TechSpot

[Closed] Problems after removing Live Security Platinum

By Michael_NY
Sep 6, 2012
Topic Status:
Not open for further replies.
  1. My Asus netbook was infected with Live Security Platinum late last week. I eventually removed it from my system, but now I have other problems that I cannot solve.

    Upon startup, all my desktop icons auto-arrange to the left. I have tried many different combinations of desktop settings to fix that, but nothing helped. I also tried the workaround of creating a new profile, but that profile seems to have the same symptoms.

    My mouse cursor has an hourglass next to it almost all the time. It is up for about one second, then down for less than a quarter of a second. This cycle never stops.

    After being left on over night, my computer is unusable in the morning. Programs are very slow to respond and it took ten minutes just to get my computer to shut down this morning.

    Thank you for any suggestions you have.
    (let me know if this is posted in the wrong forum)
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Please review the 5-Step removal instructions and post the logs back here for my review.

    Also, include this scan:

    Download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
  3. Michael_NY

    Michael_NY TS Rookie Topic Starter Posts: 23

    DragonMaster Jay,

    Sorry for the rude lack of introduction. My name is Michael

    Here are my reports. And thank you for all your help.

    ==========================================================
    Malwarebytes Anti-Malware (Trial) 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.09.06.11

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 8.0.7601.17514
    Michael :: MICHAEL-PC [administrator]

    Protection: Disabled

    9/6/2012 4:44:55 PM
    mbam-log-2012-09-06 (16-44-55).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 194938
    Time elapsed: 18 minute(s), 8 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-09-06 17:15:31
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS545025B9A300 rev.PB2OC60N
    Running: 16nmhmcd.exe; Driver: C:\Users\Michael\AppData\Local\Temp\uwliifow.sys


    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84CB71F8
    Device \Driver\atapi \Device\Ide\IdePort0 84CB71F8
    Device \Driver\atapi \Device\Ide\IdePort1 84CB71F8
    Device \Driver\amhfoohk \Device\Scsi\amhfoohk1 866741F8
    Device \Driver\amhfoohk \Device\Scsi\amhfoohk1Port2Path0Target0Lun0 866741F8
    Device \FileSystem\Ntfs \Ntfs 84CB91F8
    Device \FileSystem\fastfat \Fat A7BC21F8

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Ip SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

    ---- Processes - GMER 1.0.15 ----

    Process hidden process (*** hidden *** ) 26248
    Process AsusSender.exe (*** hidden *** ) 30168
    Process hidden process (*** hidden *** ) 31120
    Process hidden process (*** hidden *** ) 35836
    Process HotkeyService. (*** hidden *** ) 35864
    Process hidden process (*** hidden *** ) 36964
    Process hidden process (*** hidden *** ) 37180
    Process hidden process (*** hidden *** ) 37288
    Process hidden process (*** hidden *** ) 37416
    Process hidden process (*** hidden *** ) 37616
    Process hidden process (*** hidden *** ) 38192
    Process hidden process (*** hidden *** ) 38452
    Process hidden process (*** hidden *** ) 38604
    Process hidden process (*** hidden *** ) 38676
    Process hidden process (*** hidden *** ) 38876

    ---- EOF - GMER 1.0.15 ----

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.7.2
    Run by Michael at 17:56:48 on 2012-09-06
    .
    ============== Running Processes ===============
    .
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://asus.msn.com
    uInternet Settings,ProxyOverride = <local>
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.9.0.12\IPSBHO.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
    uRun: [Akamai NetSession Interface] "c:\users\michael\appdata\local\akamai\netsession_win.exe"
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
    mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    mRun: [SuperHybridEngine] AsusSender.exe c:\program files\eeepc\she\SuperHybridEngine.exe
    mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [OOBESetup] c:\program files\asus\ooberegbackup\ooberegbackup.exe /restore -"c:\program files\asus\ooberegbackup\OOBEReg.ini"
    mRun: [HotkeyService] AsusSender.exe c:\program files\eeepc\hotkeyservice\HotkeyService.exe
    mRun: [HotkeyMon] AsusSender.exe c:\program files\eeepc\hotkeyservice\HotKeyMon.exe
    mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
    mRun: [DigitalZoomControl] "c:\program files\asus\digitalzoomcontrol\DigitalZoomControl.exe"
    mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
    mRun: [Boingo Wi-Fi] "c:\program files\boingo\boingo wi-fi\Boingo.lnk"
    mRun: [ASUS Screen Saver Protector] c:\windows\AsScrPro.exe
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Ad-Aware Browsing Protection] "c:\programdata\ad-aware browsing protection\adawarebp.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    TCP: DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{285938A6-8C45-4FEC-B7A5-6AC0A63DF19D} : DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{285938A6-8C45-4FEC-B7A5-6AC0A63DF19D}\2456C6B696E6E253132424E2765756374737 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{285938A6-8C45-4FEC-B7A5-6AC0A63DF19D}\25D4C4055524C49434 : DhcpNameServer = 8.8.8.8 24.92.226.11 24.92.226.12
    TCP: Interfaces\{285938A6-8C45-4FEC-B7A5-6AC0A63DF19D}\4516B6169716029516D6167657368696D27657563747 : DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.33.1
    TCP: Interfaces\{285938A6-8C45-4FEC-B7A5-6AC0A63DF19D}\544696D61687 : DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{285938A6-8C45-4FEC-B7A5-6AC0A63DF19D}\C696E6B6379737 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{285938A6-8C45-4FEC-B7A5-6AC0A63DF19D}\E4544574541425 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{285938A6-8C45-4FEC-B7A5-6AC0A63DF19D}\F4365616E665965677 : DhcpNameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{B09B9D05-5626-45E7-86B0-683B10658108} : DhcpNameServer = 209.18.47.61 209.18.47.62
    Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\michael\appdata\roaming\mozilla\firefox\profiles\3jr7w82x.default\
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
    FF - plugin: c:\users\michael\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\windows\system32\npDeployJava1.dll
    FF - plugin: c:\windows\system32\npmproxy.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    .
    =============== Created Last 30 ================
    .
    2012-09-06 20:43:15  22344     ----a-w-  c:\windows\system32\drivers\mbam.sys
    2012-09-06 20:43:15  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
    2012-09-05 21:25:17  340088    ----a-w-  c:\windows\system32\drivers\nav\1109000.00c\symtdiv.sys
    2012-09-05 21:25:16  43696     ----a-w-  c:\windows\system32\drivers\nav\1109000.00c\srtspx.sys
    2012-09-05 21:25:16  328752    ----a-r-  c:\windows\system32\drivers\nav\1109000.00c\symds.sys
    2012-09-05 21:25:16  173176    ----a-w-  c:\windows\system32\drivers\nav\1109000.00c\symefa.sys
    2012-09-05 21:25:15  485512    ----a-w-  c:\windows\system32\drivers\nav\1109000.00c\cchpx86.sys
    2012-09-05 21:25:15  325680    ----a-w-  c:\windows\system32\drivers\nav\1109000.00c\srtsp.sys
    2012-09-05 21:25:15  116784    ----a-w-  c:\windows\system32\drivers\nav\1109000.00c\ironx86.sys
    2012-09-05 21:24:40  --------  d-----w-  c:\windows\system32\drivers\nav\1109000.00C
    2012-09-05 13:58:53  --------  d-----w-  C:\RegBackup
    2012-09-05 12:40:44  --------  d-----w-  C:\Tweaking.com_Windows_Repair_Logs
    2012-09-05 12:40:32  --------  d-----w-  c:\program files\Tweaking.com
    2012-09-04 09:17:30  93672     ----a-w-  c:\windows\system32\WindowsAccessBridge.dll
    2012-09-04 00:47:10  --------  d-----w-  c:\program files\ESET
    2012-09-04 00:33:08  --------  d-sh--w-  C:\$RECYCLE.BIN
    2012-09-04 00:33:05  --------  d-----w-  c:\users\michael\appdata\local\temp
    2012-09-03 23:42:07  98816     ----a-w-  c:\windows\sed.exe
    2012-09-03 23:42:07  518144    ----a-w-  c:\windows\SWREG.exe
    2012-09-03 23:42:07  256000    ----a-w-  c:\windows\PEV.exe
    2012-09-03 23:42:07  208896    ----a-w-  c:\windows\MBR.exe
    2012-09-03 22:27:56  124976    ----a-w-  c:\windows\system32\drivers\SYMEVENT.SYS
    2012-09-03 22:27:14  --------  d-----w-  c:\program files\Symantec
    2012-09-03 22:27:14  --------  d-----w-  c:\program files\common files\Symantec Shared
    2012-09-03 22:26:47  --------  d-----w-  c:\windows\system32\drivers\NAV
    2012-09-03 22:26:46  --------  d-----w-  c:\program files\Norton AntiVirus
    2012-09-03 22:18:51  --------  d-----w-  c:\program files\NortonInstaller
    2012-08-31 18:25:48  --------  d-----w-  c:\programdata\GFI Software
    2012-08-31 17:48:01  --------  d-----w-  c:\users\michael\appdata\local\adaware
    2012-08-31 17:47:59  --------  d-----w-  c:\programdata\Ad-Aware Browsing Protection
    2012-08-31 17:46:36  --------  d-----w-  c:\program files\Ad-Aware Antivirus
    2012-08-31 17:45:54  --------  d-----w-  c:\users\michael\appdata\local\Downloaded Installations
    2012-08-31 17:25:03  12872     ----a-w-  c:\windows\system32\bootdelete.exe
    2012-08-30 19:28:29  --------  d-----w-  c:\programdata\HitmanPro
    2012-08-30 18:11:51  --------  d-----w-  c:\users\michael\appdata\roaming\Malwarebytes
    2012-08-30 18:11:42  --------  d-----w-  c:\programdata\Malwarebytes
    2012-08-30 17:09:43  --------  d-----w-  c:\users\michael\appdata\local\NPE
    2012-08-30 15:16:26  --------  d-----w-  c:\users\michael\appdata\roaming\Tific
    2012-08-30 15:16:22  --------  d-----w-  c:\users\michael\appdata\local\Symantec
    2012-08-30 15:07:46  --------  d-----w-  c:\programdata\6C82D0E019ABEDFBC30823FBF875F020
    2012-08-16 07:00:22  393728    ----a-w-  c:\windows\system32\drivers\bthport.sys
    2012-08-16 01:19:13  400896    ----a-w-  c:\windows\system32\srcore.dll
    2012-08-16 01:19:11  2345984   ----a-w-  c:\windows\system32\win32k.sys
    2012-08-16 01:19:09  492032    ----a-w-  c:\windows\system32\win32spl.dll
    2012-08-16 01:19:09  317440    ----a-w-  c:\windows\system32\spoolsv.exe
    2012-08-16 01:19:04  41984     ----a-w-  c:\windows\system32\browcli.dll
    2012-08-16 01:19:04  102912    ----a-w-  c:\windows\system32\browser.dll
    2012-08-16 01:19:02  769024    ----a-w-  c:\windows\system32\localspl.dll
    .
    ==================== Find3M ====================
    .
    2012-09-04 09:17:01  821736    ----a-w-  c:\windows\system32\npDeployJava1.dll
    2012-09-04 09:17:01  746984    ----a-w-  c:\windows\system32\deployJava1.dll
    .
    ============= FINISH: 17:59:20.51 ===============

    [Window Title]
    Asus Eee PC Hotkey Service

    [Main Instruction]
    Asus Eee PC Hotkey Service has stopped working

    [Content]
    Windows is checking for a solution to the problem...

    [Cancel]

    ============================================
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    That's fine. Hi Michael!

    Please download and run TDSSKiller to your desktop as outlined below:

    Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, right-click on the program, select Run as Administrator to start, and when prompted, allow it to run.


    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


    ------------------------

    Click the Start Scan button.


    -----------------------

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose
    Skip and click on Continue.

    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.


    --------------------

    A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
    Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose
    Skip and click on Continue.

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.


    Please download aswMBR from here

    • Save aswMBR.exe to your Desktop
    • Double click aswMBR.exe to run it
    • Click the Scan button to start the scan as illustrated below


    Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives

    • Once the scan finishes click Save log to save the log to your Desktop
    • Copy and paste the contents of aswMBR.txt back here for review
  5. Michael_NY

    Michael_NY TS Rookie Topic Starter Posts: 23

    Thank you, DragonMaster

    I attached the new reports as Anti Virus Report - 2

    Michael

  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Good work.

    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.
  7. Michael_NY

    Michael_NY TS Rookie Topic Starter Posts: 23

    ESET found nothing.

    # AdwCleaner v2.000 - Logfile created 09/07/2012 at 14:50:23
    # Updated 30/08/2012 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
    # User : Michael - MICHAEL-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Michael\Desktop\adwcleaner.exe
    # Option [Search]


    ***** [Services] *****


    ***** [Files / Folders] *****


    ***** [Registry] *****


    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.7601.17514

    [OK] Registry is clean.

    -\\ Mozilla Firefox v6.0.2 (en-US)

    Profile name : default
    File : C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\3jr7w82x.default\prefs.js

    [OK] File is clean.

    -\\ Google Chrome v [Unable to get version]

    File : C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[R1].txt - [983 octets] - [06/09/2012 18:02:13]
    AdwCleaner[R2].txt - [915 octets] - [07/09/2012 14:50:23]

    ########## EOF - C:\AdwCleaner[R2].txt - [974 octets] ##########
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi! Your logs appear to be clean. If there are no more issues, then we shall finish up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, e.g. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop-down box select your main drive, e.g. C
    • For a few moments the system will make some calculations
    • Select the More Options tab
    • In the System Restore and Shadow Backups section select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  9. Michael_NY

    Michael_NY TS Rookie Topic Starter Posts: 23

    So far, I have been unable to make a Restore Point. I get a transient error (0x800423F3).
    I shall keep trying.
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Try one or more of the steps, one after the other.
    1. Try to create a System Restore point manually and make a note of the Error Message you get. If you don't get one, check whether one has been created or not.
    2. Make sure that System Restore is enabled on the drives where you want System Restore enabled.
    3. Make sure that you have sufficient disk space on all the drives where System Restore is enabled.
    4. Type Services.msc in the Start Menu Search Box and hit Enter. Make sure that the Volume Shadow Copy and Task Scheduler services are Running and set to Automatic. If the Status of the System Restore Service is not Started, Start it. Also set it to Automatic if it is not. A reboot may be required. Re-confirm again, and now try.
    5. Type eventvwr.msc /s in the Start Menu Search Box and hit Enter to open the Event Viewer. Double-click on Applications & Services Logs and see if you are able to evaluate the event description or the cause of the problem.
    6. Reset the Repository. To do so, follow these steps:
    Boot into Safe Mode without networking and open a command prompt as administrator.
    Now type net stop winmgmt and hit Enter. This will stop the Windows Management Instrumentation Service.
    Next go to C:\Windows\System32\wbem and rename the repository folder to repositoryold.
    Restart.
    Now again open a command prompt as administrator, type net stop winmgmt and hit Enter.
    Next type winmgmt /resetRepository and hit Enter.
    Restart.
    Now see if you can create a System Restore Point manually.

    Info obtained here
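    Steps 2 to 5 above are all read-only checks, so they can be gathered in one pass before touching the WMI repository. The script below is an added example, not part of this thread or of any of the tools it mentions; it assumes the Windows 7 short service names for Volume Shadow Copy (VSS), Microsoft Software Shadow Copy Provider (swprv), Task Scheduler (Schedule) and WMI (winmgmt), and it only reports. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): read-only check of the System Restore
# prerequisites in steps 2-5. Changes nothing; run in an elevated PowerShell 2.0+ prompt.
# Assumption: these are the Windows 7 service short names for the services step 4 refers to.
$requiredServices = @{
    'VSS'      = 'Volume Shadow Copy'
    'swprv'    = 'Microsoft Software Shadow Copy Provider'
    'Schedule' = 'Task Scheduler'
    'winmgmt'  = 'Windows Management Instrumentation'
}

Write-Host "== Service state (step 4) =="
foreach ($name in $requiredServices.Keys) {
    # Win32_Service exposes StartMode; Get-Service on PowerShell 2.0 does not.
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) {
        Write-Host ("{0,-10} MISSING ({1})" -f $name, $requiredServices[$name])
        continue
    }
    $flag = ''
    if ($svc.StartMode -eq 'Disabled') { $flag = '  <-- disabled; restore points cannot be created' }
    Write-Host ("{0,-10} {1,-8} start={2}{3}" -f $name, $svc.State, $svc.StartMode, $flag)
}

Write-Host "`n== Free space on fixed drives (step 3; shadow copies need room) =="
Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" | ForEach-Object {
    $freeGB = [math]::Round($_.FreeSpace / 1GB, 1)
    $pct    = [math]::Round(100 * $_.FreeSpace / $_.Size, 0)
    Write-Host ("{0} {1} GB free ({2}%)" -f $_.DeviceID, $freeGB, $pct)
}

Write-Host "`n== Existing restore points (steps 1-2) =="
$points = Get-ComputerRestorePoint
if ($points -eq $null) {
    Write-Host "None found"
} else {
    $points |
        Select-Object SequenceNumber, Description,
            @{n='Created'; e={[Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)}} |
        Format-Table -AutoSize
}

Write-Host "`n== Recent VSS / System Restore errors (step 5, without opening Event Viewer) =="
# 0x800423F3, the code reported earlier in this thread, is the VSS "retryable writer error";
# the writer that failed normally logs the underlying cause in the Application log.
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS','System Restore'; Level=2} `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, Message | Format-List
```

    If a service shows as Disabled or a drive has almost no free space, that is the thing to fix first; the repository reset in step 6 is only worth attempting once the services and disk space check out, because it discards WMI's stored data and step 6 is the only step here that is not read-only.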
  11. Michael_NY

    Michael_NY TS Rookie Topic Starter Posts: 23

    I had to turn off System Protection, then I was able to create a System Restore Point.

    Malwarebytes was not automatically removed. I did that manually.

    I still have Tweaking.com for Windows on my system from trying to fix this before. Should I remove it?

    When running Security Check, I had the following error;
    AutoIt Error
    Error: Variable must be of type "Object".

    Later, I had another thing pop up, but it went away too quickly.
    Error... Description...

    Here is the report
    ================================================
    Results of screen317's Security Check version 0.99.50
    Windows 7 Service Pack 1 x86 (UAC is disabled!)
    Internet Explorer 8 Out of date!
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    Ad-Aware
    CCleaner
    JavaFX 2.1.1
    Java(TM) 6 Update 30
    Java(TM) 6 Update 31
    Java 7 Update 7
    Adobe Flash Player 10 Flash Player out of Date!
    Adobe Flash Player11.0.1.152
    Adobe Reader X (10.1.4)
    Mozilla Firefox (6.0.2)
    Google Chrome 21.0.1180.83
    Google Chrome 21.0.1180.89
    ````````Process Check: objlist.exe by Laurent````````
    Ad-Aware AAWService.exe is disabled!
    Ad-Aware AAWTray.exe is disabled!
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 1%
    ````````````````````End of Log``````````````````````

    Thank you.
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Tweaking.com's app is up to you. I'm fairly neutral about tweaking apps; while they have good provisions, they can also cause problems.

    Please remove these from the Program List:

    • Java(TM) 6 Update 30
    • Java(TM) 6 Update 31
    Read on why, here: http://secureconnexion.wordpress.com/2012/07/26/java-flaws-becoming-serious-issue/

    Adobe Flash Player Update!

    Please download the newest version of Adobe Flash Player from Adobe.com

    Before installing: it is important to remove older versions of Flash Player since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Adobe Flash Player. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.


    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.

    Any other questions before I mark this topic solved?
  13. Michael_NY

    Michael_NY TS Rookie Topic Starter Posts: 23

    DragonMaster Jay,

    Thank you for all the tips. I am almost certain that the flaws in Java caused my initial problem.

    However, the symptoms that I stated in my first post have not gone away. My icons still auto-arrange themselves at startup and my mouse pointer still gets an hourglass next to it 90% of the time.

    I have noticed the following as well;

    The Task Manager has AsusSender.exe show as running, then going away, every half second or so. Same with HotkeyService.exe, and a few rundll32.exe, and WefFault.exe.


    For the past several days, upon trying to shut down, I get the following;
    -------------------------------
    The instruction at 0x00418556 referenced memory at
    0x00000000. The memory could not be read.

    Click OK to terminate the program
    --------------------------------

    I also have the following;
    -----------------------------------
    (Waiting for) AsusAcpiService
    This program is preventing Windows from shutting down.

    AsusAcpiService:HotkeyService.exe - Application Error
    ---------------------------------
    After hitting OK to terminate the first warning, the other two programs go away, then my computer spends several seconds "Waiting for background programs to close", with no programs listed.

    Any suggestions on how to repair any of this?
  14. Michael_NY

    Michael_NY TS Rookie Topic Starter Posts: 23

    I also noticed that the Restore Point I created earlier is gone. I have no restore points.
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Check with the following tool here, for diagnostics...

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Check the following options: Internet Services, Windows Firewall, System restore, Security Center/Action Center, Windows Update, and Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
  16. Michael_NY

    Michael_NY TS Rookie Topic Starter Posts: 23

    Here you go

    Farbar Service Scanner Version: 06-08-2012
    Ran by Michael (administrator) on 11-09-2012 at 16:40:37
    Running from "C:\Users\Michael\Desktop"
    Windows 7 Home Premium Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\windows\system32\nsisvc.dll => MD5 is legit
    C:\windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\windows\system32\dhcpcore.dll => MD5 is legit
    C:\windows\system32\Drivers\afd.sys => MD5 is legit
    C:\windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\windows\system32\dnsrslvr.dll => MD5 is legit
    C:\windows\system32\mpssvc.dll => MD5 is legit
    C:\windows\system32\bfe.dll => MD5 is legit
    C:\windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\windows\system32\SDRSVC.dll => MD5 is legit
    C:\windows\system32\vssvc.exe => MD5 is legit
    C:\windows\system32\wscsvc.dll => MD5 is legit
    C:\windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\windows\system32\wuaueng.dll => MD5 is legit
    C:\windows\system32\qmgr.dll => MD5 is legit
    C:\windows\system32\es.dll => MD5 is legit
    C:\windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\windows\system32\svchost.exe => MD5 is legit
    C:\windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    These tasks can be ended...
    For the auto-arrange problem, right-click on the Desktop and mouseover View > select Auto arrange icons (make sure unchecked).

    Open CCleaner, click Tools > Startup. Let it load for a bit, then click Save to text file... - once that's done, please post the contents of that log in your next reply.
  18. Michael_NY

    Michael_NY TS Rookie Topic Starter Posts: 23

    I cannot end those tasks. Each of them is up for less than a second before ending on its own and then starting again; repeat.

    I have made sure that Auto arrange is unchecked. On a related note: I have tried to turn it on (just so I could convince my computer that I really do want it off), but upon restarting my computer, it is unchecked again. I seem unable to alter any of my desktop properties (at least as they relate to my icons).

    Here is the report:

    Enabled | Key | Program | Publisher | File
    Yes | HKCU:Run | Akamai NetSession Interface | Akamai Technologies, Inc. | "C:\Users\Michael\AppData\Local\Akamai\netsession_win.exe"
    Yes | HKCU:Run | DAEMON Tools Lite | DT Soft Ltd | "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
    Yes | HKCU:Run | NortonUpdateAgent | Symantec Corporation | C:\ProgramData\Norton\NUA.exe
    Yes | HKLM:Run | Ad-Aware Browsing Protection | Lavasoft | "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
    Yes | HKLM:Run | Adobe ARM | Adobe Systems Incorporated | "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    Yes | HKLM:Run | APSDaemon | Apple Inc. | "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    Yes | HKLM:Run | ASUS Screen Saver Protector | ASUS | C:\Windows\AsScrPro.exe
    Yes | HKLM:Run | Boingo Wi-Fi | | "C:\Program Files\Boingo\Boingo Wi-Fi\Boingo.lnk"
    Yes | HKLM:Run | BrStsWnd | brother | C:\Program Files\Brownie\BrstsWnd.exe Autorun
    Yes | HKLM:Run | DigitalZoomControl | ASUSTek | "C:\Program Files\ASUS\DigitalZoomControl\DigitalZoomControl.exe"
    Yes | HKLM:Run | EvtMgr6 | Logitech, Inc. | C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
    Yes | HKLM:Run | HotkeyMon | ASUSTek Computer Inc. | AsusSender.exe C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe
    Yes | HKLM:Run | HotkeyService | ASUSTek Computer Inc. | AsusSender.exe C:\Program Files\EeePC\HotkeyService\HotkeyService.exe
    Yes | HKLM:Run | OOBESetup | ASUSTeK Computer Inc. | C:\Program Files\asus\OOBERegBackup\OOBERegBackup.exe /restore -"C:\Program Files\asus\OOBERegBackup\OOBEReg.ini"
    Yes | HKLM:Run | QuickTime Task | Apple Inc. | "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    Yes | HKLM:Run | RtHDVCpl | Realtek Semiconductor | C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
    Yes | HKLM:Run | SuperHybridEngine | ASUSTek Computer Inc. | AsusSender.exe C:\Program Files\EeePC\SHE\SuperHybridEngine.exe
    Yes | HKLM:Run | SynTPEnh | Synaptics Incorporated | %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    Yes | HKLM:Run | WinampAgent | Nullsoft, Inc. | "C:\Program Files\Winamp\winampa.exe"
    Yes | Startup Common | Bluetooth.lnk | Broadcom Corporation. | C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    Yes | Startup Common | Microsoft Find Fast.lnk | | C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    Yes | Startup Common | Office Startup.lnk | | C:\Program Files\Microsoft Office\Office\OSA.EXE

    Thank you
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    • Download RogueKiller and save it on your desktop.
    • Quit all programs
    • Start RogueKiller.exe.
    • Wait until Prescan has finished ...
    • Click on Scan

    • Wait for the end of the scan.
    • The report has been created on the desktop.
    • Click on the Delete button.

    • The report has been created on the desktop.
    • Next click on the ShortcutsFix

    • The report has been created on the desktop.
    Please post:

    All RKreport.txt text files located on your desktop.
  20. Michael_NY

    Michael_NY TS Rookie Topic Starter Posts: 23

    DragonMaster Jay,

    Thanks for all you are doing. Here are the three reports.

    ----------------------------------------------------

    RogueKiller V8.0.2 [08/31/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : Michael [Admin rights]
    Mode : Scan -- Date : 09/13/2012 08:08:15

    ¤¤¤ Bad processes : 4 ¤¤¤
    [SUSP PATH][DLL] explorer.exe -- C:\Windows\explorer.exe : C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.dll -> UNLOADED
    [SUSP PATH] NUA.exe -- C:\ProgramData\Norton\NUA.exe -> KILLED [TermProc]
    [SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : -> KILLED [TermProc]
    [SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : -> KILLED [TermProc]

    ¤¤¤ Registry Entries : 9 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : NortonUpdateAgent (C:\ProgramData\Norton\NUA.exe) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-3716613784-1258854080-1605684737-1000[...]\Run : NortonUpdateAgent (C:\ProgramData\Norton\NUA.exe) -> FOUND
    [TASK][RESIDU] ProgramDataUpdater : C:\Windows\System32\rundll32.exe -> FOUND
    [TASK][RESIDU] Proxy : C:\Windows\System32\rundll32.exe -> FOUND
    [TASK][RESIDU] SR : C:\Windows\System32\rundll32.exe -> FOUND
    [TASK][RESIDU] IpAddressConflict1 : C:\Windows\System32\rundll32.exe -> FOUND
    [TASK][RESIDU] IpAddressConflict2 : C:\Windows\System32\rundll32.exe -> FOUND
    [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤
    SSDT[13] : NtAlertResumeThread @ 0x832FCCA9 -> HOOKED (Unknown @ 0x86D4DB18)
    SSDT[14] : NtAlertThread @ 0x8324FBC0 -> HOOKED (Unknown @ 0x86D4C388)
    SSDT[19] : NtAllocateVirtualMemory @ 0x83248BCC -> HOOKED (Unknown @ 0x86FE07E8)
    SSDT[22] : NtAlpcConnectPort @ 0x8329444E -> HOOKED (Unknown @ 0x865170B8)
    SSDT[43] : NtAssignProcessToJobObject @ 0x8321DFCA -> HOOKED (Unknown @ 0x86D79128)
    SSDT[74] : NtCreateMutant @ 0x8322F28E -> HOOKED (Unknown @ 0x86FE7720)
    SSDT[86] : NtCreateSymbolicLinkObject @ 0x832208ED -> HOOKED (Unknown @ 0x86477E98)
    SSDT[87] : NtCreateThread @ 0x832FAED6 -> HOOKED (Unknown @ 0x86FE67F0)
    SSDT[88] : NtCreateThreadEx @ 0x8328F34B -> HOOKED (Unknown @ 0x86477F68)
    SSDT[96] : NtDebugActiveProcess @ 0x832CCDB0 -> HOOKED (Unknown @ 0x86D73A90)
    SSDT[111] : NtDuplicateObject @ 0x8325065A -> HOOKED (Unknown @ 0x86FE0940)
    SSDT[131] : NtFreeVirtualMemory @ 0x830D847A -> HOOKED (Unknown @ 0x86FE7E68)
    SSDT[145] : NtImpersonateAnonymousToken @ 0x832148BC -> HOOKED (Unknown @ 0x86D61350)
    SSDT[147] : NtImpersonateThread @ 0x8329884C -> HOOKED (Unknown @ 0x86D612D8)
    SSDT[155] : NtLoadDriver @ 0x831E4BFC -> HOOKED (Unknown @ 0x8629DA98)
    SSDT[168] : NtMapViewOfSection @ 0x83265512 -> HOOKED (Unknown @ 0x86FE7D88)
    SSDT[177] : NtOpenEvent @ 0x8322EC8A -> HOOKED (Unknown @ 0x86D6A628)
    SSDT[190] : NtOpenProcess @ 0x83230AD4 -> HOOKED (Unknown @ 0x86FE0AE0)
    SSDT[191] : NtOpenProcessToken @ 0x8328321F -> HOOKED (Unknown @ 0x86CEC948)
    SSDT[194] : NtOpenSection @ 0x8328889B -> HOOKED (Unknown @ 0x86D6E130)
    SSDT[198] : NtOpenThread @ 0x8327CF95 -> HOOKED (Unknown @ 0x86FE0A10)
    SSDT[215] : NtProtectVirtualMemory @ 0x83261581 -> HOOKED (Unknown @ 0x86FE7058)
    SSDT[304] : NtResumeThread @ 0x8328F572 -> HOOKED (Unknown @ 0x86D3C920)
    SSDT[316] : NtSetContextThread @ 0x832FC755 -> HOOKED (Unknown @ 0x86D2E118)
    SSDT[333] : NtSetInformationProcess @ 0x8325776D -> HOOKED (Unknown @ 0x86FE7C30)
    SSDT[350] : NtSetSystemInformation @ 0x8326D26C -> HOOKED (Unknown @ 0x86D73048)
    SSDT[366] : NtSuspendProcess @ 0x832FCBE3 -> HOOKED (Unknown @ 0x86D6FF90)
    SSDT[367] : NtSuspendThread @ 0x832B4085 -> HOOKED (Unknown @ 0x86D3C068)
    SSDT[370] : NtTerminateProcess @ 0x83279BCD -> HOOKED (Unknown @ 0x86CEA4C8)
    SSDT[371] : NtTerminateThread @ 0x83297584 -> HOOKED (Unknown @ 0x86D32B90)
    SSDT[385] : NtUnmapViewOfSection @ 0x8328385A -> HOOKED (Unknown @ 0x86D25760)
    SSDT[399] : NtWriteVirtualMemory @ 0x8327E92A -> HOOKED (Unknown @ 0x86FE7F38)
    S_SSDT[318] : Unknown -> HOOKED (Unknown @ 0x87E1D2E8)
    S_SSDT[402] : Unknown -> HOOKED (Unknown @ 0x87E0E2C8)
    S_SSDT[434] : Unknown -> HOOKED (Unknown @ 0x87E02390)
    S_SSDT[436] : Unknown -> HOOKED (Unknown @ 0x87E26E00)
    S_SSDT[448] : Unknown -> HOOKED (Unknown @ 0x87BCC210)
    S_SSDT[490] : Unknown -> HOOKED (Unknown @ 0x87E41E08)
    S_SSDT[508] : Unknown -> HOOKED (Unknown @ 0x87E1A7A8)
    S_SSDT[509] : Unknown -> HOOKED (Unknown @ 0x87E29E08)
    S_SSDT[585] : Unknown -> HOOKED (Unknown @ 0x87BD90B0)
    S_SSDT[588] : Unknown -> HOOKED (Unknown @ 0x87E111D8)
    IRP[IRP_MJ_CREATE] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
    IRP[IRP_MJ_CLOSE] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
    IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
    IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
    IRP[IRP_MJ_POWER] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
    IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
    IRP[IRP_MJ_PNP] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\windows\system32\drivers\etc\hosts

    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: +++++
    --- User ---
    [MBR] 5f9074452f51f11d2d580847a94ef254
    [BSP] 8e7f089651944c89a69681dea7db699e : Windows 7 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 102400 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 209717248 | Size: 125816 Mo
    2 - [XXXXXX] FAT32 (0x1b) [HIDDEN!] Offset (sectors): 467388416 | Size: 10240 Mo
    3 - [XXXXXX] UNKNOWN (0xef) [VISIBLE] Offset (sectors): 488359936 | Size: 15 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt

    RogueKiller V8.0.2 [08/31/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : Michael [Admin rights]
    Mode : Remove -- Date : 09/13/2012 08:10:25

    ¤¤¤ Bad processes : 4 ¤¤¤
    [SUSP PATH][DLL] explorer.exe -- C:\Windows\explorer.exe : C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.dll -> UNLOADED
    [SUSP PATH] NUA.exe -- C:\ProgramData\Norton\NUA.exe -> KILLED [TermProc]
    [SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : -> KILLED [TermProc]
    [SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : -> KILLED [TermProc]

    ¤¤¤ Registry Entries : 8 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : NortonUpdateAgent (C:\ProgramData\Norton\NUA.exe) -> DELETED
    [TASK][RESIDU] ProgramDataUpdater : C:\Windows\System32\rundll32.exe -> DELETED
    [TASK][RESIDU] Proxy : C:\Windows\System32\rundll32.exe -> DELETED
    [TASK][RESIDU] SR : C:\Windows\System32\rundll32.exe -> DELETED
    [TASK][RESIDU] IpAddressConflict1 : C:\Windows\System32\rundll32.exe -> DELETED
    [TASK][RESIDU] IpAddressConflict2 : C:\Windows\System32\rundll32.exe -> DELETED
    [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
    [HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤
    SSDT[13] : NtAlertResumeThread @ 0x832FCCA9 -> HOOKED (Unknown @ 0x86D4DB18)
    SSDT[14] : NtAlertThread @ 0x8324FBC0 -> HOOKED (Unknown @ 0x86D4C388)
    SSDT[19] : NtAllocateVirtualMemory @ 0x83248BCC -> HOOKED (Unknown @ 0x86FE07E8)
    SSDT[22] : NtAlpcConnectPort @ 0x8329444E -> HOOKED (Unknown @ 0x865170B8)
    SSDT[43] : NtAssignProcessToJobObject @ 0x8321DFCA -> HOOKED (Unknown @ 0x86D79128)
    SSDT[74] : NtCreateMutant @ 0x8322F28E -> HOOKED (Unknown @ 0x86FE7720)
    SSDT[86] : NtCreateSymbolicLinkObject @ 0x832208ED -> HOOKED (Unknown @ 0x86477E98)
    SSDT[87] : NtCreateThread @ 0x832FAED6 -> HOOKED (Unknown @ 0x86FE67F0)
    SSDT[88] : NtCreateThreadEx @ 0x8328F34B -> HOOKED (Unknown @ 0x86477F68)
    SSDT[96] : NtDebugActiveProcess @ 0x832CCDB0 -> HOOKED (Unknown @ 0x86D73A90)
    SSDT[111] : NtDuplicateObject @ 0x8325065A -> HOOKED (Unknown @ 0x86FE0940)
    SSDT[131] : NtFreeVirtualMemory @ 0x830D847A -> HOOKED (Unknown @ 0x86FE7E68)
    SSDT[145] : NtImpersonateAnonymousToken @ 0x832148BC -> HOOKED (Unknown @ 0x86D61350)
    SSDT[147] : NtImpersonateThread @ 0x8329884C -> HOOKED (Unknown @ 0x86D612D8)
    SSDT[155] : NtLoadDriver @ 0x831E4BFC -> HOOKED (Unknown @ 0x8629DA98)
    SSDT[168] : NtMapViewOfSection @ 0x83265512 -> HOOKED (Unknown @ 0x86FE7D88)
    SSDT[177] : NtOpenEvent @ 0x8322EC8A -> HOOKED (Unknown @ 0x86D6A628)
    SSDT[190] : NtOpenProcess @ 0x83230AD4 -> HOOKED (Unknown @ 0x86FE0AE0)
    SSDT[191] : NtOpenProcessToken @ 0x8328321F -> HOOKED (Unknown @ 0x86CEC948)
    SSDT[194] : NtOpenSection @ 0x8328889B -> HOOKED (Unknown @ 0x86D6E130)
    SSDT[198] : NtOpenThread @ 0x8327CF95 -> HOOKED (Unknown @ 0x86FE0A10)
    SSDT[215] : NtProtectVirtualMemory @ 0x83261581 -> HOOKED (Unknown @ 0x86FE7058)
    SSDT[304] : NtResumeThread @ 0x8328F572 -> HOOKED (Unknown @ 0x86D3C920)
    SSDT[316] : NtSetContextThread @ 0x832FC755 -> HOOKED (Unknown @ 0x86D2E118)
    SSDT[333] : NtSetInformationProcess @ 0x8325776D -> HOOKED (Unknown @ 0x86FE7C30)
    SSDT[350] : NtSetSystemInformation @ 0x8326D26C -> HOOKED (Unknown @ 0x86D73048)
    SSDT[366] : NtSuspendProcess @ 0x832FCBE3 -> HOOKED (Unknown @ 0x86D6FF90)
    SSDT[367] : NtSuspendThread @ 0x832B4085 -> HOOKED (Unknown @ 0x86D3C068)
    SSDT[370] : NtTerminateProcess @ 0x83279BCD -> HOOKED (Unknown @ 0x86CEA4C8)
    SSDT[371] : NtTerminateThread @ 0x83297584 -> HOOKED (Unknown @ 0x86D32B90)
    SSDT[385] : NtUnmapViewOfSection @ 0x8328385A -> HOOKED (Unknown @ 0x86D25760)
    SSDT[399] : NtWriteVirtualMemory @ 0x8327E92A -> HOOKED (Unknown @ 0x86FE7F38)
    S_SSDT[318] : Unknown -> HOOKED (Unknown @ 0x87E1D2E8)
    S_SSDT[402] : Unknown -> HOOKED (Unknown @ 0x87E0E2C8)
    S_SSDT[434] : Unknown -> HOOKED (Unknown @ 0x87E02390)
    S_SSDT[436] : Unknown -> HOOKED (Unknown @ 0x87E26E00)
    S_SSDT[448] : Unknown -> HOOKED (Unknown @ 0x87BCC210)
    S_SSDT[490] : Unknown -> HOOKED (Unknown @ 0x87E41E08)
    S_SSDT[508] : Unknown -> HOOKED (Unknown @ 0x87E1A7A8)
    S_SSDT[509] : Unknown -> HOOKED (Unknown @ 0x87E29E08)
    S_SSDT[585] : Unknown -> HOOKED (Unknown @ 0x87BD90B0)
    S_SSDT[588] : Unknown -> HOOKED (Unknown @ 0x87E111D8)
    IRP[IRP_MJ_CREATE] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
    IRP[IRP_MJ_CLOSE] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
    IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
    IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
    IRP[IRP_MJ_POWER] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
    IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
    IRP[IRP_MJ_PNP] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\windows\system32\drivers\etc\hosts

    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: +++++
    --- User ---
    [MBR] 5f9074452f51f11d2d580847a94ef254
    [BSP] 8e7f089651944c89a69681dea7db699e : Windows 7 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 102400 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 209717248 | Size: 125816 Mo
    2 - [XXXXXX] FAT32 (0x1b) [HIDDEN!] Offset (sectors): 467388416 | Size: 10240 Mo
    3 - [XXXXXX] UNKNOWN (0xef) [VISIBLE] Offset (sectors): 488359936 | Size: 15 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[2].txt >>
    RKreport[1].txt ; RKreport[2].txt



    RogueKiller V8.0.2 [08/31/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : Michael [Admin rights]
    Mode : Shortcuts HJfix -- Date : 09/13/2012 08:12:36

    ¤¤¤ Bad processes : 4 ¤¤¤
    [SUSP PATH][DLL] explorer.exe -- C:\Windows\explorer.exe : C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.dll -> UNLOADED
    [SUSP PATH] NUA.exe -- C:\ProgramData\Norton\NUA.exe -> KILLED [TermProc]
    [SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : -> KILLED [TermProc]
    [SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : -> KILLED [TermProc]

    ¤¤¤ Driver : [LOADED] ¤¤¤

    ¤¤¤ File attributes restored: ¤¤¤
    Desktop: Success 0 / Fail 0
    Quick launch: Success 0 / Fail 0
    Programs: Success 1 / Fail 0
    Start menu: Success 0 / Fail 0
    User folder: Success 27 / Fail 0
    My documents: Success 0 / Fail 0
    My favorites: Success 0 / Fail 0
    My pictures: Success 0 / Fail 0
    My music: Success 0 / Fail 0
    My videos: Success 0 / Fail 0
    Local drives: Success 26 / Fail 6
    Backup: [NOT FOUND]

    Drives:
    [C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
    [D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
    [E:] \Device\CdRom0 -- 0x5 --> Skipped
    [F:] \Device\HarddiskVolume5 -- 0x2 --> Restored

    ¤¤¤ Infection : ¤¤¤

    Finished : << RKreport[3].txt >>
    RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt


    Michael
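For the Windows Defender "disabled policy" that FSS printed in post 16 and the two UAC values RogueKiller listed as [HJ] and reset above, here is a read-only audit as an added example; it is not code from this thread or from either tool. The registry paths are the real Windows keys, and the expected values are assumed Windows 7 defaults rather than anything the logs state.

```powershell
# Added example, not code from this thread, FSS or RogueKiller.
# Read-only audit of the settings the two logs flagged: the Windows Defender
# "disabled policy" value FSS printed, the WinDefend start type, and the two
# UAC values RogueKiller listed as [HJ] and reset to 1 and 2.
# Expected values are Windows 7 defaults (an assumption, not taken from the logs).
# Run from an elevated PowerShell prompt; nothing is changed.

$registryChecks = @(
    @{ Name = 'Defender DisableAntiSpyware'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
       Value = 'DisableAntiSpyware'; Expected = 0 },
    @{ Name = 'UAC EnableLUA'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'EnableLUA'; Expected = 1 },
    @{ Name = 'UAC ConsentPromptBehaviorAdmin'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'ConsentPromptBehaviorAdmin'; Expected = 2 }
)

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$Name
}

function Test-RegistryChecks {
    param([array]$Checks)
    foreach ($c in $Checks) {
        $actual = Get-RegistryDword -Path $c.Path -Name $c.Value
        # An absent DisableAntiSpyware value is the normal state, so treat it as 0.
        if ($actual -eq $null -and $c.Value -eq 'DisableAntiSpyware') { $actual = 0 }
        $status = if ($actual -eq $c.Expected) { 'OK' } else { 'DEVIATION' }
        New-Object PSObject -Property @{
            Check = $c.Name; Actual = $actual; Expected = $c.Expected; Status = $status
        }
    }
}

function Test-ServiceStartMode {
    param([string]$Name, [string]$ExpectedMode)
    # Win32_Service.StartMode reports Auto/Manual/Disabled; the "Demand" FSS printed is Manual.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    $actual = if ($svc -eq $null) { 'MISSING' } else { $svc.StartMode }
    $status = if ($actual -eq $ExpectedMode) { 'OK' } else { 'DEVIATION' }
    New-Object PSObject -Property @{
        Check = "Service $Name start mode"; Actual = $actual; Expected = $ExpectedMode; Status = $status
    }
}

$results = @(Test-RegistryChecks -Checks $registryChecks)
$results += Test-ServiceStartMode -Name 'WinDefend' -ExpectedMode 'Auto'
$results | Format-Table Check, Expected, Actual, Status -AutoSize

# Caveat: a third-party antivirus (this machine has Norton in its CCleaner
# startup list) legitimately sets DisableAntiSpyware=1 and leaves WinDefend on
# Manual, so read those two deviations together with the UAC ones. EnableLUA=0
# (UAC switched off entirely) is not something an antivirus installer does.
```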
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Now, how are things running?
  22. Michael_NY

    Michael_NY TS Rookie Topic Starter Posts: 23

    They are running roughly the same as before. I still have the hourglass show up by my mouse cursor all the time and the startup seems slow. Desktop icons continue to auto-arrange at startup. The machine seems better than it did a week or so ago, but not as good as before I picked up Live Security Platinum.
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Download Windows Repair (all in one) from this site

    Install the program then run it.

    Go to Step 2 and allow it to run CheckDisk by clicking on the Do It button:




    Once that is done, go to Step 3 and allow it to run System File Check by clicking on the Do It button:



    Go to Step 4 and under "System Restore" click on Create button:



    Go to Start Repairs tab and click Start button.



    Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):


    Click on box next to the Restart System when Finished. Then click on Start.
  24. Michael_NY

    Michael_NY TS Rookie Topic Starter Posts: 23

    DMJ,

    I no longer seem to have the background programs running and things seem to be quicker now. I still have been unable to get the desktop to stop auto-arranging at startup, but I've been away for a few days and haven't been able to try all settings. Thanks for all the assistance.

    Michael
  25. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Let's see if the Desktop icon layout will solve itself, if we do the following...

    Please download OTM

    • Save it to your desktop.
    • Please double-click OTM to run it. (Note for Vista: Right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL C (or, after highlighting, right-click and choose Copy):

    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.