Kathryn Rowan
Posts: 62 +0
After I select "Repair your computer" when rebooting, I get a screen that asks for a user name and password. It doesn't accept the user name and password for the only user on this computer. What do I do?
Solved Host Process for Windows Services has stopped working
- Thread starter Kathryn Rowan
- Start date
Kathryn Rowan
Posts: 62 +0
Here's the report from Combofix:
ComboFix 13-03-19.01 - Robert 03/19/2013 20:44:42.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1791.893 [GMT -6:00]
Running from: c:\users\Robert\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2013-02-20 to 2013-03-20 )))))))))))))))))))))))))))))))
.
.
2013-03-20 02:52 . 2013-03-20 02:52--------d-----w-c:\users\Robert\AppData\Local\temp
2013-03-20 02:52 . 2013-03-20 02:52--------d-----w-c:\windows\system32\config\systemprofile\AppData\Local\temp
2013-03-20 02:52 . 2013-03-20 02:52--------d-----w-c:\users\QBDataServiceUser20\AppData\Local\temp
2013-03-20 02:52 . 2013-03-20 02:52--------d-----w-c:\users\QBDataServiceUser19\AppData\Local\temp
2013-03-20 02:52 . 2013-03-20 02:52--------d-----w-c:\users\Default\AppData\Local\temp
2013-03-20 01:23 . 2013-03-15 07:217108640----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{39579FD8-4700-434E-B911-D8E280EB94E5}\mpengine.dll
2013-03-19 20:38 . 2013-03-19 20:38--------d-----w-c:\program files\ESET
2013-03-19 20:12 . 2013-03-19 20:12--------d-----w-C:\_OTL
2013-03-19 17:59 . 2013-02-07 22:456954968----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-03-19 14:13 . 2013-03-19 14:13--------d-----w-c:\windows\ERUNT
2013-03-19 14:13 . 2013-03-19 14:13--------d-----w-C:\JRT
2013-03-18 21:49 . 2013-03-18 21:49--------d-----w-c:\program files\7-Zip
2013-03-18 21:31 . 2013-03-18 21:31--------d-----w-c:\users\Robert\CD95F661A5C444F5A6AAECDD91C240CC.TMP
2013-03-17 18:34 . 2013-03-17 18:32740840------w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{86F08306-FA33-40DC-BB0A-8A5DE89DDE07}\gapaengine.dll
2013-03-17 18:18 . 2013-03-17 18:19--------d-----w-c:\program files\Microsoft Security Client
2013-03-08 13:58 . 2013-03-08 13:5894112----a-w-c:\windows\system32\WindowsAccessBridge.dll
2013-02-27 11:05 . 2013-02-27 11:05--------d-----w-c:\windows\system32\config\systemprofile\AppData\Local\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-08 13:58 . 2012-05-20 19:20861088----a-w-c:\windows\system32\npdeployJava1.dll
2013-03-08 13:58 . 2010-05-01 20:26782240----a-w-c:\windows\system32\deployJava1.dll
2013-01-30 10:53 . 2010-06-12 22:41232336------w-c:\windows\system32\MpSigStub.exe
2013-01-28 20:02 . 2013-01-28 20:025113072----a-w-c:\windows\uninst.exe
2013-01-20 21:59 . 2013-01-20 21:59195296----a-w-c:\windows\system32\drivers\MpFilter.sys
2013-01-20 21:59 . 2013-01-20 21:59100328----a-w-c:\windows\system32\drivers\NisDrvWFP.sys
2013-01-05 05:26 . 2013-02-13 08:303550072----a-w-c:\windows\system32\ntoskrnl.exe
2013-01-05 05:26 . 2013-02-13 08:303602808----a-w-c:\windows\system32\ntkrnlpa.exe
2013-01-04 11:28 . 2013-02-13 08:30914792----a-w-c:\windows\system32\drivers\tcpip.sys
2013-01-04 01:55 . 2013-02-13 08:3031232----a-w-c:\windows\system32\drivers\tcpipreg.sys
2013-01-04 01:38 . 2013-02-13 08:302048512----a-w-c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 10:0039472----a-w-c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Robert^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-02-02 18:051261568----a-w-c:\program files\Acer Assist\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Empowering Technology Monitor]
2008-01-10 02:43326176----a-w-c:\acer\Empowering Technology\SysMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2007-10-15 20:433387392----a-w-c:\program files\Acer Registration\ACE1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-03 07:35946352----a-w-c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-12-18 14:2838112----a-w-c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-11-28 21:1359280----a-w-c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BkupTray]
2008-01-23 20:3334552----a-w-c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-04-04 01:501603152----a-w-c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-05-15 01:01644696----a-w-c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-01-03 09:55521776----a-w-c:\acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25125952----a-w-c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-07-08 03:0430192----a-w-c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2011-10-03 10:44161336----a-w-c:\program files\Google\Google Updater\GoogleUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-27 01:3630040----a-w-c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2010-10-19 10:581439496----a-w-c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-12-12 20:57152544----a-w-c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2008-09-17 21:1432768----a-w-c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2013-01-27 17:11947152----a-w-c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2008-12-13 00:06642856----a-w-c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 18:0279400----a-w-c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMMediaSharing]
2008-01-26 02:49204908----a-w-c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 10:12421888----a-w-c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-07-06 03:064669440----a-w-c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2009-02-03 13:15111856----a-w-c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetPoint]
2005-03-31 23:19434176----a-w-c:\program files\Logitech\SetPoint\SetPoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-06-15 08:451826816----a-w-c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2007-02-02 00:37630784----a-w-c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 15:03210472----a-w-c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 18:3590112----a-w-c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 16:04252848----a-w-c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-07-15 14:5268856----a-w-c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-10-29 17:50296096----a-w-c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:231008184----a-w-c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-11 06:282153472----a-w-c:\windows\System32\oobefldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25202240----a-w-c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
2006-09-20 14:3520480----a-w-c:\windows\System32\spool\drivers\w32x86\3\WrtMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2009-02-03 13:15111856----a-w-c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
2002-11-23 08:15631362----a-w-c:\program files\Logitech\iTouch\iTouch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R4 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonationREG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-03-12 17:201629648----a-w-c:\program files\Google\Chrome\Application\25.0.1364.172\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-18 13:11]
.
2013-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 00:04]
.
2013-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 00:04]
.
2013-03-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4152560199-2736179257-3684623034-1000.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 20:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.yahoo.com
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1 75.75.75.75 75.75.76.76
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-19 20:52
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3512)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
Completion time: 2013-03-19 20:54:00
ComboFix-quarantined-files.txt 2013-03-20 02:53
ComboFix2.txt 2013-03-19 01:17
.
Pre-Run: 44,271,177,728 bytes free
Post-Run: 43,912,740,864 bytes free
.
- - End Of File - - D46C5D9914EFC67AB3295769FC231F80
ComboFix 13-03-19.01 - Robert 03/19/2013 20:44:42.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1791.893 [GMT -6:00]
Running from: c:\users\Robert\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2013-02-20 to 2013-03-20 )))))))))))))))))))))))))))))))
.
.
2013-03-20 02:52 . 2013-03-20 02:52--------d-----w-c:\users\Robert\AppData\Local\temp
2013-03-20 02:52 . 2013-03-20 02:52--------d-----w-c:\windows\system32\config\systemprofile\AppData\Local\temp
2013-03-20 02:52 . 2013-03-20 02:52--------d-----w-c:\users\QBDataServiceUser20\AppData\Local\temp
2013-03-20 02:52 . 2013-03-20 02:52--------d-----w-c:\users\QBDataServiceUser19\AppData\Local\temp
2013-03-20 02:52 . 2013-03-20 02:52--------d-----w-c:\users\Default\AppData\Local\temp
2013-03-20 01:23 . 2013-03-15 07:217108640----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{39579FD8-4700-434E-B911-D8E280EB94E5}\mpengine.dll
2013-03-19 20:38 . 2013-03-19 20:38--------d-----w-c:\program files\ESET
2013-03-19 20:12 . 2013-03-19 20:12--------d-----w-C:\_OTL
2013-03-19 17:59 . 2013-02-07 22:456954968----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-03-19 14:13 . 2013-03-19 14:13--------d-----w-c:\windows\ERUNT
2013-03-19 14:13 . 2013-03-19 14:13--------d-----w-C:\JRT
2013-03-18 21:49 . 2013-03-18 21:49--------d-----w-c:\program files\7-Zip
2013-03-18 21:31 . 2013-03-18 21:31--------d-----w-c:\users\Robert\CD95F661A5C444F5A6AAECDD91C240CC.TMP
2013-03-17 18:34 . 2013-03-17 18:32740840------w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{86F08306-FA33-40DC-BB0A-8A5DE89DDE07}\gapaengine.dll
2013-03-17 18:18 . 2013-03-17 18:19--------d-----w-c:\program files\Microsoft Security Client
2013-03-08 13:58 . 2013-03-08 13:5894112----a-w-c:\windows\system32\WindowsAccessBridge.dll
2013-02-27 11:05 . 2013-02-27 11:05--------d-----w-c:\windows\system32\config\systemprofile\AppData\Local\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-08 13:58 . 2012-05-20 19:20861088----a-w-c:\windows\system32\npdeployJava1.dll
2013-03-08 13:58 . 2010-05-01 20:26782240----a-w-c:\windows\system32\deployJava1.dll
2013-01-30 10:53 . 2010-06-12 22:41232336------w-c:\windows\system32\MpSigStub.exe
2013-01-28 20:02 . 2013-01-28 20:025113072----a-w-c:\windows\uninst.exe
2013-01-20 21:59 . 2013-01-20 21:59195296----a-w-c:\windows\system32\drivers\MpFilter.sys
2013-01-20 21:59 . 2013-01-20 21:59100328----a-w-c:\windows\system32\drivers\NisDrvWFP.sys
2013-01-05 05:26 . 2013-02-13 08:303550072----a-w-c:\windows\system32\ntoskrnl.exe
2013-01-05 05:26 . 2013-02-13 08:303602808----a-w-c:\windows\system32\ntkrnlpa.exe
2013-01-04 11:28 . 2013-02-13 08:30914792----a-w-c:\windows\system32\drivers\tcpip.sys
2013-01-04 01:55 . 2013-02-13 08:3031232----a-w-c:\windows\system32\drivers\tcpipreg.sys
2013-01-04 01:38 . 2013-02-13 08:302048512----a-w-c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 10:0039472----a-w-c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Robert^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-02-02 18:051261568----a-w-c:\program files\Acer Assist\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Empowering Technology Monitor]
2008-01-10 02:43326176----a-w-c:\acer\Empowering Technology\SysMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2007-10-15 20:433387392----a-w-c:\program files\Acer Registration\ACE1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-03 07:35946352----a-w-c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-12-18 14:2838112----a-w-c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-11-28 21:1359280----a-w-c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BkupTray]
2008-01-23 20:3334552----a-w-c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-04-04 01:501603152----a-w-c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-05-15 01:01644696----a-w-c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-01-03 09:55521776----a-w-c:\acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25125952----a-w-c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-07-08 03:0430192----a-w-c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2011-10-03 10:44161336----a-w-c:\program files\Google\Google Updater\GoogleUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-27 01:3630040----a-w-c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2010-10-19 10:581439496----a-w-c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-12-12 20:57152544----a-w-c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2008-09-17 21:1432768----a-w-c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2013-01-27 17:11947152----a-w-c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2008-12-13 00:06642856----a-w-c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 18:0279400----a-w-c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMMediaSharing]
2008-01-26 02:49204908----a-w-c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 10:12421888----a-w-c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-07-06 03:064669440----a-w-c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
2009-02-03 13:15111856----a-w-c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetPoint]
2005-03-31 23:19434176----a-w-c:\program files\Logitech\SetPoint\SetPoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-06-15 08:451826816----a-w-c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2007-02-02 00:37630784----a-w-c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 15:03210472----a-w-c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 18:3590112----a-w-c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 16:04252848----a-w-c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-07-15 14:5268856----a-w-c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-10-29 17:50296096----a-w-c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:231008184----a-w-c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-11 06:282153472----a-w-c:\windows\System32\oobefldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25202240----a-w-c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
2006-09-20 14:3520480----a-w-c:\windows\System32\spool\drivers\w32x86\3\WrtMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2009-02-03 13:15111856----a-w-c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
2002-11-23 08:15631362----a-w-c:\program files\Logitech\iTouch\iTouch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R4 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonationREG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-03-12 17:201629648----a-w-c:\program files\Google\Chrome\Application\25.0.1364.172\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-18 13:11]
.
2013-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 00:04]
.
2013-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 00:04]
.
2013-03-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4152560199-2736179257-3684623034-1000.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 20:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.yahoo.com
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1 75.75.75.75 75.75.76.76
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-19 20:52
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3512)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
Completion time: 2013-03-19 20:54:00
ComboFix-quarantined-files.txt 2013-03-20 02:53
ComboFix2.txt 2013-03-19 01:17
.
Pre-Run: 44,271,177,728 bytes free
Post-Run: 43,912,740,864 bytes free
.
- - End Of File - - D46C5D9914EFC67AB3295769FC231F80
Kathryn Rowan
Posts: 62 +0
I get the same results after re-running Combofix. Could I rund the program in Safe Mode?
Broni
Posts: 56,041 +517
No. There is nothing malicious there anymore.
Download Windows Repair (All in One) from this site
Install the program then run it.
NOTE 1. In Windows Vista, 7 and 8 right click on the program, click "Run As Administrator".
NOTE 2. Disable your antivirus program before running Windows Repair.
Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:
Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:
Go to Step 4 and under "System Restore" click on Create button:
Go to Start Repairs tab and click Start button.
Leave all checkmarks as they're.
NOTE for Windows 8 users. Reset Registry Permissions is NOT checked by design.
Click on Start button.
Post Windows Repair log (_windows_repair_log.txt) which is located in the following folder:
64-bit systems - C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\Logs
32-bit systems - C:\Program Files\Tweaking.com\Windows Repair (All in One)\Logs
Download Windows Repair (All in One) from this site
Install the program then run it.
NOTE 1. In Windows Vista, 7 and 8 right click on the program, click "Run As Administrator".
NOTE 2. Disable your antivirus program before running Windows Repair.
Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:
Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:
Go to Step 4 and under "System Restore" click on Create button:
Go to Start Repairs tab and click Start button.
Leave all checkmarks as they're.
NOTE for Windows 8 users. Reset Registry Permissions is NOT checked by design.
Click on Start button.
Post Windows Repair log (_windows_repair_log.txt) which is located in the following folder:
64-bit systems - C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\Logs
32-bit systems - C:\Program Files\Tweaking.com\Windows Repair (All in One)\Logs
Kathryn Rowan
Posts: 62 +0
Here's the log from Windows Repair:
Running Repair Under System Account
Running Repair Under System Account
Starting Repairs...
Start (3/20/2013 8:20:24 AM)
Reset Registry Permissions 01/03
HKEY_CURRENT_USER & Sub Keys
Start (3/20/2013 8:20:24 AM)
Running Repair Under Current User Account
Done (3/20/2013 8:20:29 AM)
Reset Registry Permissions 02/03
HKEY_LOCAL_MACHINE & Sub Keys
Start (3/20/2013 8:20:29 AM)
Running Repair Under System Account
Done (3/20/2013 8:24:02 AM)
Reset Registry Permissions 03/03
HKEY_CLASSES_ROOT & Sub Keys
Start (3/20/2013 8:24:02 AM)
Running Repair Under System Account
Done (3/20/2013 8:24:35 AM)
Register System Files
Start (3/20/2013 8:24:35 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:25:08 AM)
Repair WMI
Start (3/20/2013 8:25:08 AM)
Running Repair Under Current User Account
The system cannot find the path specified.
Invalid Global Switch.
Running Repair Under System Account
The system cannot find the path specified.
Invalid Global Switch.
Done (3/20/2013 8:28:32 AM)
Repair Windows Firewall
Start (3/20/2013 8:28:32 AM)
Running Repair Under Current User Account
The Internet Connection Sharing (ICS) service is not started.
More help is available by typing NET HELPMSG 3521.
The Internet Connection Sharing (ICS) service could not be started.
The service did not report an error.
More help is available by typing NET HELPMSG 3534.
Running Repair Under System Account
The Internet Connection Sharing (ICS) service is not started.
More help is available by typing NET HELPMSG 3521.
The Internet Connection Sharing (ICS) service could not be started.
The service did not report an error.
More help is available by typing NET HELPMSG 3534.
Done (3/20/2013 8:29:06 AM)
Repair Internet Explorer
Start (3/20/2013 8:29:06 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:29:24 AM)
Repair MDAC/MS Jet
Start (3/20/2013 8:29:24 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:29:44 AM)
Repair Hosts File
Start (3/20/2013 8:29:44 AM)
Running Repair Under System Account
Done (3/20/2013 8:29:46 AM)
Remove Policies Set By Infections
Start (3/20/2013 8:29:46 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:29:51 AM)
Repair Icons
Start (3/20/2013 8:29:51 AM)
Running Repair Under System Account
Could Not Find C:\Users\Robert\AppData\Local\IconCache.db.bak
Could Not Find C:\Users\Robert\AppData\Local\IconCache.db
Done (3/20/2013 8:29:53 AM)
Repair Winsock & DNS Cache
Start (3/20/2013 8:29:53 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:30:02 AM)
Repair Proxy Settings
Start (3/20/2013 8:30:02 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:30:06 AM)
Repair Windows Updates
Start (3/20/2013 8:30:06 AM)
Running Repair Under Current User Account
The Background Intelligent Transfer Service service is not started.
More help is available by typing NET HELPMSG 3521.
The Windows Update service is not started.
More help is available by typing NET HELPMSG 3521.
The system cannot find the file specified.
Running Repair Under System Account
The Cryptographic Services service is not started.
More help is available by typing NET HELPMSG 3521.
The Background Intelligent Transfer Service service is not started.
More help is available by typing NET HELPMSG 3521.
The Windows Update service is not started.
More help is available by typing NET HELPMSG 3521.
The system cannot find the file specified.
Done (3/20/2013 8:30:28 AM)
Repair CD/DVD Missing/Not Working
Start (3/20/2013 8:30:28 AM)
Done (3/20/2013 8:30:28 AM)
Repair Volume Shadow Copy Service
Start (3/20/2013 8:30:28 AM)
Running Repair Under Current User Account
The Volume Shadow Copy service is not started.
More help is available by typing NET HELPMSG 3521.
The Microsoft Software Shadow Copy Provider service is not started.
More help is available by typing NET HELPMSG 3521.
Running Repair Under System Account
The Volume Shadow Copy service is not started.
More help is available by typing NET HELPMSG 3521.
The Microsoft Software Shadow Copy Provider service is not started.
More help is available by typing NET HELPMSG 3521.
Done (3/20/2013 8:30:38 AM)
Repair MSI (Windows Installer)
Start (3/20/2013 8:30:38 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:30:47 AM)
Repair bat Association
Start (3/20/2013 8:30:47 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:30:52 AM)
Repair cmd Association
Start (3/20/2013 8:30:52 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:30:57 AM)
Repair com Association
Start (3/20/2013 8:30:57 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:01 AM)
Repair Directory Association
Start (3/20/2013 8:31:02 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:06 AM)
Repair Drive Association
Start (3/20/2013 8:31:06 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:11 AM)
Repair exe Association
Start (3/20/2013 8:31:11 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:16 AM)
Repair Folder Association
Start (3/20/2013 8:31:16 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:20 AM)
Repair inf Association
Start (3/20/2013 8:31:20 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:25 AM)
Repair lnk (Shortcuts) Association
Start (3/20/2013 8:31:25 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:30 AM)
Repair msc Association
Start (3/20/2013 8:31:30 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:35 AM)
Repair reg Association
Start (3/20/2013 8:31:35 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:39 AM)
Repair scr Association
Start (3/20/2013 8:31:39 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:44 AM)
Repair Windows Safe Mode
Start (3/20/2013 8:31:44 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:49 AM)
Repair Print Spooler
Start (3/20/2013 8:31:49 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:32:02 AM)
Restore Important Windows Services
Start (3/20/2013 8:32:02 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:32:06 AM)
Set Windows Services To Default Startup
Start (3/20/2013 8:32:06 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:32:19 AM)
Cleaning up empty logs...
All Selected Repairs Done.
Done (3/20/2013 8:32:19 AM)
Total Repair Time: 00:11:55
...YOU MUST RESTART YOUR SYSTEM...
Running Repair Under System Account
Running Repair Under System Account
Running Repair Under System Account
Starting Repairs...
Start (3/20/2013 8:20:24 AM)
Reset Registry Permissions 01/03
HKEY_CURRENT_USER & Sub Keys
Start (3/20/2013 8:20:24 AM)
Running Repair Under Current User Account
Done (3/20/2013 8:20:29 AM)
Reset Registry Permissions 02/03
HKEY_LOCAL_MACHINE & Sub Keys
Start (3/20/2013 8:20:29 AM)
Running Repair Under System Account
Done (3/20/2013 8:24:02 AM)
Reset Registry Permissions 03/03
HKEY_CLASSES_ROOT & Sub Keys
Start (3/20/2013 8:24:02 AM)
Running Repair Under System Account
Done (3/20/2013 8:24:35 AM)
Register System Files
Start (3/20/2013 8:24:35 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:25:08 AM)
Repair WMI
Start (3/20/2013 8:25:08 AM)
Running Repair Under Current User Account
The system cannot find the path specified.
Invalid Global Switch.
Running Repair Under System Account
The system cannot find the path specified.
Invalid Global Switch.
Done (3/20/2013 8:28:32 AM)
Repair Windows Firewall
Start (3/20/2013 8:28:32 AM)
Running Repair Under Current User Account
The Internet Connection Sharing (ICS) service is not started.
More help is available by typing NET HELPMSG 3521.
The Internet Connection Sharing (ICS) service could not be started.
The service did not report an error.
More help is available by typing NET HELPMSG 3534.
Running Repair Under System Account
The Internet Connection Sharing (ICS) service is not started.
More help is available by typing NET HELPMSG 3521.
The Internet Connection Sharing (ICS) service could not be started.
The service did not report an error.
More help is available by typing NET HELPMSG 3534.
Done (3/20/2013 8:29:06 AM)
Repair Internet Explorer
Start (3/20/2013 8:29:06 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:29:24 AM)
Repair MDAC/MS Jet
Start (3/20/2013 8:29:24 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:29:44 AM)
Repair Hosts File
Start (3/20/2013 8:29:44 AM)
Running Repair Under System Account
Done (3/20/2013 8:29:46 AM)
Remove Policies Set By Infections
Start (3/20/2013 8:29:46 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:29:51 AM)
Repair Icons
Start (3/20/2013 8:29:51 AM)
Running Repair Under System Account
Could Not Find C:\Users\Robert\AppData\Local\IconCache.db.bak
Could Not Find C:\Users\Robert\AppData\Local\IconCache.db
Done (3/20/2013 8:29:53 AM)
Repair Winsock & DNS Cache
Start (3/20/2013 8:29:53 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:30:02 AM)
Repair Proxy Settings
Start (3/20/2013 8:30:02 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:30:06 AM)
Repair Windows Updates
Start (3/20/2013 8:30:06 AM)
Running Repair Under Current User Account
The Background Intelligent Transfer Service service is not started.
More help is available by typing NET HELPMSG 3521.
The Windows Update service is not started.
More help is available by typing NET HELPMSG 3521.
The system cannot find the file specified.
Running Repair Under System Account
The Cryptographic Services service is not started.
More help is available by typing NET HELPMSG 3521.
The Background Intelligent Transfer Service service is not started.
More help is available by typing NET HELPMSG 3521.
The Windows Update service is not started.
More help is available by typing NET HELPMSG 3521.
The system cannot find the file specified.
Done (3/20/2013 8:30:28 AM)
Repair CD/DVD Missing/Not Working
Start (3/20/2013 8:30:28 AM)
Done (3/20/2013 8:30:28 AM)
Repair Volume Shadow Copy Service
Start (3/20/2013 8:30:28 AM)
Running Repair Under Current User Account
The Volume Shadow Copy service is not started.
More help is available by typing NET HELPMSG 3521.
The Microsoft Software Shadow Copy Provider service is not started.
More help is available by typing NET HELPMSG 3521.
Running Repair Under System Account
The Volume Shadow Copy service is not started.
More help is available by typing NET HELPMSG 3521.
The Microsoft Software Shadow Copy Provider service is not started.
More help is available by typing NET HELPMSG 3521.
Done (3/20/2013 8:30:38 AM)
Repair MSI (Windows Installer)
Start (3/20/2013 8:30:38 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:30:47 AM)
Repair bat Association
Start (3/20/2013 8:30:47 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:30:52 AM)
Repair cmd Association
Start (3/20/2013 8:30:52 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:30:57 AM)
Repair com Association
Start (3/20/2013 8:30:57 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:01 AM)
Repair Directory Association
Start (3/20/2013 8:31:02 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:06 AM)
Repair Drive Association
Start (3/20/2013 8:31:06 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:11 AM)
Repair exe Association
Start (3/20/2013 8:31:11 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:16 AM)
Repair Folder Association
Start (3/20/2013 8:31:16 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:20 AM)
Repair inf Association
Start (3/20/2013 8:31:20 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:25 AM)
Repair lnk (Shortcuts) Association
Start (3/20/2013 8:31:25 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:30 AM)
Repair msc Association
Start (3/20/2013 8:31:30 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:35 AM)
Repair reg Association
Start (3/20/2013 8:31:35 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:39 AM)
Repair scr Association
Start (3/20/2013 8:31:39 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:44 AM)
Repair Windows Safe Mode
Start (3/20/2013 8:31:44 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:31:49 AM)
Repair Print Spooler
Start (3/20/2013 8:31:49 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:32:02 AM)
Restore Important Windows Services
Start (3/20/2013 8:32:02 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:32:06 AM)
Set Windows Services To Default Startup
Start (3/20/2013 8:32:06 AM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (3/20/2013 8:32:19 AM)
Cleaning up empty logs...
All Selected Repairs Done.
Done (3/20/2013 8:32:19 AM)
Total Repair Time: 00:11:55
...YOU MUST RESTART YOUR SYSTEM...
Running Repair Under System Account
Kathryn Rowan
Posts: 62 +0
Problem seems to be solved. Any idea what the problem was?
Kathryn Rowan
Posts: 62 +0
BTW - I just made a donation. This is the second time you have helped me and I really appreciate it. Sorry I couldn't donate more but we are really tight on money as I do not currently have a job. Thanks for your help!
Kathryn Rowan
Posts: 62 +0
Where do I find the Security Check log?
Kathryn Rowan
Posts: 62 +0
Here's the report from Security Check. I know I did run it before, I guess the report didn't get posted in my reply.
Results of screen317's Security Check version 0.99.61
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Secunia PSI (3.0.0.6001)
Malwarebytes Anti-Malware version 1.70.0.1100
CCleaner
Java 7 Update 17
Adobe Reader 8 Adobe Reader out of Date!
Adobe Reader 10.1.6 Adobe Reader out of Date!
Google Chrome 25.0.1364.152
Google Chrome 25.0.1364.172
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 6 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
Results of screen317's Security Check version 0.99.61
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Secunia PSI (3.0.0.6001)
Malwarebytes Anti-Malware version 1.70.0.1100
CCleaner
Java 7 Update 17
Adobe Reader 8 Adobe Reader out of Date!
Adobe Reader 10.1.6 Adobe Reader out of Date!
Google Chrome 25.0.1364.152
Google Chrome 25.0.1364.172
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 6 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
Broni
Posts: 56,041 +517
You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions (if present).
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.
=============================
1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following:
Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Post resulting log.
2. Now, we'll remove all tools, we used during our cleaning process
Clean up with OTL:
- Double-click OTL.exe to start the program.
- Close all other programs apart from OTL as this step will require a reboot
- On the OTL main screen, press the CLEANUP button
- Say Yes to the prompt and then allow the program to reboot your computer.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
3. Make sure, Windows Updates are current.
4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!
5. Check if your browser plugins are up to date.
Firefox - https://www.mozilla.org/en-US/plugincheck/
other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)
6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.
7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.
8. Run Temporary File Cleaner (TFC) weekly.
9. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.
10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.
11. (Windows XP only) Run defrag at your convenience.
12. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.
13. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
14. Please, let me know, how your computer is doing.
Kathryn Rowan
Posts: 62 +0
Here's the report from the OTL Scan:
All processes killed
========== OTL ==========
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Public
->Temp folder emptied: 0 bytes
User: QBDataServiceUser18
->Temp folder emptied: 0 bytes
User: QBDataServiceUser19
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: QBDataServiceUser20
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Robert
->Temp folder emptied: 26767970 bytes
->Temporary Internet Files folder emptied: 58901821 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 12587665 bytes
->Flash cache emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 540594 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 94.00 mb
[EMPTYFLASH]
User: All Users
User: Default
->Flash cache emptied: 0 bytes
User: Default User
->Flash cache emptied: 0 bytes
User: Public
User: QBDataServiceUser18
User: QBDataServiceUser19
User: QBDataServiceUser20
User: Robert
->Flash cache emptied: 0 bytes
Total Flash Files Cleaned = 0.00 mb
[EMPTYJAVA]
User: All Users
User: Default
User: Default User
User: Public
User: QBDataServiceUser18
User: QBDataServiceUser19
User: QBDataServiceUser20
User: Robert
->Java cache emptied: 0 bytes
Total Java Files Cleaned = 0.00 mb
Restore point Set: OTL Restore Point
OTL by OldTimer - Version 3.2.69.0 log created on 03202013_195459
Files\Folders moved on Reboot...
File\Folder C:\Windows\temp\TMP0000003A245FAFFB14583405 not found!
PendingFileRenameOperations files...
Registry entries deleted on Reboot...
All processes killed
========== OTL ==========
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Public
->Temp folder emptied: 0 bytes
User: QBDataServiceUser18
->Temp folder emptied: 0 bytes
User: QBDataServiceUser19
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: QBDataServiceUser20
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Robert
->Temp folder emptied: 26767970 bytes
->Temporary Internet Files folder emptied: 58901821 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 12587665 bytes
->Flash cache emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 540594 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 94.00 mb
[EMPTYFLASH]
User: All Users
User: Default
->Flash cache emptied: 0 bytes
User: Default User
->Flash cache emptied: 0 bytes
User: Public
User: QBDataServiceUser18
User: QBDataServiceUser19
User: QBDataServiceUser20
User: Robert
->Flash cache emptied: 0 bytes
Total Flash Files Cleaned = 0.00 mb
[EMPTYJAVA]
User: All Users
User: Default
User: Default User
User: Public
User: QBDataServiceUser18
User: QBDataServiceUser19
User: QBDataServiceUser20
User: Robert
->Java cache emptied: 0 bytes
Total Java Files Cleaned = 0.00 mb
Restore point Set: OTL Restore Point
OTL by OldTimer - Version 3.2.69.0 log created on 03202013_195459
Files\Folders moved on Reboot...
File\Folder C:\Windows\temp\TMP0000003A245FAFFB14583405 not found!
PendingFileRenameOperations files...
Registry entries deleted on Reboot...
Kathryn Rowan
Posts: 62 +0
Just wanted to follow up. Our computer seems to be working fine but I am having problems with Secunia PSI. It gets hung up when trying to update some software. Any thoughts on this?
Broni
Posts: 56,041 +517
Way to go!!
Good luck and stay safe
I suggest asking your question at Secunia forum: http://secunia.com/community/forum/all_threads/
Good luck and stay safe
I suggest asking your question at Secunia forum: http://secunia.com/community/forum/all_threads/
Similar threads
Latest posts
-
Woman divorces husband after ChatGPT reads his coffee grounds and predicts affair- themastergoose replied