[Closed] I have two Chromes open

[ilam96]

when there should only be one running. I was told I have a duplicating program, which I should get rid of. After reading around the site I decided to follow the updated 8-step Viruses/spyware/malware Preliminary Removal Instructions. I did so and got as far as step 5, for after downloading DDS by sUBs a screen popped up saying "Windows cannot open this file: Pev.dat..." and i should choose webservice to find a program to open it with or select a program from my files. I chose Notepad, which opened up with a lot of programming language, hence I closed the original black DDS screen...and here I am...looking from help from there.

 

[Bobbye]

Before continuing> have you tried to close both of the Chrome browsers, then reboot?

If not, please do so> then let me know what is happening.

 

[ilam96]

have done so, opened task manager and i still have two Chromes open one with more memory usage than the other :-(
will i need to re-do the instructions from step one?...and how do i disable script blocking protection...?

 

[Bobbye]

Have you highlighted one of them> End Task? What happens?

 

[ilam96]

both close

 

[Bobbye]

Okay> so what happens if you launch Chrome again?

Do you understand that it is normal to see more than one entry for Chrome in the Task Manager when you only have one browser Window open> Just like IEv8 can have more than one iexplore.exe process showing with only one active Window.

 

[ilam96]

I understand what your are saying...only, I do not open two browser windows. Now it seems its getting worse, i'm getting duplicate keystrokes too :-( oh what have i done! you know like when i type like it comes out llliiikkeee, but its only happening with my logins/passwords (i'm presuming). definitely my logins

 

[Bobbye]

Okay, please do these scans and leave the logs in your next reply:

If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

 

[ilam96]

I have three users on my PC - my husband (mostly used, bcoz he doesn't require a password to login), my teenaged daughter (who I suspect downloaded the malware); and mine. I am the admin, under which do i run the steps?

 

[Bobbye]

Use the Administrative account.

 

[ilam96]

k, thx, next weekend tho, i'm a working mom. i apologize for taking so long.

 

[Bobbye]

Okay, making a note to myself. Do as soon as you can.

Keep thread open.

 

[ilam96]

sorry it took so long, service was down most of yest. i have run the malware and the log is pasted below:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6123

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

3/21/2011 6:17:44 PM
mbam-log-2011-03-21 (18-17-44).txt

Scan type: Quick scan
Objects scanned: 174982
Time elapsed: 15 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

[ilam96]

this is the DDS.txt

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Lety at 18:37:57.46 on Mon 03/21/2011
Internet Explorer: 8.0.6001.19019
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2039.897 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Norton AntiVirus *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton AntiVirus *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Lety\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/webhp?hl=en
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyn1.dll
mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyn1.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.5.0.125\ips\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyn1.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2348.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Norton Safe Web Lite BHO: {f0da78e9-6b60-42fb-bc26-ef2cfb8c8ff3} - c:\program files\norton safe web lite\engine\1.2.0.6\coIEPlg.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: @c:\program files\msn toolbar\platform\6.3.2348.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2348.0\npwinext.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyn1.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Safe Web Lite: {30ceeea2-3742-40e4-85dd-812bf1cbb83d} - c:\program files\norton safe web lite\engine\1.2.0.6\coIEPlg.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [<NO NAME>]
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-2-1 64288]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1205000.07d\symds.sys [2011-1-6 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1205000.07d\symefa.sys [2011-1-6 652336]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\bashdefs\20110309.001\BHDrvx86.sys [2011-3-10 800376]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_18.1.0.37\definitions\ipsdefs\20110317.002\IDSvix86.sys [2011-3-17 353912]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1205000.07d\ironx86.sys [2011-1-6 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nav\1205000.07d\symtdiv.sys [2011-1-6 330360]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-1-20 21504]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1405384]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\18.5.0.125\ccsvchst.exe [2011-1-6 130000]
R2 NSL;Norton Safe Web Lite;c:\program files\norton safe web lite\engine\1.2.0.6\ccSvcHst.exe [2011-2-4 130000]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-2-1 102448]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-28 136176]
S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15232]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2011-03-20 23:46:06 -------- d-----w- c:\users\lety\appdata\local\{4FE78D2E-68A1-4806-9F82-2D3FE28983E7}
2011-03-18 22:08:48 -------- d-----w- c:\program files\iPod
2011-03-18 22:08:44 -------- d-----w- c:\program files\iTunes
2011-03-12 16:44:12 94848 ----a-w- C:\kwddafob.sys
2011-03-12 16:18:51 -------- d-----w- c:\users\lety\appdata\local\{F67106AC-39EC-4ECE-B493-63C0864549F1}
2011-03-12 15:52:39 -------- d-----w- c:\users\lety\appdata\roaming\Malwarebytes
2011-03-12 15:52:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-12 15:52:21 -------- d-----w- c:\progra~2\Malwarebytes
2011-03-12 15:52:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-12 15:52:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-09 13:19:41 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 13:19:41 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 13:19:41 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 13:19:41 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 13:19:39 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 13:19:38 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-08 20:33:02 -------- d-----w- c:\users\lety\appdata\local\{43BAC96B-D283-41F5-BDDA-4A22501F232E}
2011-03-07 22:54:13 815104 ----a-w- c:\windows\system32\xvidcore.dll
2011-03-07 22:54:13 77824 ----a-w- c:\windows\system32\xvid.ax
2011-03-07 22:54:13 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2011-03-07 22:54:13 -------- d-----w- c:\program files\Xvid
2011-03-07 22:52:26 -------- d-----w- c:\program files\common files\xing shared
2011-03-07 22:46:02 -------- d-----w- c:\users\lety\appdata\local\{56D91CCF-DECB-4212-A326-B3FB97BB8C80}
2011-03-05 17:50:27 -------- d-----w- c:\progra~2\Immortal Lovers
2011-03-04 23:24:55 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-03-07 22:51:59 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-03-07 22:51:59 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-02-18 22:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-08 12:55:21 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
.
============= FINISH: 18:38:52.51 ===============

 

[ilam96]

this is the attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 10/7/2010 12:18:48 AM
System Uptime: 3/21/2011 6:00:51 PM (0 hours ago)
.
Motherboard: ELITEGROUP | | 945GCT-M3
Processor: Intel(R) Celeron(R) CPU E1200 @ 1.60GHz | Socket 775 | 1600/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 287 GiB total, 151.976 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 5.198 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Ad-Aware
Adobe AIR
Adobe Community Help
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Reader X (10.0.1)
Adobe Shockwave Player 11.5
Akamai NetSession Interface
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Print Creations
ArcSoft Print Creations - Album Page
ArcSoft Print Creations - Funhouse
ArcSoft Print Creations - Greeting Card
ArcSoft Print Creations - Photo Book
ArcSoft Print Creations - Photo Calendar
ArcSoft Print Creations - Scrapbook
ArcSoft Print Creations - Slimline Card
Bing Bar
Bing Bar Platform
Bing Rewards Client Installer
Bonjour
BufferChm
CameraHelperMsi
CCScore
Crystal Maze
CustomerResearchQFolder
D3DX10
Dancing with the Stars
Deadtime Stories
DJ_AIO_03_F4200_Software
DJ_AIO_03_F4200_Software_Min
eMachines Games
erLT
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSTOOLS
essvatgt
eSupportQFolder
Fashion Fits!
fflink
Final Drive Fury
Ghost Town Mysteries - Bodie
Goddess Chronicles
Google Chrome
Google Earth Plug-in
Google Toolbar for Internet Explorer
Google Update Helper
Greeting Card Factory Photo Card Maker
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
House, MD
HP Deskjet F4200 All-In-One Driver Software 10.0 Rel .3
Immortal Lovers
iTunes
Java Auto Updater
Java(TM) 6 Update 20
Java(TM) 6 Update 23
Logitech Vid HD
Logitech Webcam Software
LWS Facebook
LWS Gallery
LWS Help_main
LWS Launcher
LWS Motion Detection
LWS Pictures And Video
LWS Twitter
LWS Video Mask Maker
LWS VideoEffects
LWS Webcam Software
LWS WLM Plugin
LWS YouTube Plugin
Magic Academy
Malwarebytes' Anti-Malware
Mesh Runtime
Messenger Companion
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Default Manager
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft UI Engine
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
MobileMe Control Panel
Mortimer Beckett and the Lost King
Mortimer Beckett and the Secrets of Spooky Manor
Mortimer Beckett and the Time Paradox
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Mystery P.I. - Stolen in San Francisco
Mystery P.I. - The Lottery Ticket
netbrdg
Nightfall Mysteries: Asylum Conspiracy
Nightfall Mysteries: Curse of the Opera
Norton AntiVirus
Norton Safe Web Lite
OfotoXMI
OpenOffice.org 3.2
Operation Mania
Peggle
Peggle Nights
Posh Boutique
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Scan
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Segoe UI
SFR
SHASTA
skin0001
SKINXSDK
Soft Data Fax Modem with SmartCP
staticcr
Toolbox
tooltips
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update Installer for WildTangent Games App
Vampire Brides - Love Over Death
Virtual City
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VPRINTOL
WebReg
WildTangent Games App (eMachines Games)
Winamp
Winamp Detector Plug-in
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mesh
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WIRELESS
Xvid 1.2.1 final uninstall
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar
Youda Survivor
Zynga Toolbar
.
==== End Of File ===========================

 

[ilam96]

this is the gmer log

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-03-21 18:30:33
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 ST3320820AS rev.3.AAD
Running: 6mccl3r9.exe; Driver: C:\Users\Lety\AppData\Local\Temp\kwriafob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Ip SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

 

[Bobbye]

Okay, lets handle the security first: you have 2 antivirus programs running:
AV: Lavasoft Ad-Watch Live! Anti-Virus
AV: Norton AntiVirus
You should remove one of these. Please reboot the computer when finished.

Years ago, I used the paid AdAware. Basically, it was an antispyware program. The paid version also had AdWatch which would popups with an alert if any Registry change was being made. But it was not called an AV program. (I ended up disabling AdWatch because all changes in the Registry aren't 'bad' and AdWatch didn't know the difference! I have since uninstalled the program. They have done a couple of major upgrades and it seems that AdWatch is part AV and part antimalware. But representing the program as antivirus means you have to shut it down if you have another AV running!

There are some entries I'm going to need more information on- for instance, do you know what this is for?

2011-03-12 16:44:12 94848 ----a-w- C:\kwddafob.sys

======================================
I know you have a busy schedule, but I'd like you to run the following:

Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner

1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the Active X control to install
4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
5. Click Start
6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
7. Click Scan
8. Wait for the scan to finish
9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
10. Click anywhere in the post where you want the logs to go, the do Ctrl V. The log will be sent from the clipboard and pasted in the post.
11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

==================================
Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop

• Double click combofix.exe & follow the prompts.
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  
  
• .Click on Yes, to continue scanning for malware
• .If Combofix asks you to update the program, allow
• .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• .Close any open browsers.
• .Double click combofix.exe
  
  & follow the prompts to run.
• When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..

Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Post logs when you can.

 

[ilam96]

thanks for replying, i have removed Lavasoft. i now only have Norton running. as to the other entry c:\kwddafob.sys, i don't know for sure; the only thing i can think of that may be associated with is my kodak easy share program that i installed for my digital camera. is there any way i can find out for sure if its something i want to keep?

 

[Bobbye]

Yes, I can look into the file with script you'll run through Combofix. Please go ahead and run the Eset scan and Combofix.

I don't think that file is for Kodak Easyshare- if it was, I should be able to ID it.

 

[ilam96]

well i ran Eset but it took longer than an hour, afterwhich Norton turned on and Eset stalled at about 47%, i had to stop the scan, unfortunately my free trial was over. Now Eset is asking me to purchase or something else which i don't recal, but neither of which i'm able to do. should i uninstall and try downloading it again?

 

[Bobbye]

The Eset link we give it for a free online virus scan. It is not for a free trial. It is advised to use Internet Explorer. IF you are doing the scan through Firefox: you will get the following message:

You are trying to launch ESET Online Scanner in a different browser than Internet Explorer. Please agree to the download of ESET Smart Installer - an application which installs and launches ESET Online Scanner in a separate window. At the end of the scan, there will be an option to uninstall ESET Online Scanner and all its components.

Click on ESET Smart Installer
After successful installation of ESET Smart Installer is ESET Online Scanner launched in a new window.

ESET Online Scanner is not intended to be used as permanent replacement for your computer's security. It's designed to only detect and remove threats via on demand scan.
The following does not apply to you. You are doing an 'on demand scan' not buying a security program to actively run on your system at all time.
Try any ESET product free for 30-days and experience the peace of mind with every-day real-time protection.

Please uninstall whatever Eset program you have an start again:

Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.com/us/online-scanner#

1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the Active X control to install
4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
5. Click Start
6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
7. Click Scan
8. Wait for the scan to finish
9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
10. Click anywhere in the post where you want the logs to go, the do Ctrl V. The log will be sent from the clipboard and pasted in the post.
11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

====================================
Please go ahead and run Combofix after this. IF there is still a problem, run Combofix anyway.

 

[Bobbye]

Thread will be closed in 2 days if there is no reply.