Do I need to do malware removal?

Solved
By mom26gr8kids
May 9, 2012
Topic Status: Not open for further replies.
  1. Several weeks ago when I ran my weekly SuperAntiSpyware scan a couple of threats came up. Usually my SAS has to remove a few tracking cookies, but that's all; this time it found something called Adware HBHelper and Browser Hijacker Deskbar. After rebooting my computer and running an SAS scan again there was no further evidence of these programs, but when we use Mozilla, instead of Google being our homepage I get this Iminent Search page. I have reset Google as my homepage several times, but after a few days it reverts to this other page. Today when I was going through my program files to see if there was anything that I could delete (that we no longer use) I found program files for Iminent and Iminent toolbar. My first instinct was to delete them, but I know sometimes these types of programs can use other files on your computer.

    So, my question is twofold. Can I delete the Iminent programs? And do I need to run the 5 steps again? I rarely use my PC for anything personal anymore; I use my laptop and let the kids use this for their games and homework, etc. Still, I would like to keep their information private. Looking forward to your help.

    Kendra
  2. Bobbye
    Hi Kendra, I think we've met before. From what you are saying, firstly, I would strongly recommend that you run the steps again. You are being redirected and the Iminent Search shouldn't stay on the system. Chances are it will take more than a delete/reset to get rid of it, so let's have a look.

    Please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    =========================================
    These won't violate their privacy. It may show if there is malware on a document, but the scans don't open the document and 'read the letter'.
    ========================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs, except those I give you.
    Threads are closed after 5 days if there is no reply.

    Edit: I reviewed the thread I helped you with last Dec. You didn't particularly want to run the scans then either, but they found, and removed, a significant amount of malware. Also, remind me to give you information to reset the Cookies so SAS won't have to work so hard removing them!
  3. mom26gr8kids
    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.05.10.01

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Dad :: DAD-PC [administrator]

    09/05/2012 10:42:06 PM
    mbam-log-2012-05-09 (22-42-06).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 236048
    Time elapsed: 12 minute(s), 31 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Users\Dad\Downloads\SoftonicDownloader_for_hamachi.exe (PUP.ToolbarDownloader) -> Quarantined and deleted successfully.

    (end)

    These are the MBAM logs. I will run the remaining scans tomorrow and post the remaining logs.
  4. Bobbye
    Okay, post when ready.

    So far, a download (by 'Dad') found a potentially unwanted program (PUP), Toolbar Downloader, for Hamachi: see http://hamachi.en.softonic.com/.
    The operative word here is 'potentially'.
  5. mom26gr8kids
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-05-10 14:20:13
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\0000005a Hitachi_ rev.ST2O
    Running: j9w6jq2g.exe; Driver: C:\Users\Dad\AppData\Local\Temp\kxtdapow.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x9547ED92]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
    Device \FileSystem\fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

    ---- EOF - GMER 1.0.15 ----
  6. mom26gr8kids
    DDS logs

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
    Run by Dad at 14:51:49 on 2012-05-10
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1495 [GMT -6:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: COMODO Defense+ *Enabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
    FW: COMODO Firewall *Enabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
    C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    C:\Windows\system32\PnkBstrA.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Acer\Empowering Technology\SysMonitor.exe
    C:\Program Files\Acer\Empowering Technology\Framework.Launcher.exe
    C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files\COMODO\COMODO GeekBuddy\CLPS.exe
    C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Iminent\Iminent.exe
    C:\Program Files\Iminent\Iminent.Messengers.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
    C:\Windows\ehome\ehsched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\ehome\ehRecvr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1300
    uDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1300
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: H - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: TBSB01620 Class: {58124a0b-dc32-4180-9bff-e0e21ae34026} - c:\program files\iminent toolbar\tbcore3.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
    BHO: {84FF7BD6-B47F-46F8-9130-01B2696B36CB} - No File
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: IMinent WebBooster (BHO): {a09ab6eb-31b5-454c-97ec-9b294d92ee2a} - c:\program files\iminent\Iminent.WebBooster.InternetExplorer.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    TB: IMinent Toolbar: {977ae9cc-af83-45e8-9e03-e2798216e2d5} - c:\program files\iminent toolbar\tbcore3.dll
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [Spotify] "c:\users\dad\appdata\roaming\spotify\Spotify.exe" /uri spotify:autostart
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
    mRun: [Acer Empowering Technology Monitor] c:\program files\acer\empowering technology\SysMonitor.exe
    mRun: [EmpoweringTechnology] c:\program files\acer\empowering technology\Framework.Launcher.exe boot
    mRun: [eDataSecurity Loader] c:\program files\acer\empowering technology\edatasecurity\x86\eDSloader.exe
    mRun: [PCMMediaSharing] c:\program files\acer arcade live\acer homemedia connect\kernel\dms\PCMMediaSharing.exe
    mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled
    mRun: [Acer Product Registration] "c:\program files\acer\acer registration\ACE1.exe" /startup
    mRun: [Acer Assist Launcher] c:\program files\acer\acer assist\launcher.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [COMODO] c:\program files\comodo\comodo geekbuddy\CLPSLA.exe
    mRun: [CPA] c:\program files\comodo\comodo geekbuddy\VALA.exe
    mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
    mRun: [Iminent] c:\program files\iminent\Iminent.exe /warmup "F77F87E5-A6BD-4922-A530-EDF63D7E9F8C"
    mRun: [IminentMessenger] c:\program files\iminent\Iminent.Messengers.exe /startup
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\person~1.lnk - c:\program files\broderbund\mavis beacon teaches typing 15\minimavis.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{209691AC-D76C-4989-96DB-91FF190476EE} : NameServer = 8.26.56.26,156.154.70.22
    TCP: Interfaces\{209691AC-D76C-4989-96DB-91FF190476EE} : DhcpNameServer = 192.168.1.1
    Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll
    Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    AppInit_DLLs: c:\progra~1\google\google~1\googledesktopnetwork3.dll c:\windows\system32\guard32.dll c:\windows\system32\guard32.dll c:\windows\system32\guard32.dll c:\windows\system32\guard32.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\dad\appdata\roaming\mozilla\firefox\profiles\svjtkm5q.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4dd2ebf0&I=23&tp=ab&nt=1&q=
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
    FF - plugin: c:\program files\iwonei\installr\1.bin\NPjfEISb.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPcol500.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npigl.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
    FF - plugin: c:\program files\musicnotes\npmusicn.dll
    FF - plugin: c:\program files\musicnotes\NPSibelius.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\dad\appdata\local\roblox\versions\version-fb3436d54f9e4598\NPRobloxProxy.dll
    FF - plugin: c:\users\dad\appdata\locallow\sony online entertainment\npsoe.dll
    FF - plugin: c:\users\dad\appdata\locallow\sony online entertainment\npsoeact.dll
    FF - plugin: c:\users\dad\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\users\dad\appdata\roaming\mozilla\firefox\profiles\svjtkm5q.default\extensions\battlefieldplay4free@ea.com\plugins\npBP4FUpdater.dll
    FF - plugin: c:\users\dad\appdata\roaming\mozilla\firefox\profiles\svjtkm5q.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-7-15 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-7-15 337880]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-12-19 491816]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-12-19 38616]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-9-4 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-10-18 116608]
    R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\acer arcade live\acer homemedia connect\kernel\dms\CLMSServer.exe [2009-1-19 269448]
    R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-7-15 20696]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-7-15 57688]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-7-15 44768]
    R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo geekbuddy\CLPSLS.exe [2011-11-23 1052472]
    R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2009-1-19 24576]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2012-2-28 1373576]
    R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-9-23 144632]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-7-18 2214504]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-7-18 1153368]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-1-19 43552]
    S2 Application Updater;Application Updater;"c:\program files\application updater\applicationupdater.exe" --> c:\program files\application updater\ApplicationUpdater.exe [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-17 136176]
    S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-17 136176]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-26 129976]
    S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-9-23 50424]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-4 12872]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-05-05 17:08:22 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-05-05 17:08:22 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-05 16:48:31 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2012-05-05 16:47:51 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2012-05-05 16:47:51 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2012-05-05 16:47:50 683008 ----a-w- c:\windows\system32\d2d1.dll
    2012-05-05 16:47:50 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2012-05-05 16:47:50 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2012-05-05 16:47:48 613376 ----a-w- c:\windows\system32\rdpencom.dll
    2012-05-05 16:47:48 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-05-05 16:47:47 680448 ----a-w- c:\windows\system32\msvcrt.dll
    2012-05-05 16:47:34 2044416 ----a-w- c:\windows\system32\win32k.sys
    2012-04-26 17:05:26 -------- d-----w- c:\program files\Mozilla Maintenance Service
    2012-04-26 17:05:16 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
    2012-04-26 17:05:15 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
    2012-04-23 19:42:10 -------- d-----w- c:\program files\common files\Steam
    2012-04-23 19:42:03 -------- d-----w- c:\program files\Steam
    2012-04-17 16:41:41 -------- d-----w- c:\program files\iPod
    2012-04-16 19:06:03 -------- d-----w- c:\users\dad\appdata\roaming\.spoutcraft
    .
    ==================== Find3M ====================
    .
    2012-04-04 21:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-22 20:22:46 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-22 19:12:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
    2012-03-18 03:59:39 138264 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2012-03-18 03:59:17 234768 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2012-03-18 03:59:17 234768 ----a-w- c:\windows\system32\PnkBstrB.exe
    2012-03-18 03:10:28 138056 ----a-w- c:\users\dad\appdata\roaming\PnkBstrK.sys
    2012-03-18 03:10:03 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
    2012-03-11 21:13:28 38616 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2012-03-11 21:13:26 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
    2012-03-11 21:13:25 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2012-03-11 21:13:19 33984 ----a-w- c:\windows\system32\cmdcsr.dll
    2012-03-11 21:13:18 301224 ----a-w- c:\windows\system32\guard32.dll
    2012-03-07 00:15:19 41184 ----a-w- c:\windows\avastSS.scr
    2012-03-07 00:03:51 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-03-07 00:01:48 57688 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-02-29 15:11:45 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-02-29 15:11:42 172032 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 15:09:53 157696 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 13:32:37 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
    2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
    2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-02-15 18:01:50 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
    2012-02-15 18:01:50 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    .
    ============= FINISH: 14:53:25.07 ===============
  7. mom26gr8kids
    2nd DDS log

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 10/10/2006 7:16:20 PM
    System Uptime: 10/05/2012 12:38:54 PM (2 hours ago)
    .
    Motherboard: Acer | | WMCP78M
    Processor: AMD Athlon(tm) 7450 Dual-Core Processor | Socket AM2 | 1200/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 142 GiB total, 11.964 GiB free.
    D: is FIXED (NTFS) - 142 GiB total, 141.567 GiB free.
    E: is CDROM ()
    I: is Removable
    K: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {36fc9e60-c465-11cf-8056-444553540000}
    Description: USB Mass Storage Device
    Device ID: USB\VID_05AC&PID_120A\000A270018427AFC
    Manufacturer: Compatible USB storage device
    Name: USB Mass Storage Device
    PNP Device ID: USB\VID_05AC&PID_120A\000A270018427AFC
    Service: USBSTOR
    .
    ==== System Restore Points ===================
    .
    RP1817: 05/04/2012 3:59:50 PM - Installed LogMeIn Hamachi
    RP1818: 23/04/2012 1:41:05 PM - Installed Steam
    RP1819: 05/05/2012 10:51:53 AM - Windows Update
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    2002 Games
    7-Zip 9.20
    Ace of Spades
    Acer Arcade Live Main Page
    Acer Assist
    Acer DV Magician
    Acer DVDivine
    Acer eDataSecurity Management
    Acer Empowering Technology
    Acer eRecovery Management
    Acer HomeMedia
    Acer HomeMedia Connect
    Acer HomeMedia Trial Creator
    Acer Registration
    Acer ScreenSaver
    Acer SlideShow DVD
    Acer VideoMagician
    Acrobat.com
    Adobe Acrobat 4.0
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader X (10.1.3)
    Adobe Shockwave Player 11.6
    Agere Systems PCI-SV92EX Soft Modem
    Alice Greenfingers
    Alien Shooter
    Allmyapps
    Amazon MP3 Downloader 1.0.12
    Anna`s Ice Cream
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AV Input Selection
    avast! Free Antivirus
    Avenue Flo - Special Delivery
    Babysitting Mania
    Batch Update
    Battlefield Play4Free
    Bible Data Type System Files
    Big Fish Games: Game Manager
    Bonjour
    Bookworm Adventures
    Build In Time
    Burger Shop
    C:\Program Files\Acer GameZone\GameConsole
    Cake Mania
    Chicken Invaders 2
    Chocolatier
    Choice Guard
    Common System Files
    Comodo Dragon
    COMODO GeekBuddy
    COMODO Internet Security
    Cookie Domination
    Cooking Academy
    Cooking Dash
    Cooking Dash Diner Town Studios
    Dairy Dash
    Direct Show Ogg Vorbis Filter (remove only)
    Doggie Dash
    Double Play Jojo’s Fashion Show 1 & 2
    Dream Day First Home
    Dream Day Wedding
    Dream Day Wedding Married in Manhattan
    eMusic Download Manager 4.1.4
    EPSON TWAIN 5
    ESET Online Scanner v3
    Family Feud 3
    Family Tree Maker 2005
    Fashion Dash
    Free Realms
    Free Realms Installer
    Galapago
    Garfield's Typing Pal
    Go-Go Gourmet
    Go Go Gourmet Chef of the Year
    Google Desktop
    Google Earth Plug-in
    Google SketchUp 8
    Google Update Helper
    Graphical Query Editor
    Hax264 Codec 2.1.0.8
    Heroes of Hellas
    HiJackThis
    Home Sweet Home
    Hotel Dash Suite Success
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    ijji REACTOR
    Iminent
    IMinent Toolbar
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 30
    Jessicas Cupcake Cafe
    Jewelleria
    Junk Mail filter update
    Kelly Green Garden Queen
    Kitchen Brigade
    LEGO Universe
    Libronix Digital Library System
    Libronix DLS Application
    Libronix DLS Shortcuts
    LibronixUpdate
    Lizard Safeguard - PDF Viewer 2.6.9
    LLS Resource Driver
    LogMeIn Hamachi
    Magic Farm
    Magic Match Adventures
    Malwarebytes Anti-Malware version 1.61.0.1400
    Math Missions Grades 3-5
    Math Missions Grades K-2
    Mavis Beacon Teaches Typing 15
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Small Business Edition 2003
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Train Simulator
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Works
    Minecraft version Beta 1.8
    Mozilla Firefox 12.0 (x86 en-US)
    Mozilla Maintenance Service
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Musicnotes Software Suite 1.5.5
    Mystery Solitaire - Secret Island
    Norton Internet Security
    NTI Backup Now 5
    NTI Backup Now Standard
    NTI Media Maker 8
    NVIDIA Control Panel 275.33
    NVIDIA Display Control Panel
    NVIDIA Drivers
    NVIDIA Graphics Driver 275.33
    NVIDIA Install Application
    NVIDIA Stereoscopic 3D Driver
    NVIDIA Update 1.3.5
    NVIDIA Update Components
    OEB Resource Driver
    OGA Notifier 2.0.0048.0
    Orchard
    Passport to Perfume™
    PDF Resource Driver
    PDFCreator
    pdfforge Toolbar v4.3
    Picasa 3
    Plants vs. Zombies
    PlayReady PC runtime
    PunkBuster Services
    Puzzle and Board XP Championship
    QuickTime
    Roblox
    Roblox for Dad
    ScanToWeb
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Media Encoder (KB2447961)
    Sentence Diagramming
    Shopmania
    Skype Click to Call
    Skype™ 5.8
    Spelling Dictionaries Support For Adobe Reader 9
    Spybot - Search & Destroy
    Steam
    Sunshine Acres
    SUPERAntiSpyware Free Edition
    swMSM
    System Requirements Lab
    Teach Yourself to Play Guitar 1.8.1
    Timez Attack
    U.B. Funkeys
    Uninstall Dual Mode Camera
    Unity Web Player
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Wedding Dash 2
    Wedding Dash Ready Aim Love
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Encoder 9 Series
    Yard Sale Junkie
    Year 2 year-plan
    Year 3 Curriculum
    Year 3 Interface
    Year 4 Curriculum
    Year 4 Government
    Year 4 Interface
    Year 4 MapAids
    .
    ==== Event Viewer Messages From Past Week ========
    .
    10/05/2012 2:07:26 PM, Error: nvstor32 [5] - A parity error was detected on \Device\RaidPort0.
    10/05/2012 12:40:16 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
    10/05/2012 12:40:13 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    10/05/2012 12:40:13 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    10/05/2012 12:40:13 PM, Error: Service Control Manager [7003] - The Internet Connection Sharing (ICS) service depends the following service: BFE. This service might not be installed.
    10/05/2012 12:40:13 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    07/05/2012 9:15:44 PM, Error: EventLog [6008] - The previous system shutdown at 9:14:14 PM on 5/7/2012 was unexpected.
    07/05/2012 9:11:19 PM, Error: Application Popup [56] - Driver USB returned invalid ID for a child device (0).
    05/05/2012 5:25:05 PM, Error: EventLog [6008] - The previous system shutdown at 5:23:28 PM on 5/5/2012 was unexpected.
    05/05/2012 11:10:03 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Windows Live Sign-In Assistant (KB 967912).
    05/05/2012 11:09:00 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
    05/05/2012 11:09:00 AM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    05/05/2012 11:08:04 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    .
    ==== End Of File ===========================
  8. mom26gr8kids

    mom26gr8kids TechSpot Maniac Topic Starter Posts: 387

    Bobbye

    It's funny you should mention that because when I was giving my kids the "please don't download anything without asking me" speech this morning one of my sons mentioned that he thought it was the hamachi. He has a lot of friends who are gamers that ask him to download things so he can play certain games with them, most of these friends have their own computers, but I am still curious how his friends can download these things and not also be infected.

    According to my son the Hamachi is so that he can play Minecraft on certain servers. So, if I keep this on my computer is this a safe program, or should I tell him that he can't play Minecraft on those servers? Since it appears that the Hamachi connects two computers is it possible for us to get a virus from someone else's network?

    Also I forgot to mention that part of the reason I was cleaning out the program files is because my C drive is almost out of space, and that is when I noticed the Iminent program files and those files are what is taking up so much space. I think you will see in the logs how many GB are taken up on my C drive. I am no longer being redirected to the Iminent search page though, so that's a good start.

    Thanks for your help
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Kendra, the Iminent program has put toolbars, BHOs and other processes all over the system. Something you might want to include in the 'download speech.'

    1. Be aware that many download screens have pre-checked boxes. If allowed, they add other processes to the download, some having to do with the program being downloaded and some not.
    2. If/When you go to run the download that you have saved to the desktop and get a choice of Standard or Custom Download, always choose Custom. Doing so will allow you to NOT choose any additional features the program is offering.

    About how some users get away with downloading and others do not:
    It is not always the download itself causing the problem- it may be the site or the program that is used to download it. For instance a program called Application Updater is on your system. I will be removing it with the script because it's Adware made by Spigot Inc. which comes bundled with other software. This startup entry is installed as a Windows service> Service Name: Application Updater
    -------------------------------
    About the Hard Drive:
    I can help you to some extent free up some space on the hard drive. The Windows install was in 2006. There are 14 Acer programs on the system. Did you ever check them out to see what you used and what you didn't want? It's one of those things that is best done soon after getting the computer- otherwise one forgets to check. Remind me when we finish up to give you the list of the Acer programs- you can check them out, find out what they do and determine if you use them. If not, they can be uninstalled.

    Another source of filling up the hard drive is the 25 plug-ins on Firefox. They all need 'living space' too!

    There are also 2 backup programs on the system: Carbonite came pre-installed. You also have NTI Backup Now 5 and NTI Backup Now Standard. Chances are you don't use both- possibly neither.

    There are 2 antivirus programs installed: Avast and Norton Internet Security. Maybe Norton came pre-installed but you don't use it. But it should be uninstalled: you can use this> Norton Removal Tool
    ==============================================
    I'd like you to run the following. After Combofix, I will write some script to remove some entries and guide you into some programs to be uninstalled.
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Before you run the Combofix scan, please disable any security software you have running.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated- it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =====================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =======================================
    Please leave both logs in your next reply.
  10. mom26gr8kids

    mom26gr8kids TechSpot Maniac Topic Starter Posts: 387

    ComboFix 12-05-10.05 - Dad 10/05/2012 22:00:51.4.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1502 [GMT -6:00]
    Running from: c:\users\Dad\Downloads\ComboFix.exe
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    FW: COMODO Firewall *Enabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: COMODO Defense+ *Enabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\652400e0l875q556u474a6ojs2m2
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-11 to 2012-05-11 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-11 04:31 . 2012-05-11 04:31 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2012-05-11 04:31 . 2012-05-11 04:31 -------- d-----w- c:\users\Public\AppData\Local\temp
    2012-05-11 04:31 . 2012-05-11 04:31 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-05-11 04:31 . 2012-05-11 04:31 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2012-05-05 17:08 . 2012-03-06 06:39 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-05-05 17:08 . 2012-03-06 06:39 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-05 16:48 . 2012-03-01 11:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2012-05-05 16:47 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2012-05-05 16:47 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2012-05-05 16:47 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2012-05-05 16:47 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2012-05-05 16:47 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
    2012-05-05 16:47 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
    2012-05-05 16:47 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-05-05 16:47 . 2011-12-14 16:17 680448 ----a-w- c:\windows\system32\msvcrt.dll
    2012-05-05 16:47 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
    2012-04-26 17:05 . 2012-04-26 17:05 -------- d-----w- c:\program files\Mozilla Maintenance Service
    2012-04-26 17:05 . 2012-04-26 17:05 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
    2012-04-26 17:05 . 2012-04-26 17:05 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
    2012-04-23 19:42 . 2012-04-29 12:35 -------- d-----w- c:\program files\Common Files\Steam
    2012-04-23 19:42 . 2012-05-10 18:41 -------- d-----w- c:\program files\Steam
    2012-04-17 16:41 . 2012-04-17 16:41 -------- d-----w- c:\program files\iPod
    2012-04-16 19:06 . 2012-05-10 22:15 -------- d-----w- c:\users\Dad\AppData\Roaming\.spoutcraft
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-04 21:56 . 2011-12-17 07:27 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-22 20:22 . 2011-06-03 15:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
    2012-03-18 03:59 . 2012-03-18 03:10 138264 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2012-03-18 03:59 . 2012-03-18 03:59 234768 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2012-03-18 03:59 . 2012-03-18 03:10 234768 ----a-w- c:\windows\system32\PnkBstrB.exe
    2012-03-18 03:10 . 2012-03-18 03:10 138056 ----a-w- c:\users\Dad\AppData\Roaming\PnkBstrK.sys
    2012-03-18 03:10 . 2012-03-18 03:10 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
    2012-03-11 21:13 . 2011-12-20 01:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
    2012-03-11 21:13 . 2011-12-20 01:59 38616 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2012-03-11 21:13 . 2011-12-20 01:59 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
    2012-03-11 21:13 . 2011-12-20 01:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2012-03-11 21:13 . 2011-12-20 01:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
    2012-03-11 21:13 . 2011-12-20 01:58 301224 ----a-w- c:\windows\system32\guard32.dll
    2012-03-07 00:15 . 2011-07-16 05:08 41184 ----a-w- c:\windows\avastSS.scr
    2012-03-07 00:15 . 2011-07-16 05:08 201352 ----a-w- c:\windows\system32\aswBoot.exe
    2012-03-07 00:03 . 2011-07-16 05:10 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-03-07 00:03 . 2011-07-16 05:10 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-03-07 00:02 . 2011-07-16 05:10 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-03-07 00:01 . 2011-07-16 05:10 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-03-07 00:01 . 2011-07-16 05:10 57688 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-03-07 00:01 . 2011-07-16 05:10 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-02-15 18:01 . 2012-02-15 18:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
    2012-02-15 18:01 . 2012-02-15 18:01 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2012-04-26 17:05 . 2011-03-24 02:39 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58124A0B-DC32-4180-9BFF-E0E21AE34026}]
    2010-07-02 15:54 2607872 ----a-w- c:\program files\IMinent Toolbar\tbcore3.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{977AE9CC-AF83-45E8-9E03-E2798216E2D5}"= "c:\program files\IMinent Toolbar\tbcore3.dll" [2010-07-02 2607872]
    .
    [HKEY_CLASSES_ROOT\clsid\{977ae9cc-af83-45e8-9e03-e2798216e2d5}]
    [HKEY_CLASSES_ROOT\TBSB01620.TBSB01620.3]
    [HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
    [HKEY_CLASSES_ROOT\TBSB01620.TBSB01620]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2008-07-30 01:52 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-04-28 3905920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-07-03 135680]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    "Steam"="c:\program files\Steam\Steam.exe" [2012-04-23 1242448]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Acer Empowering Technology Monitor"="c:\program files\Acer\Empowering Technology\SysMonitor.exe" [2008-10-01 319488]
    "EmpoweringTechnology"="c:\program files\Acer\Empowering Technology\Framework.Launcher.exe" [2008-10-01 323584]
    "eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-07-30 526896]
    "PCMMediaSharing"="c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [2008-05-21 204908]
    "CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2008-10-03 294544]
    "Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
    "Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 208184]
    "CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 182584]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-11 6749512]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-02-28 1987976]
    "Iminent"="c:\program files\Iminent\Iminent.exe" [2011-12-23 445416]
    "IminentMessenger"="c:\program files\Iminent\Iminent.Messengers.exe" [2011-12-23 881144]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Personal Coach.lnk - c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2010-12-28 2392064]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-09-06 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\windows\System32\guard32.dll c:\windows\System32\guard32.dll c:\windows\System32\guard32.dll c:\windows\System32\guard32.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
    @="Service"
    .
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-09-06 116608]
    S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2008-05-21 269448]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    xmlpros REG_MULTI_SZ XMLProvS
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-08-17 19:41]
    .
    2012-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-08-17 19:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1300
    uDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1300
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: Interfaces\{209691AC-D76C-4989-96DB-91FF190476EE}: NameServer = 8.26.56.26,156.154.70.22
    FF - ProfilePath - c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\svjtkm5q.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4dd2ebf0&I=23&tp=ab&nt=1&q=
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{84FF7BD6-B47F-46F8-9130-01B2696B36CB} - (no file)
    BHO-{84FF7BD6-B47F-46F8-9130-01B2696B36CB} - (no file)
    ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
    HKCU-Run-Spotify - c:\users\Dad\AppData\Roaming\Spotify\Spotify.exe
    .
    .
    .
    **************************************************************************
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(7504)
    c:\windows\system32\guard32.dll
    .
    - - - - - - - > 'Explorer.exe'(6228)
    c:\windows\system32\guard32.dll
    c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\COMODO\COMODO GeekBuddy\CLPSLS.exe
    c:\windows\system32\nvvsvc.exe
    c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
    c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
    c:\windows\system32\nvvsvc.exe
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    c:\program files\Acer\Empowering Technology\Service\ETService.exe
    c:\program files\LogMeIn Hamachi\hamachi-2.exe
    c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\Spybot - Search & Destroy\SDWinSec.exe
    c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Completion time: 2012-05-10 22:43:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-05-11 04:43
    .
    Pre-Run: 22,290,374,656 bytes free
    Post-Run: 21,586,939,904 bytes free
    .
    - - End Of File - - F48E580F8C9D36906BC7BE9D18F269A7
  11. mom26gr8kids

    mom26gr8kids TechSpot Maniac Topic Starter Posts: 387

    After the eset scan I did create a text document, but I didn't look closely at it. When I opened it this morning this was all that was there

    C:\Users\Dad\Downloads\gimp_app_1201.exe Win32/InstallIQ application

    Not only was my C drive almost out of space, but the bar that shows how full it is was highlighted in red. Today it is back to its normal color. So, there are still programs I will be removing once we are done with the cleaning process, but things seem to be better on this end.

    You are right though, so many of the programs on here we have never used and I waited to see if we would use them, but things like that get moved to the bottom of the priority list. I also tend not to delete programs when I'm not sure what they are because I don't want to remove something that my computer needs, so some of the Acer programs we don't use, but I may have left them because they came with the computer and I am paranoid about which programs are necessary for the computer to run and which ones are just extras. My kids also have a lot of games on here they don't play anymore, so when we're finished I will spend next week cleaning the computer.

    Thanks for your help. Honestly last month when my SAS found the Browser Hijacker my first instinct was to come here and do the Malware removal again, but I guess I didn't want to believe that my computer was infected again, or maybe I was too proud to admit that my kids had infected my computer again. I appreciate that you don't get tired of helping me.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, Mom, let's see if we can clean up the system for your special day! I will comment that the Iminent program is overly generous in putting processes on the system! I think I have them all included in the script below:

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\program files\application updater\applicationupdater.exe
    DDS::
    TB: IMinent Toolbar: {977ae9cc-af83-45e8-9e03-e2798216e2d5} - c:\program files\iminent toolbar\tbcore3.dll
    BHO: TBSB01620 Class: {58124a0b-dc32-4180-9bff-e0e21ae34026} - c:\program files\iminent toolbar\tbcore3.dll
    mRun: [Iminent] c:\program files\iminent\Iminent.exe /warmup "F77F87E5-A6BD-4922-A530-EDF63D7E9F8C"
    mRun: [IminentMessenger] c:\program files\iminent\Iminent.Messengers.exe /startup
    mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58124A0B-DC32-4180-9BFF-E0E21AE34026}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{977AE9CC-AF83-45E8-9E03-E2798216E2D5}"= "c:\program files\IMinent Toolbar\tbcore3.dll" [2010-07-02 2607872]
    [HKEY_CLASSES_ROOT\clsid\{977ae9cc-af83-45e8-9e03-e2798216e2d5}]
    [HKEY_CLASSES_ROOT\TBSB01620.TBSB01620.3]
    [HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
    [HKEY_CLASSES_ROOT\TBSB01620.TBSB01620]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CarboniteSetupLite"=-
    "Iminent"=-
    "IminentMessenger"=-
     
    Clearjavacache::
     
    Driver::
    Application Updater
     
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: dragging CFScript.txt onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes 
      :Files
      C:\Users\Dad\Downloads\gimp_app_1201.exe
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ============================================
    Please go to Add/Remove Programs> look for:
    Iminent
    Iminent Toolbar
    IminentMessenger
    Uninstall ALL.
    Use Windows Explorer (Windows key+E) to access Computer> Local Drive(C)> Programs> Find program folders for:
    Iminent
    Iminent Toolbar
    IminentMessenger
    Do a right click> Delete on each.
    ===========================================
    Reboot the computer

    Run TFC (Temp File Cleaner)
    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.
    ==================================
    Empty the Recycle Bin
    =================================
    You have been carrying the following around for 6 years: Install Date: 10/10/2006
    Search the internet to see what they do. If you don't need them or use them, uninstall> then delete program folders as above.

    ======================================
    Is Hamachi safe? Your son is setting up Virtual Network Computing (VNC) with Hamachi. VNC, of itself, is not a secure protocol. Please review Setting up a secure VNC with Hamachi to make sure the settings are set as securely as possible.
  13. mom26gr8kids

    mom26gr8kids TechSpot Maniac Topic Starter Posts: 387

    Bobbye--in my attempt to run the custom Script I accidentally clicked on Combofix again. I did attempt to close the program, but it would not let me and I know once the window opens I can stall it if I click on it, so I let the program run again. So I thought I would paste that log just to make sure that I did not mess anything up. If everything still looks the same then just let me know it's okay to run the Custom Script, OT Move it and TFC and I will get that done today. I will be more careful next time. Thanks




    ComboFix 12-05-10.05 - Dad 14/05/2012 9:28.5.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1526 [GMT -6:00]
    Running from: c:\users\Dad\Downloads\ComboFix.exe
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: COMODO Defense+ *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
    Restored copy from - c:\windows\ERDNT\cache\atapi.sys
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-14 to 2012-05-14 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-14 15:40 . 2012-05-14 15:43 -------- d-----w- c:\users\Dad\AppData\Local\temp
    2012-05-14 15:40 . 2012-05-14 15:40 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2012-05-14 15:40 . 2012-05-14 15:40 -------- d-----w- c:\users\Public\AppData\Local\temp
    2012-05-14 15:40 . 2012-05-14 15:40 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-05-14 15:40 . 2012-05-14 15:40 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2012-05-05 17:08 . 2012-03-06 06:39 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-05-05 17:08 . 2012-03-06 06:39 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-05 16:48 . 2012-03-01 11:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2012-05-05 16:47 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2012-05-05 16:47 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2012-05-05 16:47 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2012-05-05 16:47 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2012-05-05 16:47 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
    2012-05-05 16:47 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
    2012-05-05 16:47 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-05-05 16:47 . 2011-12-14 16:17 680448 ----a-w- c:\windows\system32\msvcrt.dll
    2012-05-05 16:47 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
    2012-04-26 17:05 . 2012-04-26 17:05 -------- d-----w- c:\program files\Mozilla Maintenance Service
    2012-04-26 17:05 . 2012-04-26 17:05 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
    2012-04-26 17:05 . 2012-04-26 17:05 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
    2012-04-23 19:42 . 2012-04-29 12:35 -------- d-----w- c:\program files\Common Files\Steam
    2012-04-23 19:42 . 2012-05-14 15:15 -------- d-----w- c:\program files\Steam
    2012-04-17 16:41 . 2012-04-17 16:41 -------- d-----w- c:\program files\iPod
    2012-04-16 19:06 . 2012-05-14 01:33 -------- d-----w- c:\users\Dad\AppData\Roaming\.spoutcraft
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-04 21:56 . 2011-12-17 07:27 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-22 20:22 . 2011-06-03 15:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
    2012-03-18 03:59 . 2012-03-18 03:10 138264 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2012-03-18 03:59 . 2012-03-18 03:59 234768 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2012-03-18 03:59 . 2012-03-18 03:10 234768 ----a-w- c:\windows\system32\PnkBstrB.exe
    2012-03-18 03:10 . 2012-03-18 03:10 138056 ----a-w- c:\users\Dad\AppData\Roaming\PnkBstrK.sys
    2012-03-18 03:10 . 2012-03-18 03:10 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
    2012-03-11 21:13 . 2011-12-20 01:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
    2012-03-11 21:13 . 2011-12-20 01:59 38616 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2012-03-11 21:13 . 2011-12-20 01:59 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
    2012-03-11 21:13 . 2011-12-20 01:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2012-03-11 21:13 . 2011-12-20 01:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
    2012-03-11 21:13 . 2011-12-20 01:58 301224 ----a-w- c:\windows\system32\guard32.dll
    2012-03-07 00:15 . 2011-07-16 05:08 41184 ----a-w- c:\windows\avastSS.scr
    2012-03-07 00:15 . 2011-07-16 05:08 201352 ----a-w- c:\windows\system32\aswBoot.exe
    2012-03-07 00:03 . 2011-07-16 05:10 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-03-07 00:03 . 2011-07-16 05:10 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-03-07 00:02 . 2011-07-16 05:10 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-03-07 00:01 . 2011-07-16 05:10 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-03-07 00:01 . 2011-07-16 05:10 57688 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-03-07 00:01 . 2011-07-16 05:10 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-02-15 18:01 . 2012-02-15 18:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
    2012-02-15 18:01 . 2012-02-15 18:01 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2012-04-26 17:05 . 2011-03-24 02:39 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58124A0B-DC32-4180-9BFF-E0E21AE34026}]
    2010-07-02 15:54 2607872 ----a-w- c:\program files\IMinent Toolbar\tbcore3.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{977AE9CC-AF83-45E8-9E03-E2798216E2D5}"= "c:\program files\IMinent Toolbar\tbcore3.dll" [2010-07-02 2607872]
    .
    [HKEY_CLASSES_ROOT\clsid\{977ae9cc-af83-45e8-9e03-e2798216e2d5}]
    [HKEY_CLASSES_ROOT\TBSB01620.TBSB01620.3]
    [HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
    [HKEY_CLASSES_ROOT\TBSB01620.TBSB01620]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2008-07-30 01:52 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-04-28 3905920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-07-03 135680]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    "Steam"="c:\program files\Steam\Steam.exe" [2012-04-23 1242448]
    "Spotify"="c:\users\Dad\AppData\Roaming\Spotify\Spotify.exe" [BU]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Acer Empowering Technology Monitor"="c:\program files\Acer\Empowering Technology\SysMonitor.exe" [2008-10-01 319488]
    "EmpoweringTechnology"="c:\program files\Acer\Empowering Technology\Framework.Launcher.exe" [2008-10-01 323584]
    "eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-07-30 526896]
    "PCMMediaSharing"="c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [2008-05-21 204908]
    "CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2008-10-03 294544]
    "Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
    "Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 208184]
    "CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 182584]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-11 6749512]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-02-28 1987976]
    "Iminent"="c:\program files\Iminent\Iminent.exe" [2011-12-23 445416]
    "IminentMessenger"="c:\program files\Iminent\Iminent.Messengers.exe" [2011-12-23 881144]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Personal Coach.lnk - c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2010-12-28 2392064]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-09-06 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\windows\System32\guard32.dll c:\windows\System32\guard32.dll c:\windows\System32\guard32.dll c:\windows\System32\guard32.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
    @="Service"
    .
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-09-06 116608]
    S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2008-05-21 269448]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    xmlpros REG_MULTI_SZ XMLProvS
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-08-17 19:41]
    .
    2012-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-08-17 19:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1300
    uDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1300
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: Interfaces\{209691AC-D76C-4989-96DB-91FF190476EE}: NameServer = 8.26.56.26,156.154.70.22
    FF - ProfilePath - c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\svjtkm5q.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4dd2ebf0&I=23&tp=ab&nt=1&q=
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{84FF7BD6-B47F-46F8-9130-01B2696B36CB} - (no file)
    BHO-{84FF7BD6-B47F-46F8-9130-01B2696B36CB} - (no file)
    .
    .
    .
    **************************************************************************
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(708)
    c:\windows\system32\guard32.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\COMODO\COMODO GeekBuddy\CLPSLS.exe
    c:\windows\system32\nvvsvc.exe
    c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
    c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
    c:\windows\system32\nvvsvc.exe
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    c:\program files\Acer\Empowering Technology\Service\ETService.exe
    c:\program files\LogMeIn Hamachi\hamachi-2.exe
    c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\Spybot - Search & Destroy\SDWinSec.exe
    c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    c:\windows\system32\PhotoScreensaver.scr
    .
    **************************************************************************
    .
    Completion time: 2012-05-14 09:49:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-05-14 15:49
    ComboFix2.txt 2012-05-11 04:43
    .
    Pre-Run: 19,186,479,104 bytes free
    Post-Run: 19,150,733,312 bytes free
    .
    - - End Of File - - 7C6200CC0FEA7AF42E626DCC82F332AB
  14. mom26gr8kids

    mom26gr8kids TechSpot Maniac Topic Starter Posts: 387

    The problem I seem to be having is that I cannot find the ComboFix.exe file to save the CFScript to. The CFScript won't save in the ComboFix folder because when I click on it, it says "No items match your search". I know ComboFix is still on my computer, so how can I find it to save CFScript to it? Or can I save it somewhere else and then still drag it over to ComboFix? Wouldn't think it would be this hard to locate a program. I searched for Combofix in the search bar as well and it said that no items match my search. Thanks
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    It's important that you save Combofix to the desktop when you download it.
    Then when you copy the script, it's important that you Save this as CFScript.txt, in the same location as ComboFix.exe which will be the desktop.
    If you don't do that, you won't be able to drag the script as instructed.

    If you did not do this originally, please uninstall the Combofix you have now as follows:

    Click START> then RUN> type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    Then download Combofix again> make sure you save to the desktop:

    Please disable the security before you do the scan:

    Follow these directions to copy the script> Save this as CFScript.txt, in the same location as ComboFix.exe which will be the desktop. Now you should be able to drag the script.

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\program files\application updater\applicationupdater.exe
    Folder::
    c:\users\Dad\AppData\Local\temp
    c:\users\UpdatusUser\AppData\Local\temp
    c:\users\Public\AppData\Local\temp
    c:\users\Default\AppData\Local\temp
    c:\users\Administrator\AppData\Local\temp
    DDS::
    TB: IMinent Toolbar: {977ae9cc-af83-45e8-9e03-e2798216e2d5} - c:\program files\iminent toolbar\tbcore3.dll
    BHO: TBSB01620 Class: {58124a0b-dc32-4180-9bff-e0e21ae34026} - c:\program files\iminent toolbar\tbcore3.dll
    mRun: [Iminent] c:\program files\iminent\Iminent.exe /warmup "F77F87E5-A6BD-4922-A530-EDF63D7E9F8C"
    mRun: [IminentMessenger] c:\program files\iminent\Iminent.Messengers.exe /startup
    mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
     
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58124A0B-DC32-4180-9BFF-E0E21AE34026}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{977AE9CC-AF83-45E8-9E03-E2798216E2D5}"= "c:\program files\IMinent Toolbar\tbcore3.dll"
    [HKEY_CLASSES_ROOT\clsid\{977ae9cc-af83-45e8-9e03-e2798216e2d5}]
    [HKEY_CLASSES_ROOT\TBSB01620.TBSB01620.3]
    [HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
    [HKEY_CLASSES_ROOT\TBSB01620.TBSB01620]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CarboniteSetupLite"=-
    "Iminent"=-
    "IminentMessenger"=-
     
    Clearjavacache::
     
    Driver::
    Application Updater
     
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: dragging CFScript.txt onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
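    The CFScripts in posts 12 and 15 target three autostart locations that ComboFix reported: the Browser Helper Objects key, the Internet Explorer Toolbar key, and the HKLM/HKCU Run keys. The script below is an added, read-only audit of those same locations, written for this page as an example; it is not ComboFix, OTMoveIt, or anything posted in the thread. It resolves each registered CLSID to its DLL, checks the file's Authenticode signature, and flags the two Iminent CLSIDs and the path fragments quoted in the logs above (those are the only page-specific values it uses). It changes nothing on the system; it only shows what would load at logon, so that a removal script can be checked against the machine before and after it is run.

```powershell
# Added audit example; not from this thread, ComboFix, or any TechSpot tool.
# Read-only check of the persistence points named in the ComboFix logs above:
# Browser Helper Objects, Internet Explorer toolbars and the HKLM/HKCU Run keys.
# Run from an elevated PowerShell prompt. Nothing is modified or deleted.

# CLSIDs copied from the ComboFix log in this thread.
$KnownBadClsids = @{
    '{58124A0B-DC32-4180-9BFF-E0E21AE34026}' = 'Iminent BHO (TBSB01620 Class)'
    '{977AE9CC-AF83-45E8-9E03-E2798216E2D5}' = 'Iminent Toolbar'
}
# Path fragments copied from the same log (lowercase for comparison).
$SuspectPathFragments = @('\iminent', 'tbcore3.dll')

function Resolve-ClsidDll {
    param([string]$Clsid)
    # In-process COM servers register their DLL under HKCR\CLSID\{...}\InprocServer32.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $key) {
        return (Get-ItemProperty -LiteralPath $key).'(default)'
    }
    return $null
}

function Get-ExePath {
    param([string]$CommandLine)
    # Run values are command lines: take the quoted program, else text up to ".exe".
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $CommandLine.Trim()
}

function Get-SignerState {
    param([string]$Path)
    if (-not $Path) { return 'no path' }
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $full)) { return 'file missing' }
    return (Get-AuthenticodeSignature -FilePath $full).Status.ToString()
}

function Get-Flag {
    param([string]$Clsid, [string]$Path)
    if ($Clsid -and $KnownBadClsids.ContainsKey($Clsid)) { return $KnownBadClsids[$Clsid] }
    foreach ($frag in $SuspectPathFragments) {
        if ($Path -and $Path.ToLower().Contains($frag)) { return 'path matches Iminent' }
    }
    return ''
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Browser Helper Objects: each subkey name is a CLSID loaded into IE and Explorer.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoRoot) {
    foreach ($sub in Get-ChildItem $bhoRoot) {
        $clsid = $sub.PSChildName.ToUpper()
        $dll   = Resolve-ClsidDll $clsid
        $findings.Add([pscustomobject]@{
            Location = 'BHO'; Name = $clsid; Path = $dll
            Signature = Get-SignerState $dll; Flag = Get-Flag $clsid $dll })
    }
}

# 2. IE toolbars: the value names under this key are toolbar CLSIDs.
$tbKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
if (Test-Path $tbKey) {
    foreach ($name in (Get-Item $tbKey).GetValueNames()) {
        if ($name -notlike '{*}') { continue }
        $clsid = $name.ToUpper()
        $dll   = Resolve-ClsidDll $clsid
        $findings.Add([pscustomobject]@{
            Location = 'IE Toolbar'; Name = $clsid; Path = $dll
            Signature = Get-SignerState $dll; Flag = Get-Flag $clsid $dll })
    }
}

# 3. Run keys for the machine and the current user (ComboFix's mRun / uRun lines).
foreach ($runKey in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $runKey)) { continue }
    $item = Get-Item $runKey
    foreach ($name in $item.GetValueNames()) {
        $exe = Get-ExePath ($item.GetValue($name))
        $findings.Add([pscustomobject]@{
            Location = $runKey.Split(':')[0] + ' Run'; Name = $name; Path = $exe
            Signature = Get-SignerState $exe; Flag = Get-Flag $null $exe })
    }
}

# Flagged entries first; the rest follow so the whole autostart surface stays visible.
$findings | Sort-Object @{Expression = { $_.Flag -ne '' }; Descending = $true}, Location |
    Format-Table Location, Name, Flag, Signature, Path -AutoSize -Wrap
```

    Running it before the CFScript should list the two Iminent CLSIDs and the Iminent/Carbonite Run values seen in the logs; running it again after the reboot should show those rows gone. Entries whose Signature column reads NotSigned or "file missing" are the ones worth looking up before deciding whether they belong, since a legitimate vendor DLL in these keys is normally signed.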
  16. mom26gr8kids

    mom26gr8kids TechSpot Maniac Topic Starter Posts: 387

    Here is the ComboFix Log after running the custom Script. I am running the OT MoveIt now.

    ComboFix 12-05-16.02 - Dad 16/05/2012 18:41:37.7.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1520 [GMT -6:00]
    Running from: c:\users\Dad\Downloads\ComboFix.exe
    Command switches used :: c:\users\Dad\Desktop\CFScript.lnk
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    FW: COMODO Firewall *Disabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: COMODO Defense+ *Disabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-17 to 2012-05-17 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-17 00:51 . 2012-05-17 00:51 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2012-05-17 00:51 . 2012-05-17 00:51 -------- d-----w- c:\users\Public\AppData\Local\temp
    2012-05-17 00:51 . 2012-05-17 00:52 -------- d-----w- c:\users\Dad\AppData\Local\temp
    2012-05-17 00:51 . 2012-05-17 00:51 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-05-17 00:51 . 2012-05-17 00:51 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2012-05-05 17:08 . 2012-03-06 06:39 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-05-05 17:08 . 2012-03-06 06:39 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-05-05 16:48 . 2012-03-01 11:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2012-05-05 16:47 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2012-05-05 16:47 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2012-05-05 16:47 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2012-05-05 16:47 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2012-05-05 16:47 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
    2012-05-05 16:47 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
    2012-05-05 16:47 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-05-05 16:47 . 2011-12-14 16:17 680448 ----a-w- c:\windows\system32\msvcrt.dll
    2012-05-05 16:47 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
    2012-04-26 17:05 . 2012-04-26 17:05 -------- d-----w- c:\program files\Mozilla Maintenance Service
    2012-04-26 17:05 . 2012-04-26 17:05 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
    2012-04-26 17:05 . 2012-04-26 17:05 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
    2012-04-23 19:42 . 2012-04-29 12:35 -------- d-----w- c:\program files\Common Files\Steam
    2012-04-23 19:42 . 2012-05-16 13:52 -------- d-----w- c:\program files\Steam
    2012-04-17 16:41 . 2012-04-17 16:41 -------- d-----w- c:\program files\iPod
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-04 21:56 . 2011-12-17 07:27 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-22 20:22 . 2011-06-03 15:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
    2012-03-18 03:59 . 2012-03-18 03:10 138264 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2012-03-18 03:59 . 2012-03-18 03:59 234768 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2012-03-18 03:59 . 2012-03-18 03:10 234768 ----a-w- c:\windows\system32\PnkBstrB.exe
    2012-03-18 03:10 . 2012-03-18 03:10 138056 ----a-w- c:\users\Dad\AppData\Roaming\PnkBstrK.sys
    2012-03-18 03:10 . 2012-03-18 03:10 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
    2012-03-11 21:13 . 2011-12-20 01:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
    2012-03-11 21:13 . 2011-12-20 01:59 38616 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2012-03-11 21:13 . 2011-12-20 01:59 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
    2012-03-11 21:13 . 2011-12-20 01:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2012-03-11 21:13 . 2011-12-20 01:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
    2012-03-11 21:13 . 2011-12-20 01:58 301224 ----a-w- c:\windows\system32\guard32.dll
    2012-03-07 00:15 . 2011-07-16 05:08 41184 ----a-w- c:\windows\avastSS.scr
    2012-03-07 00:15 . 2011-07-16 05:08 201352 ----a-w- c:\windows\system32\aswBoot.exe
    2012-03-07 00:03 . 2011-07-16 05:10 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-03-07 00:03 . 2011-07-16 05:10 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-03-07 00:02 . 2011-07-16 05:10 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-03-07 00:01 . 2011-07-16 05:10 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-03-07 00:01 . 2011-07-16 05:10 57688 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-03-07 00:01 . 2011-07-16 05:10 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-04-26 17:05 . 2011-03-24 02:39 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58124A0B-DC32-4180-9BFF-E0E21AE34026}]
    2010-07-02 15:54 2607872 ----a-w- c:\program files\IMinent Toolbar\tbcore3.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{977AE9CC-AF83-45E8-9E03-E2798216E2D5}"= "c:\program files\IMinent Toolbar\tbcore3.dll" [2010-07-02 2607872]
    .
    [HKEY_CLASSES_ROOT\clsid\{977ae9cc-af83-45e8-9e03-e2798216e2d5}]
    [HKEY_CLASSES_ROOT\TBSB01620.TBSB01620.3]
    [HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
    [HKEY_CLASSES_ROOT\TBSB01620.TBSB01620]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2008-07-30 01:52 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-04-28 3905920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-07-03 135680]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    "Steam"="c:\program files\Steam\Steam.exe" [2012-04-23 1242448]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Acer Empowering Technology Monitor"="c:\program files\Acer\Empowering Technology\SysMonitor.exe" [2008-10-01 319488]
    "EmpoweringTechnology"="c:\program files\Acer\Empowering Technology\Framework.Launcher.exe" [2008-10-01 323584]
    "eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-07-30 526896]
    "PCMMediaSharing"="c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [2008-05-21 204908]
    "CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2008-10-03 294544]
    "Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
    "Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 208184]
    "CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 182584]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-11 6749512]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-02-28 1987976]
    "Iminent"="c:\program files\Iminent\Iminent.exe" [2011-12-23 445416]
    "IminentMessenger"="c:\program files\Iminent\Iminent.Messengers.exe" [2011-12-23 881144]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Personal Coach.lnk - c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2010-12-28 2392064]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-09-06 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\windows\System32\guard32.dll c:\windows\System32\guard32.dll c:\windows\System32\guard32.dll c:\windows\System32\guard32.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
    @="Service"
    .
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-09-06 116608]
    S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2008-05-21 269448]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    xmlpros REG_MULTI_SZ XMLProvS
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-08-17 19:41]
    .
    2012-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-08-17 19:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1300
    uDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1300
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: Interfaces\{209691AC-D76C-4989-96DB-91FF190476EE}: NameServer = 8.26.56.26,156.154.70.22
    FF - ProfilePath - c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\svjtkm5q.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://search.iminent.com/?appId=bf14df5d-56a0-4e2d-8efc-7b60325de338&lcid=1033&ref=homepage
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4dd2ebf0&I=23&tp=ab&nt=1&q=
    FF - user.js: yahoo.homepage.dontask - true
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-05-16 18:52
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    detected NTDLL code modification:
    ZwClose
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(1176)
    c:\windows\system32\guard32.dll
    .
    - - - - - - - > 'Explorer.exe'(7840)
    c:\windows\system32\guard32.dll
    c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
    .
    Completion time: 2012-05-16 18:53:57
    ComboFix-quarantined-files.txt 2012-05-17 00:53
    ComboFix2.txt 2012-05-17 00:05
    ComboFix3.txt 2012-05-14 15:49
    .
    Pre-Run: 22,612,557,824 bytes free
    Post-Run: 22,580,817,920 bytes free
    .
    - - End Of File - - D1B00EB115C4B0E327219F85A172FB1C
  17. mom26gr8kids

    mom26gr8kids TechSpot Maniac Topic Starter Posts: 387

    OTMoveIt

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    C:\Users\Dad\Downloads\gimp_app_1201.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Dad
    ->Temp folder emptied: 31832 bytes
    ->Temporary Internet Files folder emptied: 884453474 bytes
    ->Java cache emptied: 86698 bytes
    ->FireFox cache emptied: 99157539 bytes
    ->Flash cache emptied: 668476 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 127 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 517996 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 939.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 05162012_190203
  18. mom26gr8kids

    mom26gr8kids TechSpot Maniac Topic Starter Posts: 387

    Okay, I am done with the steps you instructed, except I am still deleting some of the Acer programs that I don't use. My son says he is not using Hamachi right now, so I would prefer to just delete it altogether. I assume that I can just do that by uninstalling it like the other programs? Also I have Hijack This on my computer. I am not sure from what since I don't recall ever using that here in the malware removal forum. I would like to delete that, but I know some of the malware removal programs have to be uninstalled a certain way, is that the case here as well?

    Thanks
  19. mom26gr8kids

    mom26gr8kids TechSpot Maniac Topic Starter Posts: 387

    Bobbye

    As I was getting ready for bed this evening I was looking through my Avast logs and noticed that it found a virus on its scan yesterday. However, the virus that it found was in the temporary internet files. Would it have been deleted when I ran the Temp File Cleaner (or the Combofix) or do I need to run Malware bytes, gmer, dds again? I cannot figure out how to copy or paste the Avast scan log, but I can type out what it says if you need more information. Avast moved the virus to the chest, but other than the computer saying that it found a virus my system is not giving me any issues.
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Did you copy all the entries I had in the CF Script? All of the Iminent entries I had written script for removal are still loading.

    I don't want the Avast log. Did it quarantine what it found? Let's update and scan with Eset again to be sure please.

    You can uninstall HJT the usual way> Add/Remove Programs, then delete program file using Windows Explorer>>>OR>>>> you could wait until we finish and I have you remove the tools and logs.
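Bobbye's check above, that the Iminent loading points in the ComboFix log are still present, as an added example that is not part of the thread: a Python script that parses the "Reg Loading Points" and FF prefs.js lines of such a log and groups the entries mentioning a product name by location. The sample log is constructed from lines quoted in the log posted earlier; the script is my own, not a ComboFix feature.

```python
# Added example (not from the thread): parse the "Reg Loading Points" and
# Firefox prefs.js lines of a ComboFix log and list every loading point that
# mentions a product name. SAMPLE_LOG is constructed from lines quoted earlier.
import re
from collections import defaultdict

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58124A0B-DC32-4180-9BFF-E0E21AE34026}]
2010-07-02 15:54 2607872 ----a-w- c:\program files\IMinent Toolbar\tbcore3.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{977AE9CC-AF83-45E8-9E03-E2798216E2D5}"= "c:\program files\IMinent Toolbar\tbcore3.dll" [2010-07-02 2607872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]
"Iminent"="c:\program files\Iminent\Iminent.exe" [2011-12-23 445416]
"IminentMessenger"="c:\program files\Iminent\Iminent.Messengers.exe" [2011-12-23 881144]
.
FF - prefs.js: browser.startup.homepage - hxxp://search.iminent.com/?appId=bf14df5d-56a0-4e2d-8efc-7b60325de338&lcid=1033&ref=homepage
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")                       # [HKEY_...] section header
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*"?([^"\[]+?)"?\s*(?:\[[^\]]*\])?\s*$')  # "name"="target" [date size]
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (.+)$")  # module line under a key (e.g. a BHO DLL)
FF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.+)$")               # Firefox preference line

def parse_loading_points(text):
    """Return (location, name, target) for every loading point in a ComboFix log."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := KEY_RE.match(line):
            current_key = m.group(1)
        elif m := FF_RE.match(line):
            entries.append(("prefs.js", m.group(1), m.group(2)))
        elif current_key is None:
            continue
        elif m := VALUE_RE.match(line):
            entries.append((current_key, m.group(1), m.group(2).strip()))
        elif m := FILE_RE.match(line):
            # a bare file line under a key names the module that key loads (here a BHO's DLL)
            entries.append((current_key, "(module)", m.group(1)))
    return entries

def find_product(entries, product):
    """Loading points whose value name or target mentions the product, grouped by location."""
    needle = product.lower()
    hits = defaultdict(list)
    for location, name, target in entries:
        if needle in name.lower() or needle in target.lower():
            hits[location].append((name, target))
    return dict(hits)

if __name__ == "__main__":
    for location, items in find_product(parse_loading_points(SAMPLE_LOG), "iminent").items():
        print(location)
        for name, target in items:
            print(f"    {name} -> {target}")
```

Run against a full log, the BHO, toolbar, Run-key and homepage entries for the product come out grouped, which is exactly what has to be empty after a successful CFScript run.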
  21. mom26gr8kids

    mom26gr8kids TechSpot Maniac Topic Starter Posts: 387

    My CFScript log looks exactly the same as what you had here, and I dragged it into Combofix just as instructed. The Combofix on my desktop says ComboFix shortcut, but when I dragged the script there it launched Combofix. Would you like me to try it again?

    Avast did Quarantine the viruses it found. Here is the eset log:

    C:\_OTM\MovedFiles\05162012_190203\C_Users\Dad\Downloads\gimp_app_1201.exe Win32/InstallIQ application
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You need to get this configured correctly:

    Instructions: Download Combofix from HERE or HERE and save to the desktop
    What you have: Running from: c:\users\Dad\Downloads\ComboFix.exe

    Instructions: Save this as CFScript.txt, in the same location as ComboFix.exe
    What you have: Command switches used :: c:\users\Dad\Desktop\CFScript.lnk

    Examples of what you should see:

    Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe

    Command switches used :: c:\documents and settings\Dad\Desktop\CFscript.txt

    The code won't work when it's in one place and the program is in another. The Command switch has a .txt file extension, not .lnk

    (When finished, it will produce a log for you at C:\ComboFix.txt)

    Uninstall Combofix. Reinstall correctly. Then run the fix
  23. mom26gr8kids

    mom26gr8kids TechSpot Maniac Topic Starter Posts: 387

    I already uninstalled and then reinstalled ComboFix. There is no option for me to save it to the desktop. The only two options that come up are Save File or Cancel. Once it downloads and I click on it that starts running the program. If there is a way to save it somewhere other than where my computer saves it I am not given that option (perhaps that is an issue with my downloads manager). And I did save the CFSCript as a .txt file, so I am not sure why it has an .lnk file extension.

    Let me know how I can save ComboFix to the desktop so that I can run the fix that you requested.
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You can choose a location on your computer where downloads should be saved by default. This means that whenever you use Save As in the File> Save As or when you choose to Save a download, it will automatically default to the location you have set.
    You may find setting the Default Download Location to your Desktop the most convenient.
    If you want to move the file later, you can. If you want to delete the file, it will be most handy on the Desktop. For the cleaning and scanning programs we use, almost all are directed to be saved to the desktop.

    Set Default Download Location in Browsers:

    Chrome:
    Open Chrome> Customize and control> Options> Under the Hood> Downloads> Change> Select Desktop> OK
    (Don't check 'ask where to save each time....')

    Firefox:
    Open Firefox> Tools> Options> Main/General> Downloads Section> Save Files to> Browse> Navigate to and select Desktop> OK

    IE9
    Open IE> Gear icon> View Downloads> Options> Browse to and select Desktop> OK

    There may be a slight difference in the path dependent on the browser version. There may also be a box to check to "Ask me the location each time". I do not advise checking that box.
  25. mom26gr8kids

    mom26gr8kids TechSpot Maniac Topic Starter Posts: 387

    Bobbye

    I changed the Downloads so they will download to the Desktop and I ran Combofix, but I still could not get the CFScript to run. I keep getting this message
    c:\Users\Dad\Desktop\Desktop\ComboFix.exe The directory name is invalid.

    So, I thought it created a folder on the desktop to save them into, so I went back into Firefox to change it so that it saved directly to the desktop, but then when I tried to uninstall it so I could re-download and install it I got the same message about the directory name being invalid. So, now I can't uninstall it, and I can't get the CFScript to run.

    When I go into the Firefox settings to have it download to the desktop, no matter what I click on it comes up with c:\Users\Dad\Desktop\Desktop as the path for the folder, even when I just click on Desktop and then click select folder.

    Guess I am going to need more help to get this figured out so I can run the CF Script