[Closed] Problems after removing Live Security Platinum


Michael_NY

My Asus netbook was infected with Live Security Platinum late last week. I eventually removed it from my system, but now I have other problems that I cannot solve.

Upon startup, all my desktop icons auto-arrange to the left. I have tried many different combinations of desktop settings to fix that, but nothing helped. I also tried the workaround of creating a new profile, but that profile seems to have the same symptoms.

My mouse cursor has an hourglass next to it almost all the time. It is up for about one second, then down for less than a quarter of a second. This cycle never stops.

After being left on over night, my computer is unusable in the morning. Programs are very slow to respond and it took ten minutes just to get my computer to shut down this morning.

Thank you for any suggestions you have.
(let me know if this is posted in the wrong forum)
 
Hello, and welcome to TechSpot.

Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Please review the 5-Step removal instructions and post the logs back here for my review.

Also, include this scan:

Download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
 
DragonMaster Jay,

Sorry for the rude lack of introduction. My name is Michael.

Here are my reports. And thank you for all your help.

==========================================================
Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.06.11

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Michael :: MICHAEL-PC [administrator]

Protection: Disabled

9/6/2012 4:44:55 PM
mbam-log-2012-09-06 (16-44-55).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 194938
Time elapsed: 18 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-09-06 17:15:31
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS545025B9A300 rev.PB2OC60N
Running: 16nmhmcd.exe; Driver: C:\Users\Michael\AppData\Local\Temp\uwliifow.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84CB71F8
Device \Driver\atapi \Device\Ide\IdePort0 84CB71F8
Device \Driver\atapi \Device\Ide\IdePort1 84CB71F8
Device \Driver\amhfoohk \Device\Scsi\amhfoohk1 866741F8
Device \Driver\amhfoohk \Device\Scsi\amhfoohk1Port2Path0Target0Lun0 866741F8
Device \FileSystem\Ntfs \Ntfs 84CB91F8
Device \FileSystem\fastfat \Fat A7BC21F8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Ip SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Process hidden process (*** hidden *** ) 26248
Process AsusSender.exe (*** hidden *** ) 30168
Process hidden process (*** hidden *** ) 31120
Process hidden process (*** hidden *** ) 35836
Process HotkeyService. (*** hidden *** ) 35864
Process hidden process (*** hidden *** ) 36964
Process hidden process (*** hidden *** ) 37180
Process hidden process (*** hidden *** ) 37288
Process hidden process (*** hidden *** ) 37416
Process hidden process (*** hidden *** ) 37616
Process hidden process (*** hidden *** ) 38192
Process hidden process (*** hidden *** ) 38452
Process hidden process (*** hidden *** ) 38604
Process hidden process (*** hidden *** ) 38676
Process hidden process (*** hidden *** ) 38876

---- EOF - GMER 1.0.15 ----

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.7.2
Run by Michael at 17:56:48 on 2012-09-06
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://asus.msn.com
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.9.0.12\IPSBHO.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [Akamai NetSession Interface] "c:\users\michael\appdata\local\akamai\netsession_win.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [SuperHybridEngine] AsusSender.exe c:\program files\eeepc\she\SuperHybridEngine.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [OOBESetup] c:\program files\asus\ooberegbackup\ooberegbackup.exe /restore -"c:\program files\asus\ooberegbackup\OOBEReg.ini"
mRun: [HotkeyService] AsusSender.exe c:\program files\eeepc\hotkeyservice\HotkeyService.exe
mRun: [HotkeyMon] AsusSender.exe c:\program files\eeepc\hotkeyservice\HotKeyMon.exe
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [DigitalZoomControl] "c:\program files\asus\digitalzoomcontrol\DigitalZoomControl.exe"
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [Boingo Wi-Fi] "c:\program files\boingo\boingo wi-fi\Boingo.lnk"
mRun: [ASUS Screen Saver Protector] c:\windows\AsScrPro.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Ad-Aware Browsing Protection] "c:\programdata\ad-aware browsing protection\adawarebp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{285938A6-8C45-4FEC-B7A5-6AC0A63DF19D} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{285938A6-8C45-4FEC-B7A5-6AC0A63DF19D}\2456C6B696E6E253132424E2765756374737 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{285938A6-8C45-4FEC-B7A5-6AC0A63DF19D}\25D4C4055524C49434 : DhcpNameServer = 8.8.8.8 24.92.226.11 24.92.226.12
TCP: Interfaces\{285938A6-8C45-4FEC-B7A5-6AC0A63DF19D}\4516B6169716029516D6167657368696D27657563747 : DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.33.1
TCP: Interfaces\{285938A6-8C45-4FEC-B7A5-6AC0A63DF19D}\544696D61687 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{285938A6-8C45-4FEC-B7A5-6AC0A63DF19D}\C696E6B6379737 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{285938A6-8C45-4FEC-B7A5-6AC0A63DF19D}\E4544574541425 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{285938A6-8C45-4FEC-B7A5-6AC0A63DF19D}\F4365616E665965677 : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{B09B9D05-5626-45E7-86B0-683B10658108} : DhcpNameServer = 209.18.47.61 209.18.47.62
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\michael\appdata\roaming\mozilla\firefox\profiles\3jr7w82x.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\users\michael\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-09-06 20:43:1522344----a-w-c:\windows\system32\drivers\mbam.sys
2012-09-06 20:43:15--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2012-09-05 21:25:17340088----a-w-c:\windows\system32\drivers\nav\1109000.00c\symtdiv.sys
2012-09-05 21:25:1643696----a-w-c:\windows\system32\drivers\nav\1109000.00c\srtspx.sys
2012-09-05 21:25:16328752----a-r-c:\windows\system32\drivers\nav\1109000.00c\symds.sys
2012-09-05 21:25:16173176----a-w-c:\windows\system32\drivers\nav\1109000.00c\symefa.sys
2012-09-05 21:25:15485512----a-w-c:\windows\system32\drivers\nav\1109000.00c\cchpx86.sys
2012-09-05 21:25:15325680----a-w-c:\windows\system32\drivers\nav\1109000.00c\srtsp.sys
2012-09-05 21:25:15116784----a-w-c:\windows\system32\drivers\nav\1109000.00c\ironx86.sys
2012-09-05 21:24:40--------d-----w-c:\windows\system32\drivers\nav\1109000.00C
2012-09-05 13:58:53--------d-----w-C:\RegBackup
2012-09-05 12:40:44--------d-----w-C:\Tweaking.com_Windows_Repair_Logs
2012-09-05 12:40:32--------d-----w-c:\program files\Tweaking.com
2012-09-04 09:17:3093672----a-w-c:\windows\system32\WindowsAccessBridge.dll
2012-09-04 00:47:10--------d-----w-c:\program files\ESET
2012-09-04 00:33:08--------d-sh--w-C:\$RECYCLE.BIN
2012-09-04 00:33:05--------d-----w-c:\users\michael\appdata\local\temp
2012-09-03 23:42:0798816----a-w-c:\windows\sed.exe
2012-09-03 23:42:07518144----a-w-c:\windows\SWREG.exe
2012-09-03 23:42:07256000----a-w-c:\windows\PEV.exe
2012-09-03 23:42:07208896----a-w-c:\windows\MBR.exe
2012-09-03 22:27:56124976----a-w-c:\windows\system32\drivers\SYMEVENT.SYS
2012-09-03 22:27:14--------d-----w-c:\program files\Symantec
2012-09-03 22:27:14--------d-----w-c:\program files\common files\Symantec Shared
2012-09-03 22:26:47--------d-----w-c:\windows\system32\drivers\NAV
2012-09-03 22:26:46--------d-----w-c:\program files\Norton AntiVirus
2012-09-03 22:18:51--------d-----w-c:\program files\NortonInstaller
2012-08-31 18:25:48--------d-----w-c:\programdata\GFI Software
2012-08-31 17:48:01--------d-----w-c:\users\michael\appdata\local\adaware
2012-08-31 17:47:59--------d-----w-c:\programdata\Ad-Aware Browsing Protection
2012-08-31 17:46:36--------d-----w-c:\program files\Ad-Aware Antivirus
2012-08-31 17:45:54--------d-----w-c:\users\michael\appdata\local\Downloaded Installations
2012-08-31 17:25:0312872----a-w-c:\windows\system32\bootdelete.exe
2012-08-30 19:28:29--------d-----w-c:\programdata\HitmanPro
2012-08-30 18:11:51--------d-----w-c:\users\michael\appdata\roaming\Malwarebytes
2012-08-30 18:11:42--------d-----w-c:\programdata\Malwarebytes
2012-08-30 17:09:43--------d-----w-c:\users\michael\appdata\local\NPE
2012-08-30 15:16:26--------d-----w-c:\users\michael\appdata\roaming\Tific
2012-08-30 15:16:22--------d-----w-c:\users\michael\appdata\local\Symantec
2012-08-30 15:07:46--------d-----w-c:\programdata\6C82D0E019ABEDFBC30823FBF875F020
2012-08-16 07:00:22393728----a-w-c:\windows\system32\drivers\bthport.sys
2012-08-16 01:19:13400896----a-w-c:\windows\system32\srcore.dll
2012-08-16 01:19:112345984----a-w-c:\windows\system32\win32k.sys
2012-08-16 01:19:09492032----a-w-c:\windows\system32\win32spl.dll
2012-08-16 01:19:09317440----a-w-c:\windows\system32\spoolsv.exe
2012-08-16 01:19:0441984----a-w-c:\windows\system32\browcli.dll
2012-08-16 01:19:04102912----a-w-c:\windows\system32\browser.dll
2012-08-16 01:19:02769024----a-w-c:\windows\system32\localspl.dll
.
==================== Find3M ====================
.
2012-09-04 09:17:01821736----a-w-c:\windows\system32\npDeployJava1.dll
2012-09-04 09:17:01746984----a-w-c:\windows\system32\deployJava1.dll
.
============= FINISH: 17:59:20.51 ===============

[Window Title]
Asus Eee PC Hotkey Service

[Main Instruction]
Asus Eee PC Hotkey Service has stopped working

[Content]
Windows is checking for a solution to the problem...

[Cancel]

============================================
 
That's fine. Hi Michael!

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------

Click the Start Scan button.

-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


Please download aswMBR from here

  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives

  • Once the scan finishes click Save log to save the log to your Desktop

  • Copy and paste the contents of aswMBR.txt back here for review
 
Thank you, DragonMaster

I attached the new reports as Anti Virus Report - 2

Michael
 

Attachments: Anti Virus Report - 2.txt (71 KB)
Good work.

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
  • Click Start or wait for the scanner to load.
  • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, there are a couple of things to keep in mind:
  • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
  • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
  • Open the logfile from wherever you saved it
  • Copy and paste the contents in your next reply.
 
ESET found nothing.

# AdwCleaner v2.000 - Logfile created 09/07/2012 at 14:50:23
# Updated 30/08/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
# User : Michael - MICHAEL-PC
# Boot Mode : Normal
# Running from : C:\Users\Michael\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v6.0.2 (en-US)

Profile name : default
File : C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\3jr7w82x.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [983 octets] - [06/09/2012 18:02:13]
AdwCleaner[R2].txt - [915 octets] - [07/09/2012 14:50:23]

########## EOF - C:\AdwCleaner[R2].txt - [974 octets] ##########
 
Hi! Your logs appear to be clean. If there are no more issues, then we shall finish up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name, e.g. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive, e.g. C
  • For a few moments the system will make some calculations:
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
 
So far, I have been unable to make a Restore Point. I get a transient error (0x800423F3).
I shall keep trying.
 
Try one or more of the steps, one after the other.
  1. Try to create a System Restore point manually and make a note of the Error Message you get. If you don't get one, check whether one has been created or not.
  2. Make sure that System Restore is enabled on the drives where you want System Restore enabled.
  3. Make sure that you have sufficient disk space on all the drives where System Restore is enabled.
  4. Type Services.msc in the Start Menu Search Box and hit Enter. Make sure that the Volume Shadow Copy and Task Scheduler services are Running and set to Automatic. If the Status of the System Restore Service is not Started, Start it. Also set it to Automatic if it is not. A reboot may be required. Re-confirm again, and now try.
  5. Type eventvwr.msc /s in the Start Menu Search Box and hit Enter to open the Event Viewer. Double-click on Applications & Services Logs and see if you are able to evaluate the event description or the cause of the problem.
  6. Reset the Repository. To do so, follow these steps:
Boot into Safe Mode without networking and open a command prompt as administrator.
Now type net stop winmgmt and hit Enter. This will stop the Windows Management Instrumentation Service.
Next go to C:\Windows\System32\wbem and rename the repository folder to repositoryold.
Restart.
Now again open a command prompt as administrator, type net stop winmgmt and hit Enter.
Next type winmgmt /resetRepository and hit Enter.
Restart.
Now see if you can create a System Restore Point manually.

Info obtained here
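An added example, not from the thread or from any of the tools it names: a read-only PowerShell diagnostic that covers the checks in steps 2 to 5 above (dependent services, the System Restore policy key, free disk space, VSS writer errors and recent related event-log errors) so the cause of a failed restore point can be read off in one pass. The service names, the DisableSR policy value and the vssadmin, Get-ComputerRestorePoint and Get-WinEvent calls are standard Windows ones; the regular expression used to pick out related event providers is an assumption.

```powershell
# Added example, not part of the thread. Run from an elevated PowerShell
# prompt on Windows 7 or later; nothing here changes the system.

function Test-RestoreServices {
    # Step 4: services that System Restore depends on, by their real service
    # names: VSS = Volume Shadow Copy, swprv = Microsoft Software Shadow Copy
    # Provider, Schedule = Task Scheduler. Expected: State Running and
    # StartMode Auto (VSS/swprv may legitimately be Manual, started on demand).
    foreach ($name in 'VSS', 'swprv', 'Schedule') {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) { "{0,-9} MISSING" -f $name; continue }
        "{0,-9} State={1,-8} StartMode={2}" -f $svc.Name, $svc.State, $svc.StartMode
    }
}

function Test-RestorePolicy {
    # Step 2: DisableSR = 1 under the policy key turns System Restore off for
    # every drive (the key Farbar Service Scanner reports under "System Restore
    # Disabled Policy"). A missing key means no policy is set.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
    $policy = Get-ItemProperty -Path $key -Name DisableSR -ErrorAction SilentlyContinue
    if ($policy -and $policy.DisableSR -eq 1) { 'System Restore is DISABLED by policy (DisableSR=1)' }
    else { 'No DisableSR policy in effect' }
    # Existing restore points (step 1: "check if one has been created or not")
    # and the shadow storage that shows which volumes have restore-point space.
    Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
        Select-Object SequenceNumber, Description, CreationTime
    vssadmin list shadowstorage
}

function Test-FreeSpace {
    # Step 3: free space on fixed drives (DriveType 3); restore points need
    # room inside the shadow storage allocation of each protected drive.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
        "{0} {1:N1} GB free of {2:N1} GB" -f $_.DeviceID, ($_.FreeSpace / 1GB), ($_.Size / 1GB)
    }
}

function Get-VssWriterErrors {
    # Error 0x800423F3 is VSS_E_WRITERERROR_RETRYABLE, a transient error
    # reported by a VSS writer. "vssadmin list writers" prints each writer's
    # state and last error; only writers with a recorded error are shown here.
    $writer = $null
    foreach ($line in (vssadmin list writers)) {
        if ($line -match "Writer name: '(.+)'") { $writer = $Matches[1] }
        elseif ($line -match 'Last error: (.+)$' -and $Matches[1].Trim() -ne 'No error') {
            "{0}: {1}" -f $writer, $Matches[1].Trim()
        }
    }
}

function Get-RecentRestoreErrors {
    # Step 5: error-level events (Level 2) from the last 7 days in the
    # Application and System logs whose provider name looks related to VSS or
    # System Restore. The provider-name pattern is an assumption, not an
    # exhaustive list of Windows provider names.
    $since = (Get-Date).AddDays(-7)
    foreach ($log in 'Application', 'System') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2; StartTime = $since } -ErrorAction SilentlyContinue |
            Where-Object { $_.ProviderName -match 'VSS|SystemRestore|System Restore|volsnap' } |
            Select-Object TimeCreated, ProviderName, Id, Message -First 10
    }
}

Test-RestoreServices
Test-RestorePolicy
Test-FreeSpace
Get-VssWriterErrors
Get-RecentRestoreErrors
```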
 
I had to turn off System Protection, then I was able to create a System Restore Point.

Malwarebytes was not automatically removed. I did that manually.

I still have Tweaking.com for Windows on my system from trying to fix this before. Should I remove it?

When running Security Check, I had the following error:
AutoIt Error
Error: Variable must be of type "Object".

Later, I had another thing pop up, but it went away too quickly.
Error... Description...

Here is the report:
================================================
Results of screen317's Security Check version 0.99.50
Windows 7 Service Pack 1 x86 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
CCleaner
JavaFX 2.1.1
Java(TM) 6 Update 30
Java(TM) 6 Update 31
Java 7 Update 7
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player11.0.1.152
Adobe Reader X (10.1.4)
Mozilla Firefox (6.0.2)
Google Chrome 21.0.1180.83
Google Chrome 21.0.1180.89
````````Process Check: objlist.exe by Laurent````````
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````

Thank you.
 
Tweaking.com's app is up to you. I'm fairly neutral about tweaking apps; while they have good provisions, they can also cause problems.

Please remove these from the Program List:

  • Java(TM) 6 Update 30
  • Java(TM) 6 Update 31
Read on why, here: http://secureconnexion.wordpress.com/2012/07/26/java-flaws-becoming-serious-issue/

Adobe Flash Player Update!

Please download the newest version of Adobe Flash Player from Adobe.com

Before installing: it is important to remove older versions of Flash Player since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Flash Player. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.


Personal Tips on Preventing Malware

See this page for more info about malware and prevention.

Any other questions before I mark this topic solved?
 
DragonMaster Jay,

Thank you for all the tips. I am almost certain that the flaws in Java caused my initial problem.

However, the symptoms that I stated in my first post have not gone away. My icons still auto-arrange themselves at startup and my mouse pointer still gets an hourglass next to it 90% of the time.

I have noticed the following as well:

The Task Manager has AsusSender.exe show as running, then going away, every half second or so. Same with HotkeyService.exe, and a few rundll32.exe, and WerFault.exe.


For the past several days, upon trying to shut down, I get the following:
-------------------------------
The instruction at 0x00418556 referenced memory at
0x00000000. The memory could not be read.

Click OK to terminate the program
--------------------------------

I also have the following:
-----------------------------------
(Waiting for) AsusAcpiService
This program is preventing Windows from shutting down.

AsusAcpiService:HotkeyService.exe - Application Error
---------------------------------
After hitting OK to terminate the first warning, the other two programs go away, then my computer spends several seconds "Waiting for background programs to close", with no programs listed.

Any suggestions on how to repair any of this?
 
Check with the following tool here, for diagnostics...

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Check the following options: Internet Services, Windows Firewall, System restore, Security Center/Action Center, Windows Update, and Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
 
Here you go

Farbar Service Scanner Version: 06-08-2012
Ran by Michael (administrator) on 11-09-2012 at 16:40:37
Running from "C:\Users\Michael\Desktop"
Windows 7 Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\windows\system32\nsisvc.dll => MD5 is legit
C:\windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\windows\system32\dhcpcore.dll => MD5 is legit
C:\windows\system32\Drivers\afd.sys => MD5 is legit
C:\windows\system32\Drivers\tdx.sys => MD5 is legit
C:\windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\windows\system32\dnsrslvr.dll => MD5 is legit
C:\windows\system32\mpssvc.dll => MD5 is legit
C:\windows\system32\bfe.dll => MD5 is legit
C:\windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\windows\system32\SDRSVC.dll => MD5 is legit
C:\windows\system32\vssvc.exe => MD5 is legit
C:\windows\system32\wscsvc.dll => MD5 is legit
C:\windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\windows\system32\wuaueng.dll => MD5 is legit
C:\windows\system32\qmgr.dll => MD5 is legit
C:\windows\system32\es.dll => MD5 is legit
C:\windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\windows\system32\svchost.exe => MD5 is legit
C:\windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
 
These tasks can be ended...
The Task Manager has AsusSender.exe show as running, then going away, every half second or so. Same with HotkeyService.exe, and a few rundll32.exe, and WerFault.exe.

For the auto-arrange problem, right-click on the Desktop and mouseover View > select Auto arrange icons (make sure unchecked).

Open CCleaner, click Tools > Startup. Let it load for a bit, then click Save to text file... - once that's done, please post the contents of that log in your next reply.
 
I cannot end those tasks. Each of them is up for less than a second before ending on its own and then starting again; repeat.

I have made sure that Auto arrange is unchecked. On a related note: I have tried to turn it on (just so I could convince my computer that I really do want it off), but upon restarting my computer, it is unchecked again. I seem unable to alter any of my desktop properties (at least as they relate to my icons).

Here is the report:

Enabled | Key | Program | Publisher | File
Yes | HKCU:Run | Akamai NetSession Interface | Akamai Technologies, Inc. | "C:\Users\Michael\AppData\Local\Akamai\netsession_win.exe"
Yes | HKCU:Run | DAEMON Tools Lite | DT Soft Ltd | "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
Yes | HKCU:Run | NortonUpdateAgent | Symantec Corporation | C:\ProgramData\Norton\NUA.exe
Yes | HKLM:Run | Ad-Aware Browsing Protection | Lavasoft | "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
Yes | HKLM:Run | Adobe ARM | Adobe Systems Incorporated | "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Yes | HKLM:Run | APSDaemon | Apple Inc. | "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
Yes | HKLM:Run | ASUS Screen Saver Protector | ASUS | C:\Windows\AsScrPro.exe
Yes | HKLM:Run | Boingo Wi-Fi | | "C:\Program Files\Boingo\Boingo Wi-Fi\Boingo.lnk"
Yes | HKLM:Run | BrStsWnd | brother | C:\Program Files\Brownie\BrstsWnd.exe Autorun
Yes | HKLM:Run | DigitalZoomControl | ASUSTek | "C:\Program Files\ASUS\DigitalZoomControl\DigitalZoomControl.exe"
Yes | HKLM:Run | EvtMgr6 | Logitech, Inc. | C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
Yes | HKLM:Run | HotkeyMon | ASUSTek Computer Inc. | AsusSender.exe C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe
Yes | HKLM:Run | HotkeyService | ASUSTek Computer Inc. | AsusSender.exe C:\Program Files\EeePC\HotkeyService\HotkeyService.exe
Yes | HKLM:Run | OOBESetup | ASUSTeK Computer Inc. | C:\Program Files\asus\OOBERegBackup\OOBERegBackup.exe /restore -"C:\Program Files\asus\OOBERegBackup\OOBEReg.ini"
Yes | HKLM:Run | QuickTime Task | Apple Inc. | "C:\Program Files\QuickTime\QTTask.exe" -atboottime
Yes | HKLM:Run | RtHDVCpl | Realtek Semiconductor | C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
Yes | HKLM:Run | SuperHybridEngine | ASUSTek Computer Inc. | AsusSender.exe C:\Program Files\EeePC\SHE\SuperHybridEngine.exe
Yes | HKLM:Run | SynTPEnh | Synaptics Incorporated | %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
Yes | HKLM:Run | WinampAgent | Nullsoft, Inc. | "C:\Program Files\Winamp\winampa.exe"
Yes | Startup Common | Bluetooth.lnk | Broadcom Corporation. | C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
Yes | Startup Common | Microsoft Find Fast.lnk | | C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
Yes | Startup Common | Office Startup.lnk | | C:\Program Files\Microsoft Office\Office\OSA.EXE

Thank you
 
  • Download RogueKiller and save it on your desktop.
  • Quit all programs.
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan.
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.
  • Next click on the ShortcutsFix.
  • The report has been created on the desktop.
Please post:

All RKreport.txt text files located on your desktop.
 
DragonMaster Jay,

Thanks for all you are doing. Here are the three reports.

----------------------------------------------------

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Michael [Admin rights]
Mode : Scan -- Date : 09/13/2012 08:08:15

¤¤¤ Bad processes : 4 ¤¤¤
[SUSP PATH][DLL] explorer.exe -- C:\Windows\explorer.exe : C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.dll -> UNLOADED
[SUSP PATH] NUA.exe -- C:\ProgramData\Norton\NUA.exe -> KILLED [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : -> KILLED [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : -> KILLED [TermProc]

¤¤¤ Registry Entries : 9 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : NortonUpdateAgent (C:\ProgramData\Norton\NUA.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3716613784-1258854080-1605684737-1000[...]\Run : NortonUpdateAgent (C:\ProgramData\Norton\NUA.exe) -> FOUND
[TASK][RESIDU] ProgramDataUpdater : C:\Windows\System32\rundll32.exe -> FOUND
[TASK][RESIDU] Proxy : C:\Windows\System32\rundll32.exe -> FOUND
[TASK][RESIDU] SR : C:\Windows\System32\rundll32.exe -> FOUND
[TASK][RESIDU] IpAddressConflict1 : C:\Windows\System32\rundll32.exe -> FOUND
[TASK][RESIDU] IpAddressConflict2 : C:\Windows\System32\rundll32.exe -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x832FCCA9 -> HOOKED (Unknown @ 0x86D4DB18)
SSDT[14] : NtAlertThread @ 0x8324FBC0 -> HOOKED (Unknown @ 0x86D4C388)
SSDT[19] : NtAllocateVirtualMemory @ 0x83248BCC -> HOOKED (Unknown @ 0x86FE07E8)
SSDT[22] : NtAlpcConnectPort @ 0x8329444E -> HOOKED (Unknown @ 0x865170B8)
SSDT[43] : NtAssignProcessToJobObject @ 0x8321DFCA -> HOOKED (Unknown @ 0x86D79128)
SSDT[74] : NtCreateMutant @ 0x8322F28E -> HOOKED (Unknown @ 0x86FE7720)
SSDT[86] : NtCreateSymbolicLinkObject @ 0x832208ED -> HOOKED (Unknown @ 0x86477E98)
SSDT[87] : NtCreateThread @ 0x832FAED6 -> HOOKED (Unknown @ 0x86FE67F0)
SSDT[88] : NtCreateThreadEx @ 0x8328F34B -> HOOKED (Unknown @ 0x86477F68)
SSDT[96] : NtDebugActiveProcess @ 0x832CCDB0 -> HOOKED (Unknown @ 0x86D73A90)
SSDT[111] : NtDuplicateObject @ 0x8325065A -> HOOKED (Unknown @ 0x86FE0940)
SSDT[131] : NtFreeVirtualMemory @ 0x830D847A -> HOOKED (Unknown @ 0x86FE7E68)
SSDT[145] : NtImpersonateAnonymousToken @ 0x832148BC -> HOOKED (Unknown @ 0x86D61350)
SSDT[147] : NtImpersonateThread @ 0x8329884C -> HOOKED (Unknown @ 0x86D612D8)
SSDT[155] : NtLoadDriver @ 0x831E4BFC -> HOOKED (Unknown @ 0x8629DA98)
SSDT[168] : NtMapViewOfSection @ 0x83265512 -> HOOKED (Unknown @ 0x86FE7D88)
SSDT[177] : NtOpenEvent @ 0x8322EC8A -> HOOKED (Unknown @ 0x86D6A628)
SSDT[190] : NtOpenProcess @ 0x83230AD4 -> HOOKED (Unknown @ 0x86FE0AE0)
SSDT[191] : NtOpenProcessToken @ 0x8328321F -> HOOKED (Unknown @ 0x86CEC948)
SSDT[194] : NtOpenSection @ 0x8328889B -> HOOKED (Unknown @ 0x86D6E130)
SSDT[198] : NtOpenThread @ 0x8327CF95 -> HOOKED (Unknown @ 0x86FE0A10)
SSDT[215] : NtProtectVirtualMemory @ 0x83261581 -> HOOKED (Unknown @ 0x86FE7058)
SSDT[304] : NtResumeThread @ 0x8328F572 -> HOOKED (Unknown @ 0x86D3C920)
SSDT[316] : NtSetContextThread @ 0x832FC755 -> HOOKED (Unknown @ 0x86D2E118)
SSDT[333] : NtSetInformationProcess @ 0x8325776D -> HOOKED (Unknown @ 0x86FE7C30)
SSDT[350] : NtSetSystemInformation @ 0x8326D26C -> HOOKED (Unknown @ 0x86D73048)
SSDT[366] : NtSuspendProcess @ 0x832FCBE3 -> HOOKED (Unknown @ 0x86D6FF90)
SSDT[367] : NtSuspendThread @ 0x832B4085 -> HOOKED (Unknown @ 0x86D3C068)
SSDT[370] : NtTerminateProcess @ 0x83279BCD -> HOOKED (Unknown @ 0x86CEA4C8)
SSDT[371] : NtTerminateThread @ 0x83297584 -> HOOKED (Unknown @ 0x86D32B90)
SSDT[385] : NtUnmapViewOfSection @ 0x8328385A -> HOOKED (Unknown @ 0x86D25760)
SSDT[399] : NtWriteVirtualMemory @ 0x8327E92A -> HOOKED (Unknown @ 0x86FE7F38)
S_SSDT[318] : Unknown -> HOOKED (Unknown @ 0x87E1D2E8)
S_SSDT[402] : Unknown -> HOOKED (Unknown @ 0x87E0E2C8)
S_SSDT[434] : Unknown -> HOOKED (Unknown @ 0x87E02390)
S_SSDT[436] : Unknown -> HOOKED (Unknown @ 0x87E26E00)
S_SSDT[448] : Unknown -> HOOKED (Unknown @ 0x87BCC210)
S_SSDT[490] : Unknown -> HOOKED (Unknown @ 0x87E41E08)
S_SSDT[508] : Unknown -> HOOKED (Unknown @ 0x87E1A7A8)
S_SSDT[509] : Unknown -> HOOKED (Unknown @ 0x87E29E08)
S_SSDT[585] : Unknown -> HOOKED (Unknown @ 0x87BD90B0)
S_SSDT[588] : Unknown -> HOOKED (Unknown @ 0x87E111D8)
IRP[IRP_MJ_CREATE] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
IRP[IRP_MJ_CLOSE] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
IRP[IRP_MJ_POWER] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
IRP[IRP_MJ_PNP] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 5f9074452f51f11d2d580847a94ef254
[BSP] 8e7f089651944c89a69681dea7db699e : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 102400 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 209717248 | Size: 125816 Mo
2 - [XXXXXX] FAT32 (0x1b) [HIDDEN!] Offset (sectors): 467388416 | Size: 10240 Mo
3 - [XXXXXX] UNKNOWN (0xef) [VISIBLE] Offset (sectors): 488359936 | Size: 15 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Michael [Admin rights]
Mode : Remove -- Date : 09/13/2012 08:10:25

¤¤¤ Bad processes : 4 ¤¤¤
[SUSP PATH][DLL] explorer.exe -- C:\Windows\explorer.exe : C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.dll -> UNLOADED
[SUSP PATH] NUA.exe -- C:\ProgramData\Norton\NUA.exe -> KILLED [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : -> KILLED [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : -> KILLED [TermProc]

¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : NortonUpdateAgent (C:\ProgramData\Norton\NUA.exe) -> DELETED
[TASK][RESIDU] ProgramDataUpdater : C:\Windows\System32\rundll32.exe -> DELETED
[TASK][RESIDU] Proxy : C:\Windows\System32\rundll32.exe -> DELETED
[TASK][RESIDU] SR : C:\Windows\System32\rundll32.exe -> DELETED
[TASK][RESIDU] IpAddressConflict1 : C:\Windows\System32\rundll32.exe -> DELETED
[TASK][RESIDU] IpAddressConflict2 : C:\Windows\System32\rundll32.exe -> DELETED
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x832FCCA9 -> HOOKED (Unknown @ 0x86D4DB18)
SSDT[14] : NtAlertThread @ 0x8324FBC0 -> HOOKED (Unknown @ 0x86D4C388)
SSDT[19] : NtAllocateVirtualMemory @ 0x83248BCC -> HOOKED (Unknown @ 0x86FE07E8)
SSDT[22] : NtAlpcConnectPort @ 0x8329444E -> HOOKED (Unknown @ 0x865170B8)
SSDT[43] : NtAssignProcessToJobObject @ 0x8321DFCA -> HOOKED (Unknown @ 0x86D79128)
SSDT[74] : NtCreateMutant @ 0x8322F28E -> HOOKED (Unknown @ 0x86FE7720)
SSDT[86] : NtCreateSymbolicLinkObject @ 0x832208ED -> HOOKED (Unknown @ 0x86477E98)
SSDT[87] : NtCreateThread @ 0x832FAED6 -> HOOKED (Unknown @ 0x86FE67F0)
SSDT[88] : NtCreateThreadEx @ 0x8328F34B -> HOOKED (Unknown @ 0x86477F68)
SSDT[96] : NtDebugActiveProcess @ 0x832CCDB0 -> HOOKED (Unknown @ 0x86D73A90)
SSDT[111] : NtDuplicateObject @ 0x8325065A -> HOOKED (Unknown @ 0x86FE0940)
SSDT[131] : NtFreeVirtualMemory @ 0x830D847A -> HOOKED (Unknown @ 0x86FE7E68)
SSDT[145] : NtImpersonateAnonymousToken @ 0x832148BC -> HOOKED (Unknown @ 0x86D61350)
SSDT[147] : NtImpersonateThread @ 0x8329884C -> HOOKED (Unknown @ 0x86D612D8)
SSDT[155] : NtLoadDriver @ 0x831E4BFC -> HOOKED (Unknown @ 0x8629DA98)
SSDT[168] : NtMapViewOfSection @ 0x83265512 -> HOOKED (Unknown @ 0x86FE7D88)
SSDT[177] : NtOpenEvent @ 0x8322EC8A -> HOOKED (Unknown @ 0x86D6A628)
SSDT[190] : NtOpenProcess @ 0x83230AD4 -> HOOKED (Unknown @ 0x86FE0AE0)
SSDT[191] : NtOpenProcessToken @ 0x8328321F -> HOOKED (Unknown @ 0x86CEC948)
SSDT[194] : NtOpenSection @ 0x8328889B -> HOOKED (Unknown @ 0x86D6E130)
SSDT[198] : NtOpenThread @ 0x8327CF95 -> HOOKED (Unknown @ 0x86FE0A10)
SSDT[215] : NtProtectVirtualMemory @ 0x83261581 -> HOOKED (Unknown @ 0x86FE7058)
SSDT[304] : NtResumeThread @ 0x8328F572 -> HOOKED (Unknown @ 0x86D3C920)
SSDT[316] : NtSetContextThread @ 0x832FC755 -> HOOKED (Unknown @ 0x86D2E118)
SSDT[333] : NtSetInformationProcess @ 0x8325776D -> HOOKED (Unknown @ 0x86FE7C30)
SSDT[350] : NtSetSystemInformation @ 0x8326D26C -> HOOKED (Unknown @ 0x86D73048)
SSDT[366] : NtSuspendProcess @ 0x832FCBE3 -> HOOKED (Unknown @ 0x86D6FF90)
SSDT[367] : NtSuspendThread @ 0x832B4085 -> HOOKED (Unknown @ 0x86D3C068)
SSDT[370] : NtTerminateProcess @ 0x83279BCD -> HOOKED (Unknown @ 0x86CEA4C8)
SSDT[371] : NtTerminateThread @ 0x83297584 -> HOOKED (Unknown @ 0x86D32B90)
SSDT[385] : NtUnmapViewOfSection @ 0x8328385A -> HOOKED (Unknown @ 0x86D25760)
SSDT[399] : NtWriteVirtualMemory @ 0x8327E92A -> HOOKED (Unknown @ 0x86FE7F38)
S_SSDT[318] : Unknown -> HOOKED (Unknown @ 0x87E1D2E8)
S_SSDT[402] : Unknown -> HOOKED (Unknown @ 0x87E0E2C8)
S_SSDT[434] : Unknown -> HOOKED (Unknown @ 0x87E02390)
S_SSDT[436] : Unknown -> HOOKED (Unknown @ 0x87E26E00)
S_SSDT[448] : Unknown -> HOOKED (Unknown @ 0x87BCC210)
S_SSDT[490] : Unknown -> HOOKED (Unknown @ 0x87E41E08)
S_SSDT[508] : Unknown -> HOOKED (Unknown @ 0x87E1A7A8)
S_SSDT[509] : Unknown -> HOOKED (Unknown @ 0x87E29E08)
S_SSDT[585] : Unknown -> HOOKED (Unknown @ 0x87BD90B0)
S_SSDT[588] : Unknown -> HOOKED (Unknown @ 0x87E111D8)
IRP[IRP_MJ_CREATE] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
IRP[IRP_MJ_CLOSE] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
IRP[IRP_MJ_POWER] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)
IRP[IRP_MJ_PNP] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 5f9074452f51f11d2d580847a94ef254
[BSP] 8e7f089651944c89a69681dea7db699e : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 102400 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 209717248 | Size: 125816 Mo
2 - [XXXXXX] FAT32 (0x1b) [HIDDEN!] Offset (sectors): 467388416 | Size: 10240 Mo
3 - [XXXXXX] UNKNOWN (0xef) [VISIBLE] Offset (sectors): 488359936 | Size: 15 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Michael [Admin rights]
Mode : Shortcuts HJfix -- Date : 09/13/2012 08:12:36

¤¤¤ Bad processes : 4 ¤¤¤
[SUSP PATH][DLL] explorer.exe -- C:\Windows\explorer.exe : C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.dll -> UNLOADED
[SUSP PATH] NUA.exe -- C:\ProgramData\Norton\NUA.exe -> KILLED [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : -> KILLED [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : -> KILLED [TermProc]

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 1 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 27 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 26 / Fail 6
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[F:] \Device\HarddiskVolume5 -- 0x2 --> Restored

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt


Michael
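A small triage script for reports in the RogueKiller V8 layout posted above, added here as an example; it is not code from this thread and not part of RogueKiller itself. It splits a report into its ¤¤¤ sections, pulls out the two [HJ] UAC values (EnableLUA, where 0 means UAC is switched off, and ConsentPromptBehaviorAdmin, where 0 means administrators are elevated without any prompt), counts the SSDT/IRP hooks and the processes RogueKiller killed, and lists the HOSTS entries. A flag is raised only for an entry still marked FOUND, so a Remove-mode report that shows REPLACED (1) clears it. SAMPLE_REPORT is a constructed excerpt assembled from lines in the reports above; the Triage fields and the function names are my own.

```python
"""Triage helper for RogueKiller V8 text reports (added example; not code from
the thread above and not part of RogueKiller itself)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the RogueKiller V8 layout posted above: section headers
# between ¤¤¤ markers, one finding per line. Paths and addresses are copied from
# the posted reports purely as sample data.
SAMPLE_REPORT = r"""RogueKiller V8.0.2 [08/31/2012] by Tigzy
Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Mode : Scan -- Date : 09/13/2012 08:08:15

¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] NUA.exe -- C:\ProgramData\Norton\NUA.exe -> KILLED [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : -> KILLED [TermProc]

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : NortonUpdateAgent (C:\ProgramData\Norton\NUA.exe) -> FOUND
[TASK][RESIDU] Proxy : C:\Windows\System32\rundll32.exe -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[190] : NtOpenProcess @ 0x83230AD4 -> HOOKED (Unknown @ 0x86FE0AE0)
SSDT[370] : NtTerminateProcess @ 0x83279BCD -> HOOKED (Unknown @ 0x86CEA4C8)
S_SSDT[318] : Unknown -> HOOKED (Unknown @ 0x87E1D2E8)
IRP[IRP_MJ_CREATE] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x850B71F8)

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost
"""

SECTION_RE = re.compile(r"^¤¤¤\s*(?P<name>[^:¤]+?)\s*(?::.*)?¤¤¤\s*$")
PROC_RE = re.compile(r"^\[(?:[^\]]+\])+\s+\S+\s+--\s+.*->\s*(?:KILLED|UNLOADED)")
HJ_RE = re.compile(r"^\[HJ\]\s+(?P<key>\S+)\s*:\s*(?P<value>\w+)\s*"
                   r"\((?P<data>[^)]*)\)\s*->\s*(?P<action>.+?)\s*$")
HOOK_RE = re.compile(r"^(?P<table>S_SSDT|SSDT)\[(?P<index>\d+)\]\s*:\s*(?P<func>\S+)"
                     r"(?:\s*@\s*0x[0-9A-Fa-f]+)?\s*->\s*HOOKED\s*\((?P<owner>.+?)\s*@\s*0x[0-9A-Fa-f]+\)")
IRP_RE = re.compile(r"^IRP\[(?P<major>IRP_MJ_\w+)\]\s*:\s*(?P<driver>\S+)\s*->\s*HOOKED")


@dataclass
class Triage:
    sections: dict = field(default_factory=dict)    # section name -> lines
    uac: dict = field(default_factory=dict)         # value name -> (data, action)
    ssdt_hooks: list = field(default_factory=list)  # (table, index, function, owner)
    irp_hooks: list = field(default_factory=list)   # (major function, driver)
    hosts_entries: list = field(default_factory=list)
    killed_processes: int = 0
    flags: list = field(default_factory=list)


def split_sections(text):
    """Group non-blank report lines under the ¤¤¤ header that precedes them."""
    sections, current = {}, "Header"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        elif line:
            sections.setdefault(current, []).append(line)
    return sections


def triage(text):
    """Parse one report and raise flags only for what is still wrong after the run."""
    t = Triage(sections=split_sections(text))
    t.killed_processes = sum(1 for ln in t.sections.get("Bad processes", []) if PROC_RE.match(ln))
    for line in t.sections.get("Registry Entries", []):
        m = HJ_RE.match(line)
        if m and m.group("value") in ("EnableLUA", "ConsentPromptBehaviorAdmin"):
            t.uac[m.group("value")] = (m.group("data"), m.group("action"))
    for line in t.sections.get("Driver", []):
        m = HOOK_RE.match(line)
        if m:
            t.ssdt_hooks.append((m.group("table"), int(m.group("index")),
                                 m.group("func"), m.group("owner")))
            continue
        m = IRP_RE.match(line)
        if m:
            t.irp_hooks.append((m.group("major"), m.group("driver")))
    t.hosts_entries = [ln for ln in t.sections.get("HOSTS File", []) if not ln.startswith("-->")]

    # A [HJ] entry still marked FOUND has not been repaired; a Remove-mode
    # report shows "REPLACED (n)" instead and must not raise the flag again.
    def still_found(name):
        data, action = t.uac.get(name, (None, ""))
        return data == "0" and action.startswith("FOUND")

    if still_found("EnableLUA"):                   # 0 = UAC switched off
        t.flags.append("uac_disabled")
    if still_found("ConsentPromptBehaviorAdmin"):  # 0 = elevate without prompting
        t.flags.append("uac_silent_elevation")
    if t.ssdt_hooks and all(h[3] == "Unknown" for h in t.ssdt_hooks):
        t.flags.append("unattributed_kernel_hooks")
    if any(e.split()[1:] != ["localhost"] for e in t.hosts_entries):
        t.flags.append("hosts_modified")
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("sections:", ", ".join(result.sections))
    print("UAC values:", result.uac)
    print("SSDT hooks:", len(result.ssdt_hooks), "IRP hooks:", len(result.irp_hooks))
    print("flags:", result.flags)
```

One caveat the script encodes in its flag name: every hook in the posted reports resolves to "Unknown", and on 32-bit Windows 7, which has no kernel patch protection, that is also what a third-party security suite's own SSDT and IRP hooks look like (Norton and Ad-Aware are both present in the startup list above), so the hooks are reported as unattributed for follow-up rather than as an infection. The UAC values are the actionable part: both were at 0 in the Scan report and RogueKiller's Remove run put them back to 2 and 1.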
 
They are running roughly the same as before. I still have the hourglass show up by my mouse cursor all the time and the startup seems slow. Desktop icons continue to auto-arrange at startup. The machine seems better than it did a week or so ago, but not as good as before I picked up Live Security Platinum.
 
Download Windows Repair (all in one) from this site

Install the program then run it.

Go to Step 2 and allow it to run CheckDisk by clicking on the Do It button.

Once that is done, go to Step 3 and allow it to run System File Check by clicking on the Do It button.

Go to Step 4 and under "System Restore" click on the Create button.

Go to the Start Repairs tab and click the Start button.

Please ensure that ONLY the items seen in the image below are ticked as indicated (they're all checked by default):

[screenshot]

Click on the box next to Restart System when Finished. Then click on Start.
 
DMJ,

I no longer seem to have the background programs running and things seem to be quicker now. I still have been unable to get the desktop to stop auto-arranging at startup, but I've been away for a few days and haven't been able to try all settings. Thanks for all the assistance.

Michael
 
Let's see if the Desktop icon layout will solve itself, if we do the following...

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note for Vista: Right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL C (or, after highlighting, right-click and choose Copy):

    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop]
    "desktop"=-

    :Commands
    [emptytemp]
    [purity]
    [Reboot]

  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 