[Not curable - Sality] Acer Aspire 4520 and lost user needs help

By roughworld
Mar 31, 2012
  1. Not great with computers. I have an Acer Aspire laptop, AMD Athlon 64 X2 TK-55 1.8 GHz, running Windows Vista HP, 4 GB RAM, 120 GB HDD. Having problems with a virus or malware that I'm currently unable to fix alone and unable to resolve with the programs on the computer now.


    I have Microsoft Firewall, Avira AntiVir, Microsoft Security Essentials. Ran basic checks: Avira AntiVir, Malwarebytes, GMER, DDS, and have logs. Any help would be ever so gratefully appreciated. I really don't know what to do, so I am following
    (http://www.techspot.com/vb/topic58138.html , http://www.dslreports.com/faq/8428 )


    MBAM log
    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.31.01

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Owner :: OWNER-PC [administrator]

    3/31/2012 7:30:09 PM
    mbam-log-2012-03-31 (19-30-09).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 205920
    Time elapsed: 8 minute(s), 40 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    GMER log
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-03-31 18:36:36
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 ST9120822AS rev.3.ALD
    Running: rto9612z.exe; Driver: C:\Users\Owner\AppData\Local\Temp\pwloapow.sys


    ---- System - GMER 1.0.15 ----

    SSDT 9003E8C6 ZwCreateSection
    SSDT 9003E8CB ZwSetContextThread
    SSDT 9003E867 ZwTerminateProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!KeSetEvent + 215 82EB0998 2 Bytes [C6, E8]
    .text ntkrnlpa.exe!KeSetEvent + 218 82EB099B 1 Byte [90]
    .text ntkrnlpa.exe!KeSetEvent + 56D 82EB0CF0 4 Bytes CALL A7939CF8
    .text ntkrnlpa.exe!KeSetEvent + 621 82EB0DA4 4 Bytes CALL 881A9DAC
    .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8F80B340, 0x3FA057, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[1872] kernel32.dll!CreateThread + 1A 774DCB48 4 Bytes CALL 0044C909 C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe (IObit Malware Fighter Service/IObit)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[1872] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [0044CA60] C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe (IObit Malware Fighter Service/IObit)
    IAT C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[1872] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [0044CA60] C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe (IObit Malware Fighter Service/IObit)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [744B7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7450A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [744BBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [744AF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [744B75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [744AE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [744E8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [744BDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [744AFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [744AFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [744A71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7453CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [744DC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [744AD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [744A6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [744A687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2816] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [744B2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a648745
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a648745@0022b478a70b 0xAC 0x6B 0xBE 0x04 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a648745@00210620ce1c 0xE8 0x7C 0x96 0xBD ...
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a3a648745 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a3a648745@0022b478a70b 0xAC 0x6B 0xBE 0x04 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a3a648745@00210620ce1c 0xE8 0x7C 0x96 0xBD ...

    ---- EOF - GMER 1.0.15 ----


    DDS log
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
    Run by Owner at 18:43:42 on 2012-03-31
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1786 [GMT -4:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: IObit Malware Fighter *Disabled/Updated* {A751AC20-3B48-5237-898A-78C4436BB78D}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
    C:\Program Files\Motorola\Moto Helper Service\MotoHelper.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\System32\alg.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k WindowsMobile
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Windows\WindowsMobile\wmdc.exe
    C:\Windows\PLFSetL.exe
    C:\Program Files\Launch Manager\QtZgAcer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\PLFSetI.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
    C:\Program Files\McAfee Security Scan\2.1.121\SSScheduler.exe
    C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local;<local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - No File
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [Advanced SystemCare 5] "c:\program files\iobit\advanced systemcare 5\ASCTray.exe" /AutoStart
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
    mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
    mRun: [mumservice] c:\program files\motorola\software update\mumservice.exe
    mRun: [PLFSetL] c:\windows\PLFSetL.exe
    mRun: [eAudio] "c:\acer\empowering technology\eaudio\eAudio.exe"
    mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
    mRun: [PLFSetI] c:\windows\PLFSetI.exe
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
    mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [IObit Malware Fighter] "c:\program files\iobit\iobit malware fighter\IMF.exe" /autostart
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.1.121\SSScheduler.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 71.2.28.14 63.162.197.99
    TCP: Interfaces\{2B665679-485A-4BC1-9114-6A3E985F55E8} : DhcpNameServer = 71.2.28.14 63.162.197.99
    TCP: Interfaces\{487A9A4D-420B-4818-90C4-2801B2F60AB1} : DhcpNameServer = 71.2.28.14 63.162.197.99
    TCP: Interfaces\{DB36F33E-5C8F-46F6-9C58-F07EAFB0D87F} : DhcpNameServer = 169.254.2.2
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\eooy1g4w.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/?pc=Z152&install_date=20110913
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z152&form=ZGAADF&install_date=20110913&q=
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\owner\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-9-21 15672]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
    R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
    R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2011-12-22 494424]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-9-15 136360]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-9-15 269480]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-9-15 66616]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-9-21 821592]
    R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-6-24 91456]
    R2 MotoHelper.exe;Motorola Helper;c:\program files\motorola\moto helper service\MotoHelper.exe [2010-4-21 6656]
    R3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wlh_x86\RegFilter.sys [2012-2-2 30600]
    R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-3-28 43008]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 BTWAMPFL;btwampfl;c:\windows\system32\drivers\btwampfl.sys [2011-2-12 300584]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-2-12 33320]
    S3 CH341SER;CH341SER;c:\windows\system32\drivers\CH341SER.SYS [2010-10-27 39632]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-3-30 40776]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.1.121\McCHSvc.exe [2010-9-3 227232]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-6-19 19712]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-29 8320]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2009-10-27 23936]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
    S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 65024]
    S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
    S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2012-3-10 20080]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    S3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wlh_x86\UrlFilter.sys [2012-2-2 19792]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wlh_x86\FileMonitor.sys [2012-2-2 20336]
    .
    =============== Created Last 30 ================
    .
    2012-03-31 21:14:05 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
    2012-03-31 21:14:05 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
    2012-03-31 19:33:04 6582328 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{3737ef47-c3ba-4b0d-a053-fc5aacda8b68}\mpengine.dll
    2012-03-31 05:52:58 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{4dd4ad4d-6ca7-4edd-92be-716513e7c27e}\offreg.dll
    2012-03-31 01:51:31 6582328 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{4dd4ad4d-6ca7-4edd-92be-716513e7c27e}\mpengine.dll
    2012-03-31 01:28:29 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-03-30 23:19:58 -------- d-----w- c:\users\owner\appdata\local\temp
    2012-03-30 23:18:21 -------- d-sh--w- C:\$RECYCLE.BIN
    2012-03-30 23:04:15 98816 ----a-w- c:\windows\sed.exe
    2012-03-30 23:04:15 518144 ----a-w- c:\windows\SWREG.exe
    2012-03-30 23:04:15 256000 ----a-w- c:\windows\PEV.exe
    2012-03-30 23:04:15 208896 ----a-w- c:\windows\MBR.exe
    2012-03-30 23:04:10 -------- d-----w- C:\ComboFix
    2012-03-29 21:56:51 57344 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{287AD1D8-3668-40F0-9EAD-D391AC6B5ABF}-amcap.exe
    2012-03-29 21:46:58 57344 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{58309256-1DC9-41E9-8983-4EE732325202}-amcap.exe
    2012-03-29 21:41:21 262144 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{2B08A5D8-CB8E-4D39-9983-7FE2EEDB2BA7}-LicenseTool.exe
    2012-03-29 21:26:57 262144 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{07E2886F-E700-4A61-A895-0CE5E455ACF5}-LicenseTool.exe
    2012-03-29 20:09:13 58368 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{69EBAE4C-A384-4235-B116-537A80C1B02E}-msmoney.exe
    2012-03-29 20:09:11 39936 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{E4176D69-7D96-402B-BF21-63622E36A158}-mnywaba.exe
    2012-03-29 20:09:10 8192 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{BAF5C105-D1FB-4338-8774-7982DA01F28E}-mnyimprt.exe
    2012-03-29 20:09:10 1001984 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{01D21C10-A8CB-424E-B97E-9FBE2BBC707A}-mnyinst.exe
    2012-03-29 20:09:09 10240 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{A6917E89-62A4-4DF7-A18A-2AB1621AF827}-mnybbsvc.exe
    2012-03-29 20:09:07 139264 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{1FA64291-DBFF-4531-9A81-95036F93B9C6}-daupdate.exe
    2012-03-29 20:09:06 132608 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{142832CB-252D-4D47-9CF3-811775857D57}-copymar.exe
    2012-03-29 20:08:54 17505792 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{06E59350-901B-423C-9046-00B6D3781C61}-WindowBlinds602_enhanced -razorbite.exe
    2012-03-29 20:08:43 17505792 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{8D7AD46F-C335-4814-B37B-FC3AA6638D16}-WindowBlinds602_enhanced -razorbite.exe
    2012-03-29 16:58:45 57344 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{555738A0-A713-47E9-8FDE-F7810225F339}-amcap.exe
    2012-03-29 16:58:05 262144 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{51820DD5-EBD1-40EF-AF4D-1804B5AEF2A8}-LicenseTool.exe
    2012-03-29 16:58:02 827392 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{DD70740B-3ABA-49E4-B9D7-7712BFF37372}-PixieTool.exe
    2012-03-29 16:57:53 827392 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{7D1FAEF6-7E99-4D85-B884-712D17395C05}-PixieTool.exe
    2012-03-28 18:09:36 94208 ----a-w- c:\windows\PLFSetL.exe
    2012-03-28 18:09:36 35072 ----a-w- c:\windows\system32\drivers\x64\sncduvc.sys
    2012-03-28 18:09:36 28032 ----a-w- c:\windows\system32\drivers\sncduvc.sys
    2012-03-28 18:09:36 1792128 ----a-w- c:\windows\system32\drivers\x64\snp2uvc.sys
    2012-03-28 18:09:36 1749376 ----a-w- c:\windows\system32\drivers\snp2uvc.sys
    2012-03-28 18:09:36 -------- d-----w- c:\windows\system32\drivers\x64
    2012-03-28 18:09:36 -------- d-----w- c:\windows\SUYIN NB Cam
    2012-03-28 18:09:32 286720 ----a-w- c:\windows\system32\vsnp2uvc.dll
    2012-03-28 18:09:32 172032 ----a-w- c:\windows\system32\rsnp2uvc.dll
    2012-03-28 18:09:31 53248 ----a-w- c:\windows\system32\csnp2uvc.dll
    2012-03-28 18:09:31 -------- d-----w- c:\program files\common files\snp2uvc
    2012-03-28 17:52:09 -------- d-----w- c:\program files\SUYIN
    2012-03-28 17:52:09 -------- d-----w- c:\program files\ACER Crystal Eye webcam
    2012-03-22 19:12:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
    2012-03-18 03:49:21 177152 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{337EFD86-3240-40A6-9266-A9DC38E0E41D}-A0045212.exe
    2012-03-17 23:14:53 190976 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{AE496534-80EE-4CF1-879E-F749D10D2CA3}-SETUP.EXE
    2012-03-17 23:14:52 62464 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{4BB8C434-5D9A-4D02-95E2-8BEB21B856FF}-autorun.exe
    2012-03-17 23:14:52 190976 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{426EA8DC-DF83-4F51-B702-8303E1D5EB3A}-SETUP.EXE
    2012-03-17 23:14:22 17505792 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{2589557E-C7CA-4805-B85A-184E504FE553}-WindowBlinds602_enhanced -razorbite.exe
    2012-03-17 23:11:06 17281536 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{8F14CB80-9E0A-4F5A-B4F6-68B358F2DCA1}-WindowBlinds601_vibes.exe
    2012-03-17 18:54:10 -------- d-----w- c:\program files\iPod
    2012-03-17 18:54:07 -------- d-----w- c:\program files\iTunes
    2012-03-15 21:49:17 2044416 ----a-w- c:\windows\system32\win32k.sys
    2012-03-15 21:49:16 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2012-03-15 21:49:16 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2012-03-15 21:49:15 683008 ----a-w- c:\windows\system32\d2d1.dll
    2012-03-15 21:49:15 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2012-03-15 21:49:15 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2012-03-15 21:49:13 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2012-03-15 21:48:24 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
    2012-03-15 21:48:24 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
    2012-03-15 21:48:16 613376 ----a-w- c:\windows\system32\rdpencom.dll
    2012-03-15 21:48:16 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-03-11 05:19:40 -------- d-----w- c:\users\owner\appdata\roaming\AVG8
    2012-03-11 02:04:39 -------- d-----w- c:\program files\PeerBlock
    2012-03-02 23:28:50 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
    2012-03-02 23:28:50 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
    2012-03-02 23:28:50 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
    2012-03-02 23:28:50 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
    2012-03-02 23:28:50 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
    2012-03-02 23:28:50 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
    2012-03-02 23:28:50 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
    .
    ==================== Find3M ====================
    .
    2012-02-23 17:47:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-02-23 13:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-02-15 23:58:45 1127424 ----a-w- c:\windows\system32\wininet.dll
    2012-02-15 23:58:32 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-02-15 23:58:28 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-02-15 23:58:25 1798656 ----a-w- c:\windows\system32\jscript9.dll
    2012-02-15 23:56:46 680448 ----a-w- c:\windows\system32\msvcrt.dll
    2012-02-15 16:01:50 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
    2012-02-15 16:01:50 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    .
    ============= FINISH: 18:44:08.73 ===============
    and
  2. Broni

    Broni, Malware Annihilator

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ====================================================================

    You're not saying what your computer issues are.

    I still need Attach.txt part of DDS.

    You're running two AV programs, Avira and MSE.
    One of them has to go.
    Your choice.
  3. roughworld

    roughworld Newcomer, in training Topic Starter

    more info...

    Sorry, it should be there; I posted the entire thing cut into sections. I can see it in my posts under my username, but it's not in the thread?.....


    Sorry in advance, but thank you so much for the help.

    OK. I'm getting random lockups, white or pixelated screens, and a notification of the w.sality.p? virus. Losing memory at a bad rate: I'm almost full, a 120 GB HDD shows 111/ and dropped from 20+ available to less than ten in days, and floats around 3-5 GB free. I can clean and scan and remove old restore/shadow copies and get 8-9 GB, but it's gone the next day and I'm worried. I don't want to botch it; I've scanned and updated,
    but to no avail yet.... But I remain optimistic. I have followed the 5 steps and am reading more, awaiting orders.


    As for the condition: I bought a used 2-year-old laptop a couple of years ago and haven't changed much since then, just movies, pics, music, research... I do not want to let this crash. I have what I was recommended. If I should remove one of the programs, I'd be glad to. Avira bothers me, Advanced SystemCare/IObit sucks, McAfee Security Scan Plus is a bore. Malwarebytes helped with a program before, so I left it on. Microsoft Security Essentials seemed good, and Windows Defender says it blocks things sometimes. I think I might even have a paid antivirus I was given, somewhere. I'm not very good at computers, but I seem to bumble along. I think Microsoft updated and gave me some new scanner too. I'll be glad to resolve this, but I'm not sure which files to keep and which is the better to have?

    Attached Files:

  4. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    I'm afraid I have very bad news.

    You are infected with a polymorphic file infector (Sality). This infection can and will infect all the machine's executable files (.exe, .scr, .rar, .zip, .htm, .html). Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine.

    Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain the following files:
    *.exe
    *.scr
    *.htm
    *.html
    *.xml
    *.zip
    *.rar
    *.doc
    *.jpg
    *.pdf

    Backup all your documents and important items only.
    DO NOT backup any files mentioned above.

    I suggest you do the following immediately:

    * Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    * From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
    * DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

    For more information on Virut, and why you need to reformat, have a read of miekiemoes' blog here.

    To find out how to carry out an XP Reformat and Reinstall, please see this page. If you are using Vista, then check this page instead.

    Once you have reformatted and reinstalled Windows, have a look at this page for some useful tips on staying clean, along with links to some freeware to help.

    To find out more information about how you may have got infected in the first place, you can read this article.

    I am sorry I cannot give any better news.
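    As an added illustration of the backup rule in the post above (not Broni's or TechSpot's own tooling): a small Python dry-run planner that walks a folder and separates files into those that may be copied and those on the do-not-backup list, so nothing from that list ends up on the external drive. The extension list is taken from the post; the source folder path is an assumption.

```python
"""Added example: dry-run backup planner that honours the do-not-backup
extension list from the post above. Not part of the original thread."""
import os
from pathlib import PurePath

# Extensions the post says must NOT be backed up (list taken from the post).
DO_NOT_BACKUP = {".exe", ".scr", ".htm", ".html", ".xml",
                 ".zip", ".rar", ".doc", ".jpg", ".pdf"}


def is_risky(path):
    """True if the file's final extension is on the do-not-backup list.
    Matching is case-insensitive, so 'PHOTO.JPG' is treated like 'photo.jpg',
    and only the last suffix counts, so 'holiday.jpg.exe' is judged by '.exe'."""
    return PurePath(path).suffix.lower() in DO_NOT_BACKUP


def classify(paths):
    """Split an iterable of file paths into (keep, skip) lists, preserving order.
    Pure function so it can be checked without touching the filesystem."""
    keep, skip = [], []
    for p in paths:
        (skip if is_risky(p) else keep).append(p)
    return keep, skip


def plan_backup(root):
    """Walk `root` (assumed folder) and classify every regular file found.
    Nothing is copied; this only produces the plan for review."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            found.append(os.path.join(dirpath, name))
    return classify(found)


if __name__ == "__main__":
    # Hypothetical source folder; point it at the documents to be backed up.
    keep, skip = plan_backup(r"C:\Users\Owner\Documents")
    print(f"{len(keep)} files would be copied, {len(skip)} skipped as risky")
    for p in skip:
        print("SKIP", p)
```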
  5. roughworld

    roughworld Newcomer, in training Topic Starter

    Is there anything to do?

    I have years' worth of pics and research, Notepad docs, text files, and some not backed up? Is there any way to disinfect to be able to save the most important things?
    Even my backup HDD may have been connected at some point? Please.
  6. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    You can backup your data.
    Format the drive and reinstall Windows.

    Then...
    Install Panda USB Vaccine, or BitDefender’s USB Immunizer to protect the computer from any infected USB device.

    Now you're ready to plug in your external drive and scan it with your AV program.

