Hi All (and maybe especially Broni, who seems experienced in this regard),
I got the System Care Antivirus virus about a week ago.
I searched the web, found advice to start Windows (Vista) in safe mode, then run Malwarebytes (MB). I was able to do this, and it detected "Trojan.FakeAlert.SSGen" which MB quarantined and deleted.
I then also ran Microsoft Security Essentials (MSE) which turned up clean.
By this point, all annoying pop-ups from System Care (saying I am infected, etc.) had stopped. So things seemed okay EXCEPT that System Care AntiVirus is still listed under "All Programs", i.e., the list you get when you press the "Windows key" and then click "All Programs". (Interestingly, however, it is NOT listed in the file folder C:\Programs, NOR is it listed in Control Panel Add/Remove Programs).
I, of course, didn't like the fact that System Care Antivirus is listed there in the Windows Key/All Programs list. I also don't understand if the program is actually physically installed on my machine, or if this is some kind of "illusion" of installation that it puts up.
I searched the web for help. The most useful-looking advice was on this website (from Broni). I ran all of the diagnostics he suggested in normal mode. None of them turned up anything.
1. Malwarebytes
2. DDS
3. RogueKiller
4. MB AntiRootkit
5. ComboFix
Am I safe? How do I get that System Care Antivirus thing off my windows key/all programs list?
All logs are reproduced below. Thanks for any help anyone can give.
Best,
Dave
******* INITIAL MALWAREBYTES LOG **********
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
Database version: v2013.05.06.04
Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 7.0.6002.18005
Dave :: KING-PC [limited]
06-05-2013 13:49:05
mbam-log-2013-05-06 (13-49-05).txt
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 418813
Time elapsed: 1 hour(s), 5 minute(s), 48 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|E0DDD48BC0B2EDDB0000E0DCF3B2F200 (Trojan.FakeAlert.SSGen) -> Data: C:\ProgramData\E0DDD48BC0B2EDDB0000E0DCF3B2F200\E0DDD48BC0B2EDDB0000E0DCF3B2F200.exe -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\ProgramData\E0DDD48BC0B2EDDB0000E0DCF3B2F200\E0DDD48BC0B2EDDB0000E0DCF3B2F200.exe (Trojan.FakeAlert.SSGen) -> Quarantined and deleted successfully.
(end)
************** DDS LOG **********************
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 10.7.2
Run by King at 9:52:36 on 2013-05-07
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.45.1030.18.2814.1873 [GMT 2:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Acer\Empowering Technology\SysMonitor.exe
C:\Program Files\Acer\Empowering Technology\Framework.Launcher.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\USB_video_device\Driver\Driver32\emmon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://eu.ask.com?o=15780&l=dis
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0406&s=1&o=vb32&d=0309&m=aspire_m1201
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0406&s=1&o=vb32&d=0309&m=aspire_m1201
mDefault_Page_URL = hxxp://da.intl.acer.yahoo.com
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\ask.com\GenericAskToolbar.dll
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\YT.DLL
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: ShowBarObj Class: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: CocoonSoftware Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Acer eDataSecurity Management: {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\YT.DLL
TB: CocoonSoftware Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [Acer Empowering Technology Monitor] c:\program files\acer\empowering technology\SysMonitor.exe
mRun: [EmpoweringTechnology] c:\program files\acer\empowering technology\Framework.Launcher.exe boot
mRun: [eDataSecurity Loader] c:\program files\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [eRecoveryService] <no file>
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-unins...VWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNTExNDQyMTc0LUJBKzEtS1YzKzctWEwrMS1UNC1GUDkrNi1OMUYrMS1CQVI5RysxLVRCOSsyLUZMKzktRjlNN0IrNS1RSVgxKzMtWDIwMTArMg"&"prod=90"&"ver=10.0.1170
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\programdata\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript
mRunOnce: [1] c:\program files\malwarebytes' anti-malware\chameleon\mbam-chameleon.exe /r /p
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\emmon.lnk - c:\program files\usb_video_device\driver\driver32\emmon.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&ksporter til Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Free YouTube to MP3 Converter - c:\users\king\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 87.72.130.2 87.72.22.66
TCP: Interfaces\{12269A03-2A26-4544-8560-CC4EB90E32A4} : DHCPNameServer = 87.72.130.2 87.72.22.66
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
AppInit_DLLs= AVGRSSTX.DLL, c:\progra~1\google\google~2\GOEC62~1.DLL
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\king\appdata\roaming\mozilla\firefox\profiles\wocfmhxm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.dk/
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=CCS&o=15777&locale=en_EU&q=
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1168638.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: !HIDDEN! 2009-09-02 16:22; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - ExtSQL: !HIDDEN! 2010-01-10 00:32; smartwebprinting@hp.com; c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-5-15 24576]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 100328]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-25 45056]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-25 131072]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2012-10-2 3064000]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-1-27 295232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FontCache;Tjenesten Windows-skrifttypecache;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-2-28 161384]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-5-20 30576]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2011-8-17 137472]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2011-8-17 8576]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2013-05-06 10:58:50 -------- d-----w- c:\programdata\E0DDD48BC0B2EDDB0000E0DCF3B2F200
2013-05-06 02:25:18 6906960 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{9927b571-d052-49cd-a48f-f62bfec52ce4}\mpengine.dll
2013-05-05 07:59:51 6906960 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-04-23 22:56:38 706640 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{28a5b42d-e66a-49d3-902f-279cdca8f514}\gapaengine.dll
.
==================== Find3M ====================
.
2013-05-02 15:28:50 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-03-11 13:25:50 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-11 13:25:50 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-09 03:45:04 49152 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-09 01:28:08 64000 ----a-w- c:\windows\system32\smss.exe
2013-03-08 03:53:50 376320 ----a-w- c:\windows\system32\winsrv.dll
2013-03-08 03:52:22 2067968 ----a-w- c:\windows\system32\mstscax.dll
2013-03-05 01:40:56 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-03-03 19:07:52 1082232 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-02-21 03:53:09 834048 ----a-w- c:\windows\system32\wininet.dll
2013-02-21 02:14:29 389632 ----a-w- c:\windows\system32\html.iec
2013-02-21 01:49:31 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2013-02-12 01:57:27 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
.
============= FINISH: 9:53:59,34 ===============
*********** ROGUE KILLER LOG ***********
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : King [Admin rights]
Mode : Remove -- Date : 05/07/2013 10:20:28
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][ROGUE ST] HKLM\[...]\RunOnce : 1 (C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe /r /p) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[SCREENSV][SUSP PATH] HKCU\[...]\Desktop (C:\Windows\Acer(Wide).scr) [-] -> REPLACED (C:\Windows\system32\logon.scr)
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
::1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD3200AAJS-00B4A0 ATA Device +++++
--- User ---
[MBR] ed53baffc098644bca4166351a4a17fd
[BSP] 61f1476c52b384f3c9bb9ad15510b116 : Acer MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 15000 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30722048 | Size: 116116 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 268527616 | Size: 174127 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[2]_D_05072013_02d1020.txt >>
RKreport[1]_S_05072013_02d1014.txt ; RKreport[2]_D_05072013_02d1020.txt
*************** MB ANTI ROOTKIT LOG ***************
Malwarebytes Anti-rootkit BET v1.05.0.1001
Cleanup:
Congratulations. No cleanup is required!
Scan Finished. No malware found.
NOTE: When I first double-clicked on the MBAR exe file, I got this message: "PROBABLE ROOTKIT ACTIVITY DETECTED. Registry value "AppInit_Dlls" has been found, which may be caused by rootkit activity." I then had a Yes / No choice to remove it now or not. It said if you click NO, the scan may stall, in which case you should start over and click YES: I clicked NO.
Had all scans checked, i.e., drivers, sectors, system.
Took about an hour to run.
******************* COMBOFIX LOG *********************
NOTE: Parts of this might look a bit strange because it is google-translated from Danish to English.
ComboFix 13-05-07.01 - King 07-05-2013 12:33:33.1.2 - x86
Microsoft ® Windows Vista ™ Home Basic 6.0.6002.2.1252.45.1030.18.2814.1615 [GMT 2:00]
Running from: c: \ users \ Dave \ Desktop \ ComboFix.exe
AV: Microsoft Security Essentials * Disabled / Updated * {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials * Disabled / Updated * {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender * Disabled / Outdated * {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((Other Deletions)))))) )))))))))))))))))))))))))))))))))))))))))))
.
.
c: \ users \ Dave \ AppData \ Roaming \. #
c: \ windows \ system32 \ system
c: \ windows \ wininit.ini
.
.
(((((((((((((((((((((((((((((Files Created from 2013-04-07 to 2013-05-07))))))) ))))))))))))))))))))))))))))
.
.
2013-05-07 10:41. 2013-05-07 10:41 -------- d ----- w-c: \ users \ Default \ AppData \ Local \ Temp
2013-05-07 10:41. 2013-05-07 10:41 -------- d ----- w-c: \ users \ King \ AppData \ Local \ Temp
2013-05-07 08:12. 2013-05-07 08:12 29904 ---- aw-c: \ Application Data \ Microsoft \ Microsoft Antimalware \ Definition Updates \ {F3198FF6-D21C-4D0E-B27E-A5336E2BD9A1} \ MpKsl48d1381e.sys
2013-05-07 07:59. 2013-04-10 03:08 6906960 ---- aw-c: \ Application Data \ Microsoft \ Microsoft Antimalware \ Definition Updates \ {F3198FF6-D21C-4D0E-B27E-A5336E2BD9A1} \ mpengine.dll
2013-05-06 10:58. 2013-05-06 11:05 -------- d ----- w-c: \ application data \ E0DDD48BC0B2EDDB0000E0DCF3B2F200
2013-05-06 02:25. 2013-04-10 03:08 6906960 ---- aw-c: \ Application Data \ Microsoft \ Microsoft Antimalware \ Definition Updates \ Backup \ mpengine.dll
2013-04-23 22:56. 2013-04-23 22:55 706640 ------ w-c: \ Application Data \ Microsoft \ Microsoft Antimalware \ Definition Updates \ {28A5B42D-E66A-49D3-902F-279CDCA8F514} \ gapaengine.dll
2013-04-10 19:42. 2013-04-10 19:42 -------- d ----- w-c: \ program files \ Common Files \ Skype
.
.
.
((((((((((((((((((((((((((((((((((((((((Find3M Report)))))))) ))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-02 15:28. 2009-10-03 08:27 238872 ------ w-c: \ windows \ system32 \ MpSigStub.exe
2013-02-12 01:57. 2013-03-21 17:55 15872 ---- aw c: \ windows \ system32 \ drivers \ usb8023.sys
2012-07-14 00:17. 2011-06-29 09:14 136672 ---- aw-c: \ program files \ mozilla firefox \ components \ browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((Reg Loading Points))))))))) )))))))))))))))))))))))))))))))))))))))
.
.
* Note * empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER \ Software \ Microsoft \ Internet Explorer \ URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}" = "c: \ program files \ Ask.com \ GenericAskToolbar.dll" [2010-02-04 1197448]
.
[HKEY_CLASSES_ROOT \ clsid \ {00000000-6e41-4fd3-8538-502f5495e5fc}]
.
@ = "{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT \ CLSID \ {30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-29 16:52 121392 ---- aw-c: \ program files \ Acer \ Empowering Technology \ eDataSecurity \ x86 \ PSDProtect.dll
.
[HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run]
"Windows Welcome Center" = "Oobefldr.dll" [2009-04-11 2153472]
.
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run]
"Acer Empowering Technology Monitor" = "c: \ program files \ Acer \ Empowering Technology \ SysMonitor.exe" [2008-06-02 319488]
"EmpoweringTechnology" = "c: \ program files \ Acer \ Empowering Technology \ Framework.Launcher.exe" [2008-06-02 319488]
"EDataSecurity Loader" = "c: \ program files \ Acer \ Empowering Technology \ eDataSecurity \ x86 \ eDSloader.exe" [2008-07-29 526896]
"LanguageShortcut" = "c: \ program files \ CyberLink \ PowerDVD \ Language \ Language.exe" [2007-01-08 52256]
"RtHDVCpl" = "RtHDVCpl.exe" [2008-05-20 6144000]
"Skytel" = "Skytel.exe" [2007-11-20 1826816]
"StartCCC" = "c: \ program files \ ATI Technologies \ ATI.ACE \ Core-Static \ CLIStart.exe" [2008-01-21 61440]
"WarReg_PopUp" = "c: \ acer \ WR_PopUp \ WarReg_PopUp.exe" [2006-11-05 57344]
"Groove Monitor" = "c: \ program files \ Microsoft Office \ Office12 \ GrooveMonitor.exe" [2009-02-26 30040]
"LifeCam" = "c: \ program files \ Microsoft LifeCam \ LifeExp.exe" [2010-05-20 119152]
"Adobe Reader Speed ??Launcher" = "c: \ program files \ Adobe \ Reader 8.0 \ Reader \ Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM" = "c: \ program files \ Common Files \ Adobe \ ARM \ 1.0 \ Adobearm.exe" [2011-03-29 937920]
"HP Software Update" = "c: \ program files \ HP \ HP Software Update \ HPWuSchd2.exe" [2008-03-25 49152]
"MSC" = "c: \ program files \ Microsoft Security Client \ msseces.exe" [2013-01-27 947152]
"APSDaemon" = "c: \ program files \ Common Files \ Apple \ Apple Application Support \ APSDaemon.exe" [2012-10-11 59280]
"SunJavaUpdateSched" = "c: \ program files \ Common Files \ Java \ Java Update \ jusched.exe" [2012-07-03 252848]
"BkupTray" = "c: \ program files \ NewTech Infosystems \ NTI Backup Now 5 \ BkupTray.exe" [2008-04-25 28672]
"QuickTime Task" = "c: \ program files \ QuickTime \ qttask.exe" [2012-10-25 421888]
.
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ RunOnce]
"AvgUninstallURL" = "start [?]
"Malwarebytes Anti-Malware (cleanup)" = "c: \ Application Data \ Malwarebytes \ Malwarebytes' Anti-Malware \ cleanup.dll" [2012-12-14 1091432]
"Z1" = "c: \ users \ Dave \ Desktop \ wow \ 4 MB Antirootkit \ mbar-1.05.0.1001 \ mbar \ mbar.exe" [2013-05-07 1398856]
.
c: \ users \ Dave \ AppData \ Roaming \ Microsoft \ Windows \ Start Menu \ Programs \ Startup \
Screen Clipper and Launcher to OneNote 2007.lnk - c: \ program files \ Microsoft Office \ Office12 \ ONENOTEM.EXE [2009-2-26 97680]
.
c: \ Application Data \ Microsoft \ Windows \ Start Menu \ Programs \ Startup \
emMon.lnk - c: \ program files \ USB_video_device \ Driver \ Driver32 \ emmon.exe [2013-4-1 81408]
.
[HKEY_LOCAL_MACHINE \ software \ microsoft \ windows \ current version \ policies \ system]
"EnableUIADesktopToggle" = 0 (0x0)
.
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ MsMpSvc]
@ = "Service"
.
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ WudfSvc]
@ = "Service"
.
[HKLM \ ~ \ startupfolder \ C: ^ ProgramData ^ Microsoft ^ Windows ^ Start Menu ^ Programs ^ Startup ^ HP Digital Imaging Monitor.lnk]
path = c: \ Application Data \ Microsoft \ Windows \ Start Menu \ Programs \ Startup \ HP Digital Imaging Monitor.lnk
backup = c: \ windows \ pss \ HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension =. CommonStartup
.
[HKEY_LOCAL_MACHINE \ software \ microsoft \ shared tools \ msconfig \ startupreg \ Malwarebytes Anti-Malware (reboot)]
2012-12-14 15:49 824232 ---- aw-c: \ program files \ Malwarebytes' Anti-Malware \ mbam.exe
.
[HKEY_LOCAL_MACHINE \ software \ microsoft \ shared tools \ msconfig \ startupreg \ NokiaSuite.exe]
2011-11-01 14:40 1053056 ---- aw-c: \ program files \ Nokia \ Nokia Suite \ NokiaSuite.exe
.
[HKEY_LOCAL_MACHINE \ software \ microsoft \ shared tools \ msconfig \ startupreg \ pamelaPCR.exe]
2011-09-13 20:27 6053888 ---- aw-c: \ program files \ PamelaPCR \ PamelaPCR.exe
.
[HKEY_LOCAL_MACHINE \ software \ microsoft \ shared tools \ msconfig \ startupreg \ Remote Control]
2007-01-08 20:26 68640 ---- aw-c: \ program files \ CyberLink \ PowerDVD \ PDVDServ.exe
.
[HKEY_LOCAL_MACHINE \ software \ microsoft \ shared tools \ msconfig \ startupreg \ Skype]
2013-02-28 16:50 18642024 ---- ar-c: \ program files \ Skype \ Phone \ skype.exe
.
[HKEY_LOCAL_MACHINE \ software \ microsoft \ security center \ Monitoring \ McAfeeAntiSpyware]
"DisableMonitoring" = dword: 00000001
.
--- Other Services / Drivers In Memory ---
.
* NewlyCreated * - MPKSL48D1381E
* NewlyCreated * - TRUE SIGHT
* Deregistered * - True Sight
.
[HKEY_LOCAL_MACHINE \ software \ microsoft \ windows nt \ current version \ svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE Mpssvc
HPZ12 REG_MULTI_SZ PML Driver HPZ12 Net Driver HPZ12
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ font cache
hpdevmgmt REG_MULTI_SZ Hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks'
.
2013-05-07 c: \ windows \ Tasks \ GoogleUpdateTaskMachineCore.job
- C: \ program files \ Google \ Update \ GoogleUpdate.exe [2010-02-06 23:42]
.
2013-05-07 c: \ windows \ Tasks \ GoogleUpdateTaskMachineUA.job
- C: \ program files \ Google \ Update \ GoogleUpdate.exe [2010-02-06 23:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp :/ / eu.ask.com? o = 15780 & l = dis
mSTART Page = hxxp :/ / homepage.acer.com / rdr.aspx? b = ACAW & l = 0406 & s = 1 & o = vb32 & d = 0309 & m = aspire_m1201
IE: E & xport to Microsoft Excel - c: \ progra ~ 1 \ MICROS ~ 2 \ Office12 \ EXCEL.EXE/3000
IE: Free YouTube to MP3 Converter - c: \ users \ King \ AppData \ Roaming \ DVDVideoSoftIEHelpers \ freeyoutubetomp3converter.htm
TCP: DhcpNameServer = 87.72.130.2 87.72.22.66
FF - ProfilePath - c: \ users \ King \ AppData \ Roaming \ Mozilla \ Firefox \ Profiles \ wocfmhxm.default \
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.dk/
FF - prefs.js: keyword.URL - hxxp :/ / websearch.ask.com / redirect? Client = ff & src = kw & tb = CCS & o = 15777 & locale = en_EU & q =
FF - ExtSQL!: HIDDEN! 2009-09-02 16:22; {20a82645-C095-46ed-80e3-08825760534b} c: \ windows \ Microsoft.NET \ Framework \ v3.5 \ Windows Presentation Foundation \ DotNetAssistantExtension
FF - ExtSQL!: HIDDEN! 2010-01-10 12:32; smartwebprinting@hp.com c: \ program files \ HP \ Digital Imaging \ Smart Web Printing \ MozillaAddOn3
.
---- EMPTY SHORTCUTS REMOVED ----
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
HKCU-Run-RegistryBooster - c: \ program files \ Uniblue \ RegistryBooster \ Launcher.exe
HKLM-Run-eRecoveryService - (no file)
HKLM-Run-hpqSRMon - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
************************************************** ************************
.
CatchMe 0.3.1398 W2K/XP/Vista - rootkit / stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-07 12:41
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autorun ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-05-07 12:43:22
ComboFix-quarantined-files.txt 2013-05-07 10:43
.
Pre-Run: 31,681,634,304 bytes free
Post-Run: 33,528,606,720 bytes free
.
- End Of File - 16C604655B0F7BC3ED0B78A9E315CD7F
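Added example, not from the original post and not code from any of the scanners whose logs are quoted above. It is a PowerShell script for the two questions the post leaves open: whether anything of the rogue is physically left, and where the All Programs entry comes from. It lists Start Menu shortcuts whose target is gone or points into a 32-hex-character folder under ProgramData, Run/RunOnce values that still name such a folder, any such folder still on disk, and the AppInit_DLLs entries that MBAR prompted about. Assumptions: Windows PowerShell 2.0 or later (not preinstalled on Vista) run from an elevated prompt; the All Programs entry is an ordinary .lnk under one of the two Start Menu Programs folders; the 32-hex folder pattern is generalised from the single folder name E0DDD48BC0B2EDDB0000E0DCF3B2F200 in the Malwarebytes and DDS logs. The function names and the -Remove switch are this example's own.

```powershell
# Added example, not part of the original post and not code from Malwarebytes,
# DDS, RogueKiller, MBAR or ComboFix. Reports what a rogue like "System Care
# Antivirus" leaves behind after its .exe is quarantined; -Remove cleans up only
# the items positively tied to the rogue. Assumes Windows PowerShell 2.0+ in an
# elevated prompt. Assumption: the All Programs entry is a plain .lnk, and the
# rogue's folder name is 32 hex characters (generalised from the log's
# E0DDD48BC0B2EDDB0000E0DCF3B2F200).
param([switch]$Remove)

$hexName = '^[A-Fa-f0-9]{32}$'             # bare folder or value name
$hexPath = '\\[A-Fa-f0-9]{32}(\\|$)'        # ...\<32 hex>\... inside a path
$startMenus = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs'),  # this user
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs')   # all users
)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$wsh = New-Object -ComObject WScript.Shell

# Start Menu .lnk files whose target is gone or sits in a 32-hex folder. Both
# Programs folders feed the All Programs list, which is why the entry survives
# even though nothing shows in Control Panel's uninstall list.
function Get-SuspectShortcut {
    foreach ($root in $startMenus) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($lnk in Get-ChildItem -LiteralPath $root -Recurse -Filter *.lnk -ErrorAction SilentlyContinue) {
            [string]$target = $wsh.CreateShortcut($lnk.FullName).TargetPath
            $rogue = $target -match $hexPath
            $dead  = ($target -ne '') -and -not (Test-Path -LiteralPath $target)
            if ($rogue -or $dead) {
                New-Object PSObject -Property @{ Shortcut = $lnk.FullName; Target = $target; Rogue = $rogue }
            }
        }
    }
}

# Run/RunOnce values whose name or data refer to a 32-hex folder; in the
# Malwarebytes log the rogue used the folder name as the value name too.
function Get-SuspectAutostart {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            if ($p.Name -match $hexName -or ([string]$p.Value) -match $hexPath) {
                New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

# AppInit_DLLs is loaded into every process that links user32.dll, so each
# entry is resolved and checked; bare names resolve against System32.
function Get-AppInitDll {
    $key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $val = [string](Get-ItemProperty -Path $key).AppInit_DLLs
    foreach ($dll in ($val -split '[ ,]+' | Where-Object { $_ })) {
        $path = if (Split-Path -Parent $dll) { $dll } else { Join-Path $env:windir "System32\$dll" }
        New-Object PSObject -Property @{ Dll = $dll; Exists = (Test-Path -LiteralPath $path) }
    }
}

$shortcuts  = @(Get-SuspectShortcut)
$autostarts = @(Get-SuspectAutostart)
$leftovers  = @(Get-ChildItem -LiteralPath $env:ProgramData -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.PSIsContainer -and $_.Name -match $hexName })

"Dead or rogue Start Menu shortcuts: $($shortcuts.Count)"
$shortcuts  | Format-Table Rogue, Shortcut, Target -AutoSize
"Run/RunOnce values tied to a 32-hex folder: $($autostarts.Count)"
$autostarts | Format-Table Key, Name, Value -AutoSize
"32-hex folders still under ProgramData: $($leftovers.Count)"
$leftovers  | ForEach-Object { $_.FullName }
"AppInit_DLLs entries (reported only, never edited here):"
Get-AppInitDll | Format-Table Exists, Dll -AutoSize

if ($Remove) {
    foreach ($s in ($shortcuts | Where-Object { $_.Rogue })) {
        Remove-Item -LiteralPath $s.Shortcut -Force
        # The rogue's own Start Menu subfolder is the All Programs entry;
        # remove it once empty, but never a Programs root itself.
        $dir = Split-Path -Parent $s.Shortcut
        if (($startMenus -notcontains $dir) -and -not (Get-ChildItem -LiteralPath $dir -Force)) {
            Remove-Item -LiteralPath $dir -Force
        }
    }
    foreach ($a in $autostarts) { Remove-ItemProperty -Path $a.Key -Name $a.Name }
    foreach ($d in $leftovers)  { Remove-Item -LiteralPath $d.FullName -Recurse -Force }
}
```

Run it once without -Remove and read the tables first. Only shortcuts flagged Rogue, the matching Run/RunOnce values and leftover 32-hex folders under ProgramData are deleted by -Remove; dead shortcuts from ordinary uninstalls are reported but left alone. AppInit_DLLs is deliberately never edited by the script, since every entry there is mapped into every process that loads user32.dll and a wrong edit affects the whole session; a stale entry for an uninstalled product, such as the AVG DLL the logs show alongside the AVG uninstall RunOnce, is best cleared by hand after confirming the file really is gone.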