module(s) have been scanned
    Scan process 'avcenter.exe' - '1' Module(s) have been scanned
    Scan process 'avconfig.exe' - '1' Module(s) have been scanned
    Scan process 'taskeng.exe' - '1' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'avshadow.exe' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'setup.exe' - '1' Module(s) have been scanned
    Scan process 'msiexec.exe' - '1' Module(s) have been scanned
    Scan process 'presetup.exe' - '1' Module(s) have been scanned
    Scan process 'avira_antivir_personal_en.exe' - '1' Module(s) have been scanned
    Scan process 'chrome.exe' - '1' Module(s) have been scanned
    Scan process 'chrome.exe' - '1' Module(s) have been scanned
    Scan process 'chrome.exe' - '1' Module(s) have been scanned
    Scan process 'chrome.exe' - '1' Module(s) have been scanned
    Scan process 'chrome.exe' - '1' Module(s) have been scanned
    Scan process 'TmProxy.exe' - '1' Module(s) have been scanned
    Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
    Scan process 'iPodService.exe' - '1' Module(s) have been scanned
    Scan process 'sidebar.exe' - '1' Module(s) have been scanned
    Scan process 'ERAGENT.EXE' - '1' Module(s) have been scanned
    Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
    Scan process 'ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE' - '1' Module(s) have been scanned
    Scan process 'soffice.bin' - '1' Module(s) have been scanned
    Scan process 'EPOWER_DMC.EXE' - '1' Module(s) have been scanned
    Scan process 'ENMTRAY.EXE' - '1' Module(s) have been scanned
    Scan process 'soffice.exe' - '1' Module(s) have been scanned
    Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
    Scan process 'ehtray.exe' - '1' Module(s) have been scanned
    Scan process 'sidebar.exe' - '1' Module(s) have been scanned
    Scan process 'SpySweeperUI.exe' - '1' Module(s) have been scanned
    Scan process 'mswinext.exe' - '1' Module(s) have been scanned
    Scan process 'AdobeARM.exe' - '1' Module(s) have been scanned
    Scan process 'jusched.exe' - '1' Module(s) have been scanned
    Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
    Scan process 'ZuneLauncher.exe' - '1' Module(s) have been scanned
    Scan process 'DefMgr.exe' - '1' Module(s) have been scanned
    Scan process 'LManager.exe' - '1' Module(s) have been scanned
    Scan process 'RtkBtMnt.exe' - '1' Module(s) have been scanned
    Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
    Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
    Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
    Scan process 'ePowerSvc.exe' - '1' Module(s) have been scanned
    Scan process 'TMBMSRV.exe' - '1' Module(s) have been scanned
    Scan process 'capuserv.exe' - '1' Module(s) have been scanned
    Scan process 'eRecoveryService.exe' - '1' Module(s) have been scanned
    Scan process 'xaudio.exe' - '1' Module(s) have been scanned
    Scan process 'SearchIndexer.exe' - '1' Module(s) have been scanned
    Scan process 'UfSeAgnt.exe' - '1' Module(s) have been scanned
    Scan process 'SpySweeper.exe' - '1' Module(s) have been scanned
    Scan process 'IObit SmartDefrag.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'taskeng.exe' - '1' Module(s) have been scanned
    Scan process 'eDSLoader.exe' - '1' Module(s) have been scanned
    Scan process 'SfCtlCom.exe' - '1' Module(s) have been scanned
    Scan process 'RtHDVCpl.exe' - '1' Module(s) have been scanned
    Scan process 'SeaPort.exe' - '1' Module(s) have been scanned
    Scan process 'MSASCui.exe' - '1' Module(s) have been scanned
    Scan process 'GoogleUpdate.exe' - '1' Module(s) have been scanned
    Scan process 'taskeng.exe' - '1' Module(s) have been scanned
    Scan process 'o2flash.exe' - '1' Module(s) have been scanned
    Scan process 'MobilityService.exe' - '1' Module(s) have been scanned
    Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
    Scan process 'eNet Service.exe' - '1' Module(s) have been scanned
    Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
    Scan process 'Dwm.exe' - '1' Module(s) have been scanned
    Scan process 'taskeng.exe' - '1' Module(s) have been scanned
    Scan process 'eLockServ.exe' - '1' Module(s) have been scanned
    Scan process 'eDSService.exe' - '1' Module(s) have been scanned
    Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
    Scan process 'ALUSchedulerSvc.exe' - '1' Module(s) have been scanned
    Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'Ati2evxx.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'SLsvc.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'Ati2evxx.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'lsm.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'wininit.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!

    Start scanning boot sectors:

    Starting to scan executable files (registry).
    The registry was scanned ( '1757' files ).



    End of the scan: Thursday, November 25, 2010 10:06
    Used time: 03:57 Minute(s)

    The scan has been done completely.

    0 Scanned directories
    2284 Files were scanned
    0 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 files were deleted
    0 Viruses and unwanted programs were repaired
    0 Files were moved to quarantine
    0 Files were renamed
    0 Files cannot be scanned
    2284 Files not concerned
    5 Archives were scanned
    0 Warnings
    0 Notes
     
  6. dmo

    dmo TS Rookie Topic Starter

    The Temporary File Cleaner is being recognized as a Trojan Program by the residual of Trend Micro Virus. (I can't renew it or remove it because it is one of the programs that was password protected when I got the computer)
     
  7. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Skip it for now.
     
  8. dmo

    dmo TS Rookie Topic Starter

    Malwarebytes' Anti-Malware 1.44
    Database version: 3772
    Windows 6.0.6000
    Internet Explorer 7.0.6000.17037

    11/27/2010 10:25:09 AM
    mbam-log-2010-11-27 (10-25-09).txt

    Scan type: Quick Scan
    Objects scanned: 123042
    Time elapsed: 20 minute(s), 36 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  9. dmo

    dmo TS Rookie Topic Starter

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-11-27 10:50:47
    Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS541616J9SA00 rev.SB4OC70P
    Running: 6tuvd5dv.exe; Driver: C:\Users\MYSHAD~1\AppData\Local\Temp\kwloqkow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs SSFS0BB9.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software Inc (www.webroot.com))
    AttachedDevice \FileSystem\fastfat \Fat SSFS0BB9.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software Inc (www.webroot.com))
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

    ---- EOF - GMER 1.0.15 ----
     
  10. dmo

    dmo TS Rookie Topic Starter

    edit due to repeat post
     
  11. dmo

    dmo TS Rookie Topic Starter

    DDS (Ver_10-11-27.01) - NTFSx86
    Run by My Shadow at 10:54:36.53 on Sat 11/27/2010
    Internet Explorer: 7.0.6000.17037
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1790.836 [GMT -8:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Trend Micro AntiVirus *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    SP: AntiVir Desktop *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    SP: Spy Sweeper *enabled* (Updated) {68A41C74-A1E9-48F8-B2E5-D8232211AB6D}
    SP: Norton Internet Security *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
    FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
    C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Acer\Empowering Technology\eNet\eNet Service.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Acer\Mobility Center\MobilityService.exe
    C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Users\MYSHAD~1\AppData\Local\Temp\RtkBtMnt.exe
    C:\Program Files\Launch Manager\LManager.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\MSN Toolbar\Platform\6.3.2348.0\mswinext.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
    C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
    C:\Windows\ehome\ehmsas.exe
    C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\My Shadow\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uSEARCH PAGE = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mStart Page = hxxp://en.us.acer.yahoo.com
    mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    BHO: MRI_DISABLED - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2348.0\npwinext.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
    TB: @c:\program files\msn toolbar\platform\6.3.2348.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2348.0\npwinext.dll
    TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    uRun: [Sidebar] "c:\program files\windows sidebar\sidebar.exe" /autoRun
    uRun: [StartCCC] "c:\program files\ati" technologies\ati.ace\core-static\CLIStart.exe
    uRun: [Acer Tour Reminder]
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [PMCLoader] "c:\program files\pinnacle\tvcenter pro\PMCLoader.exe"
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
    uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
    uRun: [EPSON Stylus Photo RX595 Series] "c:\windows\system32\spool\drivers\w32x86\3\e_faticla.exe" /fu "c:\windows\temp\E_S3F9F.tmp" /EF "HKCU"
    uRun: [WebEx Document Loader] "c:\windows\system32\spool\drivers\w32x86\3\e_faticla.exe" /fu "c:\windows\temp\E_S9D29.tmp" /EF "HKCU"
    uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
    mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [PLFSet] "rundll32.exe" c:\windows\PLFSet.dll,PLFDefSetting
    mRun: [StartCCC] "c:\program files\ati" technologies\ati.ace\core-static\CLIStart.exe
    mRun: [eDataSecurity Loader] "c:\acer\empowering technology\edatasecurity\eDSloader.exe"
    mRun: [LManager] c:\progra~1\launch~1\LManager.exe
    mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
    mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
    mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
    mRun: [Acer Assist Launcher] "c:\program files\acer assist\launcher.exe"
    mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
    mRun: [LELA] "c:\program files\linksys\linksys easylink advisor\Linksys EasyLink Advisor.exe" /minimized
    mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [Bing Bar] "c:\program files\msn toolbar\platform\6.3.2348.0\mswinext.exe"
    mRun: [SpySweeper] c:\program files\webroot\spy sweeper\SpySweeperUI.exe /startintray
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    StartupFolder: c:\users\myshad~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
    uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-us.cab

    ============= SERVICES / DRIVERS ===============

    R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2007-4-3 39680]
    R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2007-4-2 35712]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-11-25 61960]
    R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-8-3 50256]
    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-4-13 36368]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-31 135664]
    S3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2007-12-14 570880]

    =============== Created Last 30 ================

    2010-11-26 22:27:56 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{b52e50f5-ed61-4d62-bd3e-360a7ee90d40}\mpengine.dll
    2010-11-25 17:54:32 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-11-25 17:54:18 -------- d-----w- c:\program files\Avira
    2010-11-25 17:54:18 -------- d-----w- c:\progra~2\Avira
    2010-11-21 22:49:36 -------- d-----w- c:\program files\Emsisoft Anti-Malware
    2010-10-29 20:04:37 -------- d-----w- c:\program files\Bing Bar Installer

    ==================== Find3M ====================

    2010-10-19 18:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

    ============= FINISH: 10:57:40.96 ===============
     
  12. dmo

    dmo TS Rookie Topic Starter

    Do you need the attach.txt log? I don't think that I should post that to the forum.
     
  13. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Yes, please.
     
  14. dmo

    dmo TS Rookie Topic Starter

    Is there sensitive information in it? It's telling me not to post it to a forum.
     
  15. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    No. Post it, please.
     
  16. dmo

    dmo TS Rookie Topic Starter

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-11-27.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 12/5/2007 2:16:56 PM
    System Uptime: 11/24/2010 9:24:49 AM (73 hours ago)

    Motherboard: Acer | | Extensa 5420
    Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-58 | Socket M2/S1G1 | 1600/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 70 GiB total, 0.991 GiB free.
    D: is FIXED (NTFS) - 70 GiB total, 69.547 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0004
    Manufacturer: Microsoft
    Name: 6TO4 Adapter
    PNP Device ID: ROOT\*6TO4MP\0004
    Service: tunnel

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0008
    Manufacturer: Microsoft
    Name: 6TO4 Adapter
    PNP Device ID: ROOT\*6TO4MP\0008
    Service: tunnel

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0016
    Manufacturer: Microsoft
    Name: 6TO4 Adapter
    PNP Device ID: ROOT\*6TO4MP\0016
    Service: tunnel

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0017
    Manufacturer: Microsoft
    Name: Microsoft 6to4 Adapter #14
    PNP Device ID: ROOT\*6TO4MP\0017
    Service: tunnel

    ==== System Restore Points ===================

    RP556: 11/26/2010 2:26:37 PM - Windows Update

    ==== Installed Programs ======================

    Acer Assist
    Acer Crystal Eye webcam
    Acer eDataSecurity Management
    Acer eLock Management
    Acer Empowering Technology
    Acer eNet Management
    Acer ePower Management
    Acer ePresentation Management
    Acer eSettings Management
    Acer GridVista
    Acer Mobility Center Plug-In
    Acer Registration
    Acer ScreenSaver
    Acer Tour
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3.2
    Amazon MP3 Downloader 1.0.9
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI Catalyst Install Manager
    Avira AntiVir Personal - Free Antivirus
    Bing Bar
    Bing Bar Platform
    Bing Rewards Client Installer
    Bonjour
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Light
    Catalyst Control Center Localization Chinese Standard
    Catalyst Control Center Localization Chinese Traditional
    Catalyst Control Center Localization Czech
    Catalyst Control Center Localization Danish
    Catalyst Control Center Localization Dutch
    Catalyst Control Center Localization Finnish
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Greek
    Catalyst Control Center Localization Hungarian
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Korean
    Catalyst Control Center Localization Norwegian
    Catalyst Control Center Localization Polish
    Catalyst Control Center Localization Portuguese
    Catalyst Control Center Localization Russian
    Catalyst Control Center Localization Spanish
    Catalyst Control Center Localization Swedish
    Catalyst Control Center Localization Thai
    Catalyst Control Center Localization Turkish
    ccc-core-static
    ccc-utility
    DesignPro 5.4 Limited Edition
    DivX Setup
    EA Download Manager
    EA Download Manager UI
    EPSON Print CD
    EPSON Printer Software
    EPSON RX595 User's Guide
    EPSON Scan
    EPSON Stylus Photo RX595 Series Scanner Driver Update
    Google Chrome
    Google Toolbar for Internet Explorer
    Google Update Helper
    HDAUDIO Soft Data Fax Modem with SmartCP
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    InstallMgr
    IObit SmartDefrag Beta4.03
    iTunes
    Java(TM) 6 Update 17
    Java(TM) 6 Update 3
    Java(TM) 6 Update 7
    Last.fm 1.5.4.27091
    Launch Manager
    LightScribe 1.4.142.1
    Linksys Dual-Band Wireless-N USB Network Adapter
    Linksys WUSB600N Dual-Band Wireless-N USB Network Adapter
    LiveUpdate 3.2 (Symantec Corporation)
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Default Manager
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft UI Engine
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Move Media Player
    MSN Toolbar
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    O2Micro Flash Memory Card Reader Driver Installer(x86)
    OpenOffice.org 3.0
    Pinnacle TVCenter Pro
    QuickTime
    Realtek High Definition Audio Driver
    SecureW2 EAP Suite 2.0.4 for Windows
    Skype™ 4.2
    Spelling Dictionaries Support For Adobe Reader 9
    SPORE™
    Spy Sweeper
    Trend Micro AntiVirus
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VC80CRTRedist - 8.0.50727.4053
    WebEx Support Manager for Internet Explorer
    Zune
    Zune Language Pack (DE)
    Zune Language Pack (ES)
    Zune Language Pack (FR)
    Zune Language Pack (IT)

    ==== Event Viewer Messages From Past Week ========

    11/26/2010 2:13:17 PM, Error: Service Control Manager [7000] - The LiveUpdate service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/26/2010 2:13:15 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the LiveUpdate service to connect.
    11/26/2010 2:13:14 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
    11/25/2010 9:56:40 AM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
    11/21/2010 6:00:49 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr Tcpip tdx tmtdi Wanarpv6
    11/21/2010 6:00:49 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    11/21/2010 6:00:49 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    11/21/2010 6:00:49 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
    11/21/2010 6:00:49 PM, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/21/2010 6:00:49 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    11/21/2010 6:00:49 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    11/21/2010 6:00:49 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    11/21/2010 6:00:49 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    11/21/2010 6:00:49 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
    11/21/2010 6:00:49 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/21/2010 6:00:49 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    11/21/2010 6:00:49 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    11/21/2010 6:00:49 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/21/2010 6:00:49 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    11/21/2010 6:00:49 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    11/21/2010 6:00:49 PM, Error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/21/2010 6:00:49 PM, Error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/21/2010 6:00:49 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    11/21/2010 6:00:46 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    11/21/2010 6:00:12 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    11/21/2010 6:00:12 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    11/21/2010 6:00:12 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    11/21/2010 6:00:10 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    11/21/2010 6:00:02 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    11/21/2010 5:59:39 PM, Error: EventLog [6008] - The previous system shutdown at 5:58:19 PM on 11/21/2010 was unexpected.
    11/21/2010 4:18:18 PM, Error: Service Control Manager [7034] - The SQL Server VSS Writer service terminated unexpectedly. It has done this 1 time(s).
    11/21/2010 4:18:17 PM, Error: Service Control Manager [7022] - The SQL Server VSS Writer service hung on starting.
    11/21/2010 4:16:55 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    11/21/2010 4:16:55 PM, Error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
    11/21/2010 1:13:41 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer STEPHANIE-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{EF46E181-3812-4B24-A5B3-0D8DC. The master browser is stopping or an election is being forced.
    11/21/2010 1:06:03 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
    11/20/2010 12:08:54 PM, Error: volmgr [46] - Crash dump initialization failed!
    11/20/2010 12:08:46 PM, Error: ACPI [6] - IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 6, function 0. Please contact your system vendor for technical assistance.
    11/20/2010 12:08:45 PM, Error: ACPI [6] - IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 5, function 0. Please contact your system vendor for technical assistance.
    11/20/2010 12:08:45 PM, Error: ACPI [6] - IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 4, function 0. Please contact your system vendor for technical assistance.

    ==== End Of File ===========================
     
  17. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ====================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AVG Remover to uninstall it: http://www.avg.com/us-en/download-tools
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.

    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.pif
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  18. dmo

    dmo TS Rookie Topic Starter

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: (build 6000), 32-bit
    Base Board Manufacturer: Acer
    BIOS Manufacturer: Phoenix Technologies LTD
    System Manufacturer: Acer
    System Product Name: Extensa 5420
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 165):
    0x82400000 \SystemRoot\system32\ntkrnlpa.exe
    0x827A1000 \SystemRoot\system32\hal.dll
    0x802C6000 \SystemRoot\system32\kdcom.dll
    0x802BD000 \SystemRoot\system32\PSHED.dll
    0x802B5000 \SystemRoot\system32\BOOTVID.dll
    0x8027A000 \SystemRoot\system32\CLFS.SYS
    0x8051F000 \SystemRoot\system32\CI.dll
    0x80209000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x80511000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x804CE000 \SystemRoot\system32\drivers\acpi.sys
    0x80200000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x804C6000 \SystemRoot\system32\drivers\msisadrv.sys
    0x804A1000 \SystemRoot\system32\drivers\pci.sys
    0x80492000 \SystemRoot\system32\drivers\volmgr.sys
    0x80489000 \SystemRoot\SYSTEM32\Drivers\SSHRMD.SYS
    0x80480000 \SystemRoot\SYSTEM32\Drivers\SSFS0BB9.SYS
    0x80454000 \SystemRoot\SYSTEM32\Drivers\SSIDRV.SYS
    0x80429000 \SystemRoot\SYSTEM32\Drivers\msrpc.sys
    0x807C7000 \SystemRoot\SYSTEM32\Drivers\NETIO.SYS
    0x806C3000 \SystemRoot\SYSTEM32\Drivers\NDIS.SYS
    0x8041E000 \SystemRoot\SYSTEM32\Drivers\TDI.SYS
    0x8041B000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x80411000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x80401000 \SystemRoot\System32\drivers\mountmgr.sys
    0x80699000 \SystemRoot\system32\DRIVERS\pcmcia.sys
    0x80692000 \SystemRoot\system32\drivers\pciide.sys
    0x80684000 \SystemRoot\system32\drivers\PCIIDEX.SYS
    0x8063A000 \SystemRoot\System32\drivers\volmgrx.sys
    0x80632000 \SystemRoot\system32\drivers\atapi.sys
    0x80614000 \SystemRoot\system32\drivers\ataport.SYS
    0x8060A000 \SystemRoot\system32\DRIVERS\o2media.sys
    0x823DA000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
    0x80601000 \SystemRoot\system32\DRIVERS\o2sd.sys
    0x823A9000 \SystemRoot\system32\drivers\fltmgr.sys
    0x82399000 \SystemRoot\system32\drivers\fileinfo.sys
    0x82390000 \SystemRoot\system32\DRIVERS\psdfilter.sys
    0x82288000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x8221E000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x877CA000 \SystemRoot\system32\drivers\volsnap.sys
    0x82216000 \SystemRoot\System32\Drivers\spldr.sys
    0x82204000 \SystemRoot\system32\drivers\psdvdisk.sys
    0x877C1000 \SystemRoot\system32\drivers\PSDNServ.sys
    0x877B2000 \SystemRoot\System32\drivers\partmgr.sys
    0x877A3000 \SystemRoot\System32\Drivers\mup.sys
    0x8777E000 \SystemRoot\System32\drivers\ecache.sys
    0x8776D000 \SystemRoot\system32\drivers\disk.sys
    0x8774C000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x87743000 \SystemRoot\system32\drivers\crcdisk.sys
    0x88408000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x88420000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x88194000 \SystemRoot\system32\DRIVERS\amdk8.sys
    0x88429000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0x8B6D8000 \SystemRoot\system32\DRIVERS\atikmdag.sys
    0x89C33000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x88413000 \SystemRoot\System32\drivers\watchdog.sys
    0x8B652000 \SystemRoot\system32\DRIVERS\bcmwl6.sys
    0x89C29000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0x8B615000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x89C1B000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x88118000 \SystemRoot\system32\drivers\Afc.sys
    0x89C03000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x88021000 \SystemRoot\system32\DRIVERS\NTIDrvr.sys
    0x8854E000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0x8AFEE000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x884E4000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x8AFDB000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x8AFD1000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
    0x8AE40000 \SystemRoot\System32\Drivers\sskbfd.sys
    0x8AFC6000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x8B60A000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x880A8000 \SystemRoot\system32\DRIVERS\nscirda.sys
    0x88444000 \SystemRoot\system32\drivers\irenum.sys
    0x89D90000 \SystemRoot\system32\DRIVERS\ohci1394.sys
    0x8BFA2000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
    0x8BF77000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x8BF37000 \SystemRoot\system32\DRIVERS\storport.sys
    0x8BF20000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8BF15000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x8BEF2000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x8AF10000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8BEDF000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x8AF1F000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8801D000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x8BEB5000 \SystemRoot\system32\DRIVERS\ks.sys
    0x8B600000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8AE5A000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8BE81000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x89DC0000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x8C025000 \SystemRoot\system32\drivers\RTKVHDA.sys
    0x8BE04000 \SystemRoot\system32\drivers\portcls.sys
    0x8C000000 \SystemRoot\system32\drivers\drmk.sys
    0x8C3C3000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
    0x8C2C0000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
    0x8C20C000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
    0x8AE67000 \SystemRoot\system32\drivers\modem.sys
    0x8845F000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x885D6000 \SystemRoot\System32\Drivers\Null.SYS
    0x885DD000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8C200000 \SystemRoot\System32\drivers\vga.sys
    0x8C5DF000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x880B8000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x880C0000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8C4B4000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8C4A6000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x88468000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x8C50A000 \SystemRoot\System32\drivers\tcpip.sys
    0x8C483000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8C46E000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8C45A000 \SystemRoot\system32\DRIVERS\smb.sys
    0x8C7B9000 \SystemRoot\system32\drivers\afd.sys
    0x8C787000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8C404000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8C4FC000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8C4E9000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x8AF2E000 \SystemRoot\system32\DRIVERS\tmtdi.sys
    0x8C740000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8C49C000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8C729000 \SystemRoot\System32\Drivers\dfsc.sys
    0x8C859000 \SystemRoot\system32\DRIVERS\snp2uvc.sys
    0x8AE74000 \SystemRoot\system32\DRIVERS\STREAM.SYS
    0x885E4000 \SystemRoot\system32\DRIVERS\sncduvc.SYS
    0x8801B000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x8C6B1000 \SystemRoot\System32\Drivers\fastfat.SYS
    0x94E00000 \SystemRoot\System32\win32k.sys
    0x8C4DF000 \SystemRoot\System32\drivers\Dxapi.sys
    0x8AFB5000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x96400000 \SystemRoot\System32\TSDDD.dll
    0x96410000 \SystemRoot\System32\cdd.dll
    0x95E95000 \SystemRoot\system32\drivers\luafv.sys
    0x8AEE9000 \SystemRoot\system32\DRIVERS\tmpreflt.sys
    0x982BE000 \SystemRoot\system32\DRIVERS\vsapint.sys
    0x95E4C000 \SystemRoot\system32\DRIVERS\tmxpflt.sys
    0x96276000 \SystemRoot\system32\drivers\WudfPf.sys
    0x99372000 \SystemRoot\system32\drivers\spsys.sys
    0x99354000 \SystemRoot\system32\DRIVERS\irda.sys
    0x95C20000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x99329000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x95C8A000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x97205000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x9A597000 \SystemRoot\system32\drivers\HTTP.sys
    0x9A54B000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0x9A4B4000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x9A4A0000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x9A480000 \SystemRoot\system32\drivers\mrxdav.sys
    0x9A462000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x9A429000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x99230000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x9A405000 \SystemRoot\System32\DRIVERS\srv2.sys
    0x9ADAF000 \SystemRoot\System32\DRIVERS\srv.sys
    0x885B3000 \??\C:\Acer\Empowering Technology\eRecovery\int15.sys
    0x9CFFC000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0x9CF6A000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0x9CE4C000 \SystemRoot\system32\drivers\peauth.sys
    0x95CA8000 \SystemRoot\System32\Drivers\secdrv.SYS
    0x962E8000 \SystemRoot\System32\drivers\tcpipreg.sys
    0x97355000 \SystemRoot\system32\DRIVERS\tmcomm.sys
    0x8AFA6000 \SystemRoot\system32\DRIVERS\tmevtmgr.sys
    0x98438000 \SystemRoot\system32\DRIVERS\xaudio.sys
    0x972C2000 \SystemRoot\system32\DRIVERS\tmactmon.sys
    0x8AEDC000 \SystemRoot\System32\Drivers\crashdmp.sys
    0xAE88B000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xAE822000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xB97C2000 \SystemRoot\system32\DRIVERS\yk60x86.sys
    0xB9628000 \??\C:\Users\MYSHAD~1\AppData\Local\Temp\kwloqkow.sys
    0x77870000 \Windows\System32\ntdll.dll

    Processes (total 89):
    0 System Idle Process
    4 System
    412 C:\Windows\System32\smss.exe
    556 csrss.exe
    612 C:\Windows\System32\wininit.exe
    624 csrss.exe
    656 C:\Windows\System32\services.exe
    668 C:\Windows\System32\lsass.exe
    676 C:\Windows\System32\lsm.exe
    744 C:\Windows\System32\winlogon.exe
    864 C:\Windows\System32\svchost.exe
    956 C:\Windows\System32\svchost.exe
    992 C:\Windows\System32\svchost.exe
    1088 C:\Windows\System32\Ati2evxx.exe
    1104 C:\Windows\System32\svchost.exe
    1172 C:\Windows\System32\svchost.exe
    1212 C:\Windows\System32\svchost.exe
    1276 C:\Windows\System32\audiodg.exe
    1324 C:\Windows\System32\SLsvc.exe
    1384 C:\Windows\System32\svchost.exe
    1404 C:\Windows\System32\Ati2evxx.exe
    1596 C:\Windows\System32\svchost.exe
    1812 C:\Windows\System32\spoolsv.exe
    1840 C:\Windows\System32\svchost.exe
    244 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    348 C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    12 C:\Program Files\Bonjour\mDNSResponder.exe
    1268 C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
    1052 C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    708 C:\Windows\System32\taskeng.exe
    1364 C:\Windows\System32\dwm.exe
    1940 C:\Windows\explorer.exe
    2132 C:\Acer\Empowering Technology\eNet\eNet Service.exe
    2240 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    2296 C:\Acer\Mobility Center\MobilityService.exe
    2368 C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
    2416 C:\Program Files\Google\Update\GoogleUpdate.exe
    2472 C:\Program Files\Windows Defender\MSASCui.exe
    2492 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    2500 C:\Windows\RtHDVCpl.exe
    2608 C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    2628 C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
    2772 C:\Windows\System32\taskeng.exe
    2808 C:\Windows\System32\svchost.exe
    2964 C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    3060 C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    3408 C:\Windows\System32\SearchIndexer.exe
    3432 C:\Windows\System32\drivers\XAudio.exe
    3448 C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    3536 C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
    3648 C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    3692 C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
    3828 WmiPrvSE.exe
    4052 WmiPrvSE.exe
    1168 unsecapp.exe
    2432 C:\Users\MYSHAD~1\AppData\Local\Temp\RtkBtMnt.exe
    3444 C:\Program Files\Launch Manager\LManager.exe
    4136 C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
    4144 C:\Program Files\Zune\ZuneLauncher.exe
    4188 C:\Program Files\iTunes\iTunesHelper.exe
    4224 C:\Program Files\Java\jre6\bin\jusched.exe
    4280 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    4292 C:\Program Files\MSN Toolbar\Platform\6.3.2348.0\mswinext.exe
    4328 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    4348 C:\Program Files\Windows Sidebar\sidebar.exe
    4372 C:\Windows\ehome\ehtray.exe
    4412 C:\Windows\System32\wbem\unsecapp.exe
    4716 C:\Acer\Empowering Technology\eNet\eNMTray.exe
    4744 C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    4804 C:\Acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe
    4876 C:\Windows\ehome\ehmsas.exe
    4896 C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    5664 C:\Program Files\Windows Sidebar\sidebar.exe
    6076 C:\Program Files\iPod\bin\iPodService.exe
    4860 C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    3288 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    4616 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    6128 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    7376 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    8124 C:\Windows\System32\wuauclt.exe
    6588 C:\Program Files\Google\Chrome\Application\chrome.exe
    6112 C:\Program Files\Google\Chrome\Application\chrome.exe
    3148 C:\Program Files\Google\Chrome\Application\chrome.exe
    5372 C:\Program Files\Google\Chrome\Application\chrome.exe
    6724 C:\Program Files\Google\Chrome\Application\chrome.exe
    7924 C:\Program Files\Google\Chrome\Application\chrome.exe
    7176 C:\Windows\System32\SearchProtocolHost.exe
    5044 C:\Windows\System32\SearchFilterHost.exe
    7152 C:\Users\My Shadow\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`71100000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000013`da600000 (NTFS)

    PhysicalDrive0 Model Number: HitachiHTS541616J9SA00, Rev: SB4OC70P

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: DA67949D8E80AE4B877B861155C27C0550D2F7A3


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
     
  19. dmo

    dmo TS Rookie Topic Starter

    ComboFix 10-11-27.01 - My Shadow 11/27/2010 13:18:12.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1790.976 [GMT -8:00]
    Running from: c:\users\My Shadow\Downloads\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    AV: Trend Micro AntiVirus *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    SP: AntiVir Desktop *disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    SP: Norton Internet Security *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
    SP: Spy Sweeper *enabled* (Updated) {68A41C74-A1E9-48F8-B2E5-D8232211AB6D}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\My Shadow\AppData\Local\Microsoft\Windows\Temporary Internet Files\23kBPk0y.jpg
    c:\users\My Shadow\AppData\Local\Microsoft\Windows\Temporary Internet Files\8A73M6BnX.jpg
    c:\users\My Shadow\AppData\Local\Microsoft\Windows\Temporary Internet Files\pJOx0.jpg
    c:\users\My Shadow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Xkm0m.jpg
    c:\windows\system32\sdra64.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-27 to 2010-11-27 )))))))))))))))))))))))))))))))
    .

    2010-11-27 21:59 . 2010-11-27 22:35 -------- d-----w- c:\users\My Shadow\AppData\Local\temp
    2010-11-27 21:59 . 2010-11-27 21:59 -------- d-----w- c:\users\Stephanie\AppData\Local\temp
    2010-11-27 21:59 . 2010-11-27 21:59 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-11-27 21:59 . 2010-11-27 21:59 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2010-11-27 20:54 . 2010-11-27 20:57 -------- d-----w- C:\32788R22FWJFW
    2010-11-26 22:27 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B52E50F5-ED61-4D62-BD3E-360A7EE90D40}\mpengine.dll
    2010-11-25 17:54 . 2010-11-26 22:15 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-11-25 17:54 . 2010-08-03 00:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-11-25 17:54 . 2010-11-25 17:54 -------- d-----w- c:\programdata\Avira
    2010-11-25 17:54 . 2010-11-25 17:54 -------- d-----w- c:\program files\Avira
    2010-11-21 22:49 . 2010-11-22 01:09 -------- d-----w- c:\program files\Emsisoft Anti-Malware
    2010-10-29 20:04 . 2010-10-29 20:17 -------- d-----w- c:\program files\Bing Bar Installer

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 18:41 . 2009-10-02 23:24 222080 ------w- c:\windows\system32\MpSigStub.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-28 1232896]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-12-23 171448]
    "Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-04-06 26102056]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-08-17 4702208]
    "PLFSet"="c:\windows\PLFSet.dll" [2007-04-25 45056]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-26 457216]
    "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-04-04 813840]
    "Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
    "Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
    "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
    "Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
    "WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-06 57344]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "Bing Bar"="c:\program files\MSN Toolbar\Platform\6.3.2348.0\mswinext.exe" [2010-10-11 273672]
    "SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-05 5367664]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-03 281768]

    c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

    c:\users\Stephanie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

    c:\users\My Shadow\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-9-10 535336]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-01 135664]
    R3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-12-15 570880]
    S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2007-04-03 39680]
    S0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2007-04-02 35712]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-08-03 135336]
    S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [x]
    S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-12-04 36368]
    S3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [x]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - SSMDRV
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-27 c:\windows\Tasks\AutoSmartDefrag.job
    - c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2008-01-28 08:29]

    2010-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-01 00:43]

    2010-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-01 00:43]

    2010-08-23 c:\windows\Tasks\SmartDefrag.job
    - c:\program files\IObit\IObit SmartDefrag\schedule.exe [2008-01-28 07:05]

    2010-11-16 c:\windows\Tasks\wrSpySweeper_L74534F1688144710A61FFEB8BE5EEA10.job
    - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-29 05:56]

    2010-11-16 c:\windows\Tasks\wrSpySweeper_L74534F1688144710A61FFEB8BE5EEA10.job
    - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-29 05:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSEARCH PAGE = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mStart Page = hxxp://en.us.acer.yahoo.com
    mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    HKCU-Run-Acer Tour Reminder - (no file)
    HKCU-Run-PMCLoader - c:\program files\Pinnacle\TVCenter Pro\PMCLoader.exe
    HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
    HKLM-Run-LELA - c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
    HKLM-Run-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe
    SafeBoot-WudfPf
    SafeBoot-WudfRd



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-27 14:35
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1397172104-1989430188-3832168033-1003\Software\SecuROM\License information*]
    "datasecu"=hex:2e,52,c4,6d,2c,1b,5d,7d,d4,53,46,b9,29,77,24,fc,2d,28,ca,24,38,
    3d,51,0c,2c,c3,4c,a2,3a,55,84,8b,d9,69,ec,32,6d,b2,e7,53,b5,0a,12,40,7a,3e,\
    "rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-11-27 15:14:26
    ComboFix-quarantined-files.txt 2010-11-27 23:14

    Pre-Run: 1,394,769,920 bytes free
    Post-Run: 2,942,689,280 bytes free

    - - End Of File - - 857152301C9DFAA6F34228132CE3802A
     
  20. Broni

    Broni Malware Annihilator Posts: 52,895   +344

  21. dmo

    dmo TS Rookie Topic Starter

    I can't get rid of Trend, I've tried. It's password protected and I don't have the password.
     
  22. Broni

    Broni Malware Annihilator Posts: 52,895   +344

  23. dmo

    dmo TS Rookie Topic Starter

    I will try again tomorrow; I have to get off the computer for today.
     
  24. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    No problem :)
     