
Author Topic: Please help - Fake Spy Pro issues  (Read 16650 times)


kristylentz

    Topic Starter


    Rookie

    Please help - Fake Spy Pro issues
    « on: May 27, 2010, 11:16:05 AM »
    Hi there,

    I seem to have a common issue. I got a dodgy popup saying that Fakespypro is infecting my computer and I needed to run scans. I found that whatever this trojan is, it disabled my AVG, IE8 and disconnected my internet temporarily. I managed to get the net up and running and use firefox to google. I stumbled across your instructions and uninstalled AVG. I then proceeded to download Microsoft Security Essentials and ran a scan. I then followed your steps right until the Java update but I get an error saying I don't have the correct Internet Connection Settings.

    Please find my logs below:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 05/28/2010 at 00:21 AM

    Application Version : 4.38.1004

    Core Rules Database Version : 4951
    Trace Rules Database Version: 2763

    Scan type       : Complete Scan
    Total Scan Time : 02:28:19

    Memory items scanned      : 883
    Memory threats detected   : 0
    Registry items scanned    : 7567
    Registry threats detected : 1
    File items scanned        : 131628
    File threats detected     : 0

    Rogue.AntivirusSoft
       HKU\S-1-5-21-3255875977-2652248836-1897435283-1003\Software\avsoft

    -------------------------

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4148

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18904

    28/05/2010 1:03:00 AM
    mbam-log-2010-05-28 (01-03-00).txt

    Scan type: Quick scan
    Objects scanned: 125905
    Time elapsed: 7 minute(s), 48 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rquwgioo (Rogue.SpywareGuard2008) -> Quarantined and deleted successfully.

    -----------

    I wasn't sure if I should proceed onto HijackThis as I had not successfully updated my Java.

    Any assistance would be greatly appreciated. Thank you!

    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Please help - Fake Spy Pro issues
    « Reply #1 on: May 27, 2010, 04:44:33 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    Please download: HiJackThis to your Desktop.
    • Double Click the HijackThis icon, located on your Desktop.
    • By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
    • Accept the license agreement.
    • Click the Open the Misc Tools section button.
    • Place a checkmark beside Calculate MD5 of files if possible. Then, click Back.
    • Click Do a System Scan and Save a Logfile. Or, if you see a white screen, click Scan.
    • Please post the log in your next reply.
    ==============================

    Download ComboFix by sUBs from one of the below links. 

    Important! You MUST save ComboFix to your desktop

    link # 1
    Link # 2

    Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Double click on ComboFix.exe & follow the prompts.

    Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    When the scan completes it will open a text window.
     
    Post the contents of that log in your next reply.

    Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.
    Windows 8 and Windows 10 dual boot with two SSD's

    kristylentz

      Topic Starter


      Rookie

      Re: Please help - Fake Spy Pro issues
      « Reply #2 on: May 28, 2010, 04:51:07 AM »
      Thank you for your help. I ran HijackThis successfully but after I ran ComboFix I can't open anything. Unfortunately I can't post my logs because they are on my laptop but I get the error "illegal operation attempted on a registry key that has been marked for deletion".

      What should I do?

      Thank you.

      kristylentz

        Topic Starter


        Rookie

        Re: Please help - Fake Spy Pro issues
        « Reply #3 on: May 28, 2010, 07:28:11 AM »
        Hi there,
        after restarting I seem to have functionality again... see how long it lasts.

        Here are my logs:
        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 6:29:13 PM, on 28/05/2010
        Platform: Windows Vista SP2 (WinNT 6.00.1906)
        MSIE: Internet Explorer v8.00 (8.00.6001.18904)
        Boot mode: Normal

        Running processes:
        C:\Windows\system32\taskeng.exe
        C:\Windows\system32\Dwm.exe
        C:\Windows\Explorer.EXE
        C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
        C:\Windows\RtHDVCpl.exe
        C:\Program Files\Synaptics\SynTP\SynTPStart.exe
        C:\Windows\PLFSetI.exe
        C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
        C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
        C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
        C:\Users\Kristy\AppData\Local\Temp\RtkBtMnt.exe
        C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        C:\Program Files\Launch Manager\LManager.exe
        C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
        C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
        C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
        C:\Program Files\Winamp\winampa.exe
        C:\Program Files\HP\HP UT\bin\hppusg.exe
        C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
        C:\Program Files\Common Files\Java\Java Update\jusched.exe
        C:\Program Files\iTunes\iTunesHelper.exe
        C:\Program Files\Microsoft Security Essentials\msseces.exe
        C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
        C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
        C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
        C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
        C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
        C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
        C:\Program Files\Mozilla Firefox\firefox.exe
        C:\Windows\system32\wuauclt.exe
        C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.au.acer.yahoo.com
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.au.acer.yahoo.com
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
        O1 - Hosts: ::1 localhost
        O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (filesize 62080 bytes, MD5 C11F6A1F61481E24BE3FDC06EA6F7D2A)
        O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
        O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (filesize 2217848 bytes, MD5 A6B5A41C0ED007AB6C43CAD899E533D8)
        O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (filesize 312368 bytes, MD5 89B108C33A6512A69A5A51A606CF46C4)
        O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (filesize 408440 bytes, MD5 1A82C1B9BB43385695EFC3A84F6756A2)
        O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (filesize 41760 bytes, MD5 1B9245C09E475DC5AA522CAE5809E659)
        O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (filesize 155184 bytes, MD5 F4BA23F29BE72B9EE4AF2E0886AA9776)
        O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
        O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" (filesize 178712 bytes, MD5 EC9B27B37D8E9D361C38E8D364F09611)
        O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe (filesize 4853760 bytes, MD5 811AC69DB60ACB7F7B802434AA3E37E2)
        O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
        O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" (filesize 61440 bytes, MD5 E1E71D80D078C576801B6FE2A29FCF85)
        O4 - HKLM\..\Run: [PLFSetI] C:\Windows\PLFSetI.exe
        O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" (filesize 81920 bytes, MD5 583385D05FCA7A0470C675B90B4CF063)
        O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" (filesize 62760 bytes, MD5 D5529678A1D92D125B43E3C2A308223E)
        O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
        O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
        O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
        O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" (filesize 36352 bytes, MD5 E7DEADB409CD8A4552C91ABF624F138F)
        O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (filesize 39792 bytes, MD5 8B9145D229D4E89D15ACB820D4A3A90F)
        O4 - HKLM\..\Run: [HPUsageTracking] C:\Program Files\HP\HP UT\bin\hppusg.exe "C:\Program Files\HP\HP UT\"
        O4 - HKLM\..\Run: [Skytel] Skytel.exe (filesize 1826816 bytes, MD5 C8612E58FB7FCFA5EEA4E39F7B8CBC17)
        O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" (filesize 31072 bytes, MD5 644795F6985C740F5E36E9336B837D0B)
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" (filesize 248040 bytes, MD5 52DB6CDAC5BC7A1FC884E97C41C91213)
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (filesize 421888 bytes, MD5 ED7A6D40B20DC34BE06F4AE196AE7D50)
        O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (filesize 142120 bytes, MD5 5C02EECA57384E8007B34C985CE0E42A)
        O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey (filesize 1093208 bytes, MD5 5DB28B77A1A75DDDFEED99FB9722C540)
        O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript (filesize 1090952 bytes, MD5 D594EA4AC1C0E4675EF2F0063950ABEF)
        O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (filesize 213936 bytes, MD5 2BAD84B393AF47006D80BA2F03B18029)
        O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
        O4 - HKCU\..\Run: [Google Update] "C:\Users\Kristy\AppData\Local\Google\Update\GoogleUpdate.exe" /c (filesize 133104 bytes, MD5 626A24ED1228580B9518C01930936DF9)
        O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
        O4 - Global Startup: Bluetooth.lnk = ?
        O4 - Global Startup: Empowering Technology Launcher.lnk = ?
        O4 - Global Startup: TMMonitor.lnk = C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe (filesize 258048 bytes, MD5 C603BF026601F5984A115CE07C66A3DA)
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
        O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm (filesize 1199 bytes, MD5 930DD034C9FEE44F7C2AB176441FD2C3)
        O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm (filesize 2758 bytes, MD5 445B66B26F1C80B1BBB1849A58FBD9FE)
        O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll (filesize 603040 bytes, MD5 79F7DB36E67B9E8365FA824AD96DF400)
        O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll (filesize 603040 bytes, MD5 79F7DB36E67B9E8365FA824AD96DF400)
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL (filesize 39464 bytes, MD5 AEF204E782BFA2C8448CB43A58960744)
        O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm (filesize 2758 bytes, MD5 445B66B26F1C80B1BBB1849A58FBD9FE)
        O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm (filesize 2758 bytes, MD5 445B66B26F1C80B1BBB1849A58FBD9FE)
        O13 - Gopher Prefix:
        O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (filesize 178040 bytes, MD5 68747446F9D982938DB6B110F2908271)
        O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
        O23 - Service: McAfee Application Installer Cleanup (0166841249222805) (0166841249222805mcinstcleanup) - Unknown owner - C:\Users\Kristy\AppData\Local\Temp\016684~1.EXE (file missing)
        O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
        O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
        O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
        O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
        O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
        O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
        O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
        O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
        O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
        O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
        O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
        O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
        O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
        O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
        O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
        O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
        O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

        --
        End of file - 13077 bytes

        ------------------------------------------------------

        ComboFix 10-05-27.03 - Kristy 28/05/2010  18:35:49.1.2 - x86
        Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.61.1033.18.3069.1853 [GMT 8:00]
        Running from: c:\users\Kristy\Desktop\ComboFix.exe
        SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
        SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
        .

        (((((((((((((((((((((((((   Files Created from 2010-04-28 to 2010-05-28  )))))))))))))))))))))))))))))))
        .

        2010-05-28 10:32 . 2010-05-28 10:33   --------   d-----w-   C:\32788R22FWJFW
        2010-05-28 10:26 . 2010-05-28 10:26   --------   d-----w-   c:\program files\Trend Micro
        2010-05-27 16:53 . 2010-05-27 16:53   --------   d-----w-   c:\users\Kristy\AppData\Roaming\Malwarebytes
        2010-05-27 16:53 . 2010-04-29 07:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2010-05-27 16:53 . 2010-05-27 16:53   --------   d-----w-   c:\programdata\Malwarebytes
        2010-05-27 16:53 . 2010-05-27 16:53   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2010-05-27 16:53 . 2010-04-29 07:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2010-05-27 16:47 . 2010-05-27 16:47   290560   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{F66B7E85-A39D-1017-AEFA-BC6B89B8B12D}-vrmaqdvtssd.exe
        2010-05-27 13:38 . 2010-05-27 13:38   63488   ----a-w-   c:\users\Kristy\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
        2010-05-27 13:38 . 2010-05-27 13:38   52224   ----a-w-   c:\users\Kristy\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
        2010-05-27 13:38 . 2010-05-27 13:38   117760   ----a-w-   c:\users\Kristy\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
        2010-05-27 13:37 . 2010-05-27 13:37   --------   d-----w-   c:\users\Kristy\AppData\Roaming\SUPERAntiSpyware.com
        2010-05-27 13:37 . 2010-05-27 13:37   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
        2010-05-27 13:37 . 2010-05-27 13:37   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2010-05-27 13:34 . 2010-05-27 13:34   --------   d-----w-   c:\program files\CCleaner
        2010-05-27 13:12 . 2010-05-27 13:12   290560   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{B11EFC17-0FEB-2D4B-EBEE-040B04EC1D88}-vrmaqdvtssd.exe
        2010-05-27 12:58 . 2010-05-27 12:58   --------   d-----w-   c:\program files\Microsoft Security Essentials
        2010-05-27 12:54 . 2010-04-23 14:13   2048   ----a-w-   c:\windows\system32\tzres.dll
        2010-05-26 14:46 . 2010-05-23 09:50   73216   ----a-w-   c:\users\Kristy\AppData\Roaming\Mozilla\Firefox\Profiles\va4xoc4y.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
        2010-05-26 14:46 . 2010-04-18 06:33   172032   ----a-w-   c:\users\Kristy\AppData\Roaming\Mozilla\Firefox\Profiles\va4xoc4y.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\puttygen.exe
        2010-05-26 14:46 . 2010-04-18 06:33   307200   ----a-w-   c:\users\Kristy\AppData\Roaming\Mozilla\Firefox\Profiles\va4xoc4y.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\psftp.exe
        2010-05-26 14:46 . 2010-03-25 13:49   66048   ----a-w-   c:\users\Kristy\AppData\Roaming\Mozilla\Firefox\Profiles\va4xoc4y.default\extensions\[email protected]\platform\WINNT\components\nsTwitterFoxSign.dll
        2010-05-26 14:32 . 2010-05-27 17:03   --------   d-----w-   c:\users\Kristy\AppData\Local\adielkhjv
        2010-05-13 11:38 . 2010-01-29 15:40   738816   ----a-w-   c:\windows\system32\inetcomm.dll
        2010-04-28 13:15 . 2010-04-28 13:15   --------   d-----w-   c:\program files\iPod
        2010-04-28 13:15 . 2010-04-28 13:15   --------   d-----w-   c:\program files\iTunes
        2010-04-28 13:12 . 2010-04-28 13:12   --------   d-----w-   c:\program files\Bonjour
        2010-04-28 13:05 . 2010-04-28 13:05   73000   ----a-w-   c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.11\SetupAdmin.exe

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2010-05-27 17:25 . 2008-05-08 05:53   12   ----a-w-   c:\windows\bthservsdp.dat
        2010-05-27 13:48 . 2008-10-31 11:49   --------   d-----w-   c:\users\Kristy\AppData\Roaming\uTorrent
        2010-05-27 13:46 . 2009-10-10 02:57   --------   d-----w-   c:\program files\pdf995
        2010-05-27 13:45 . 2009-05-21 16:29   --------   d-----w-   c:\program files\Easy Image Share
        2010-05-21 06:14 . 2009-10-03 02:12   221568   ------w-   c:\windows\system32\MpSigStub.exe
        2010-05-14 23:46 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
        2010-05-14 23:46 . 2008-03-26 08:33   --------   d-----w-   c:\programdata\Microsoft Help
        2010-04-28 13:15 . 2008-10-27 04:53   --------   d-----w-   c:\program files\Common Files\Apple
        2010-04-21 14:21 . 2009-08-08 23:46   --------   d-----w-   c:\program files\Safari
        2010-04-19 06:59 . 2010-04-19 06:59   255472   ----a-w-   c:\users\Kristy\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
        2010-04-11 08:41 . 2009-07-12 02:59   --------   d-----w-   c:\users\Kristy\AppData\Roaming\vlc
        2010-04-11 03:12 . 2010-04-11 03:12   --------   d-----w-   c:\users\Kristy\AppData\Roaming\MOVAVI
        2010-04-10 00:24 . 2010-04-10 00:23   --------   d-----w-   c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
        2010-04-10 00:21 . 2010-04-10 00:20   --------   d-----w-   c:\program files\QuickTime
        2010-04-09 23:57 . 2009-10-17 01:29   680   ----a-w-   c:\users\Kristy\AppData\Local\d3d9caps.dat
        2010-04-08 05:20 . 2010-04-08 05:20   91424   ----a-w-   c:\windows\system32\dnssd.dll
        2010-04-08 05:20 . 2010-04-08 05:20   107808   ----a-w-   c:\windows\system32\dns-sd.exe
        2010-04-03 11:55 . 2008-11-04 12:39   --------   d-----w-   c:\program files\Common Files\Java
        2010-04-03 11:51 . 2008-11-02 10:20   --------   d-----w-   c:\program files\Java
        2010-04-03 11:44 . 2010-04-03 07:12   --------   d-----w-   c:\users\Kristy\AppData\Roaming\R-Wipe&Clean
        2010-04-03 11:43 . 2010-04-03 11:43   107352   ----a-w-   c:\users\Kristy\AppData\Local\GDIPFONTCACHEV1.DAT
        2010-04-03 11:23 . 2010-04-03 11:21   --------   d-----w-   c:\programdata\R-Wipe&Clean
        2010-04-03 11:23 . 2010-04-03 07:12   --------   d-----w-   c:\program files\R-Wipe&Clean
        2010-03-24 11:14 . 2008-11-23 03:33   2485883   ----a-w-   c:\programdata\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
        2010-03-21 01:46 . 2010-03-21 01:44   249856   ------w-   c:\windows\Setup1.exe
        2010-03-21 01:46 . 2010-03-21 01:44   73216   ----a-w-   c:\windows\ST6UNST.EXE
        2010-03-08 20:28 . 2008-11-02 10:15   411368   ----a-w-   c:\windows\system32\deploytk.dll
        2010-03-05 14:01 . 2010-04-18 12:46   420352   ----a-w-   c:\windows\system32\vbscript.dll
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
        @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
        [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
        2008-01-03 09:00   39472   ----a-w-   c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-05-16 213936]
        "Google Update"="c:\users\Kristy\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-05-04 133104]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
        "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
        "RtHDVCpl"="RtHDVCpl.exe" [2008-01-08 4853760]
        "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
        "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
        "PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
        "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 81920]
        "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
        "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-01-03 521776]
        "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-01-07 858632]
        "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
        "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
        "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
        "HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2007-05-04 36864]
        "Skytel"="Skytel.exe" [2007-11-21 1826816]
        "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
        "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
        "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
        "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-24 142120]
        "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-20 1093208]
        "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

        c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
        Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-8-29 739880]
        Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-3-26 535336]
        TMMonitor.lnk - c:\program files\ArcSoft\TotalMedia 3.5\TMMonitor.exe [2008-10-27 258048]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
        "EnableUIADesktopToggle"= 0 (0x0)

        [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
        BootExecute   REG_MULTI_SZ      autocheck autochk *\0RwcLkRen c:\windows\system32\RwcLkCfg

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
        @="Service"

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
        @="Service"

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
        "VistaSp2"=hex(b):db,46,71,b0,e5,15,ca,01

        R2 0166841249222805mcinstcleanup;McAfee Application Installer Cleanup (0166841249222805);c:\users\Kristy\AppData\Local\Temp\016684~1.EXE

        R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-07-22 180736]
        R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2007-05-18 28464]
        R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys [2009-06-05 17408]
        R3 uxkx1;ASUS My Cinema U3100 Mini DVBT;c:\windows\system32\DRIVERS\uxkx1.sys [2007-11-21 459264]
        R3 WisINT15;WisINT15;c:\elements\1stboot\WisINT15.SYS

        S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
        S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
        S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
        S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-16 3668480]


        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
        bthsvcs   REG_MULTI_SZ      BthServ
        LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
        .
        Contents of the 'Scheduled Tasks' folder

        2010-05-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3255875977-2652248836-1897435283-1003Core.job
        - c:\users\Kristy\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-04 14:12]

        2010-05-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3255875977-2652248836-1897435283-1003UA.job
        - c:\users\Kristy\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-04 14:12]

        2010-05-28 c:\windows\Tasks\User_Feed_Synchronization-{9E7F521B-14BE-4AFE-A796-2205DDC73E94}.job
        - c:\windows\system32\msfeedssync.exe [2010-03-30 04:54]
        .
        .
        ------- Supplementary Scan -------
        .
        uStart Page = hxxp://www.google.com/
        mStart Page = hxxp://en.au.acer.yahoo.com
        uInternet Settings,ProxyOverride = <local>
        uInternet Settings,ProxyServer = http=127.0.0.1:5555
        uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
        IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
        IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
        IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
        FF - ProfilePath - c:\users\Kristy\AppData\Roaming\Mozilla\Firefox\Profiles\va4xoc4y.default\
        FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/ig?hl=en&source=iglk
        FF - component: c:\users\Kristy\AppData\Roaming\Mozilla\Firefox\Profiles\va4xoc4y.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
        FF - component: c:\users\Kristy\AppData\Roaming\Mozilla\Firefox\Profiles\va4xoc4y.default\extensions\[email protected]\platform\WINNT\components\nsTwitterFoxSign.dll
        FF - plugin: c:\program files\Common-Use Signing Interface\bin\npCsiPlugin.dll
        FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
        FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
        FF - plugin: c:\users\Kristy\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
        FF - plugin: c:\users\Kristy\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
        FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

        ---- FIREFOX POLICIES ----
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
        c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
        c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
        c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
        c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
        .
        - - - - ORPHANS REMOVED - - - -

        WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
        HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe
        HKLM-Run-eRecoveryService - (no file)
        AddRemove-Update Service - c:\program files\Sony Ericsson\Update Service\uninst.exe
        AddRemove-Winamp Toolbar for Firefox - c:\users\Kristy\AppData\Roaming\Mozilla\Firefox\Profiles\va4xoc4y.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\uninstall.exe



        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2010-05-28 18:40
        Windows 6.0.6002 Service Pack 2 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------

        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
        @Denied: (A) (Users)
        @Denied: (A) (Everyone)
        @Allowed: (B 1 2 3 4 5) (S-1-5-20)
        "BlindDial"=dword:00000000

        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
        @Denied: (A) (Users)
        @Denied: (A) (Everyone)
        @Allowed: (B 1 2 3 4 5) (S-1-5-20)
        "BlindDial"=dword:00000000

        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
        @Denied: (A) (Users)
        @Denied: (A) (Everyone)
        @Allowed: (B 1 2 3 4 5) (S-1-5-20)
        "BlindDial"=dword:00000000

        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
        @Denied: (A) (Users)
        @Denied: (A) (Everyone)
        @Allowed: (B 1 2 3 4 5) (S-1-5-20)
        "BlindDial"=dword:00000000
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'Explorer.exe'(5856)
        c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
        c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
        c:\windows\system32\btmmhook.dll
        c:\acer\Empowering Technology\EPOWER\SysHook.dll
        .
        Completion time: 2010-05-28  18:42:45
        ComboFix-quarantined-files.txt  2010-05-28 10:42

        Pre-Run: 64,451,493,888 bytes free
        Post-Run: 63,335,317,504 bytes free

        - - End Of File - - 856645B23B95E7B0963355E8A6C0E228

        ----------------------------------------------------------------

        I seem to have trouble with my internet connection every time I turn on the laptop. The net works momentarily (for a minute or so) and then cuts out until I manually reconnect.... this wasn't an issue before the virus attacked. I thought I would mention it in case that is important.

        Thanks again for your help.

        Kristy

        SuperDave

        • Malware Removal Specialist


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Please help - Fake Spy Pro issues
        « Reply #4 on: May 28, 2010, 09:46:34 AM »
        Quote
        I seem to have trouble with my internet connection every time I turn on the laptop.
        Are you using a wireless connection? Is it possible that you're too far from your router? Have you checked your signal strength, if wireless? Have you tried resetting your modem/router? Disconnect the power supply for at least 30 secs. Also, check all your connections.


        P2P - I see you have P2P software installed on your machine. (uTorrent) We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

        Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

        I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
        =================================

        Open HijackThis and select Do a system scan only

        Place a check mark next to the following entries: (if there)

        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
        O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
        O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
        O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript (filesize 1090952 bytes, MD5 D594EA4AC1C0E4675EF2F0063950ABEF)
        O23 - Service: McAfee Application Installer Cleanup (0166841249222805) (0166841249222805mcinstcleanup) - Unknown owner - C:\Users\Kristy\AppData\Local\Temp\016684~1.EXE (file missing)


        Important: Close all open windows except for HijackThis and then click Fix checked.

        Once completed, exit HijackThis.

        =====================================
        Please go to Jotti's malware scan
        (If more than one file needs to be scanned they must be done separately and logs posted for each one)

        * Copy the file path in the below Code box:

        Code:
        c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{F66B7E85-A39D-1017-AEFA-BC6B89B8B12D}-vrmaqdvtssd.exe
        * At the upload site, click once inside the window next to Browse.
        * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
        * Next click Submit file
        * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
        * This will perform a scan across multiple different virus scanning engines.
        * Important: Wait for all of the scanning engines to complete.
        * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
        =================================

        Re-running ComboFix to remove infections:

        • Close any open browsers.
        • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
        • Open notepad and copy/paste the text in the quotebox below into it:
          Quote
          KillAll::

          DDS::
          uInternet Settings,ProxyServer = http=127.0.0.1:5555

          DirLook::

          C:\32788R22FWJFW
          c:\users\Kristy\AppData\Local\adielkhjv

        • Save this as CFScript.txt, in the same location as ComboFix.exe



        • Referring to the picture above, drag CFScript into ComboFix.exe
        • When finished, it shall produce a log for you at C:\ComboFix.txt
        • Please post the contents of the log in your next reply.

        Windows 8 and Windows 10 dual boot with two SSD's
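
The entries SuperDave asks to have fixed in this reply share a few tell-tale shapes: a ProxyServer value pointing browser traffic at 127.0.0.1:5555 on the user's own machine, BHOs that are registered but show "(no file)", and a service whose binary sits under AppData\Local\Temp and is "(file missing)". The script below is an added example for readers who want to triage a HijackThis log the same way; it is not code from this thread, from the forum, or from Trend Micro. It runs over a constructed sample made from entries posted in this thread and applies only those three checks (the loopback-proxy, orphan-BHO and Temp/missing-binary patterns), so clean entries such as the Google Update Run line are left alone.

```python
"""Triage helper for HijackThis (HJT) log lines (added example, not forum code).

Parses the HJT entry types that appear in this thread (R0/R1, O2, O4, O23)
and flags the patterns the helper singled out: an IE ProxyServer value that
points at the local machine, BHOs with no backing DLL, and autostart or
service binaries that live under a Temp directory or are missing from disk.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the HijackThis entries posted in this thread.
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [Google Update] "C:\Users\Kristy\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O23 - Service: McAfee Application Installer Cleanup (0166841249222805) (0166841249222805mcinstcleanup) - Unknown owner - C:\Users\Kristy\AppData\Local\Temp\016684~1.EXE (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "ProxyServer = http=127.0.0.1:5555" -> capture the host part when it is loopback.
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(127(?:\.\d{1,3}){3}|localhost)(?::\d+)?",
    re.IGNORECASE,
)
# Any path component named "Temp" (e.g. ...\AppData\Local\Temp\...).
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)


@dataclass
class Finding:
    code: str                                   # HJT entry type, e.g. "R1", "O2", "O23"
    line: str                                   # the raw log line
    reasons: List[str] = field(default_factory=list)


def triage_line(raw: str) -> Optional[Finding]:
    """Return a Finding for one HJT log line, or None if nothing looks wrong."""
    line = raw.strip()
    if not line:
        return None
    code = line.split(" ", 1)[0]
    reasons: List[str] = []

    # R0/R1: IE registry settings. A proxy on the local machine with no proxy
    # software installed means something on the host is diverting or blocking
    # browser traffic.
    if code in ("R0", "R1") and "ProxyServer" in line:
        m = LOOPBACK_PROXY.search(line)
        if m:
            reasons.append(f"browser proxy points at the local machine ({m.group(1)})")

    # O2: Browser Helper Objects. A registration whose DLL is gone is an orphan.
    if code == "O2" and line.endswith("(no file)"):
        reasons.append("BHO is registered but its DLL no longer exists (orphan)")

    # O4 (Run keys) and O23 (services): binaries should not live in Temp, and
    # a registration whose binary is gone is left-over from something removed.
    if code in ("O4", "O23"):
        if TEMP_DIR.search(line):
            reasons.append("binary launched from a Temp directory")
        if line.endswith("(file missing)"):
            reasons.append("registered binary is missing from disk")

    return Finding(code, line, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Return the flagged entries of a whole HJT log, in log order."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_HJT_LOG):
        print(f"[{finding.code}] {finding.line}")
        for reason in finding.reasons:
            print(f"      -> {reason}")
```

Run against the sample it reports three entries: the loopback ProxyServer line, the nameless BHO with "(no file)", and the McAfee cleanup service (flagged twice, for the Temp path and for the missing file). The checks are deliberately narrow; a log this size is still read by a person, and the script only points at the lines worth reading first.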

        kristylentz


          Re: Please help - Fake Spy Pro issues
          « Reply #5 on: May 28, 2010, 11:55:55 PM »
          Thank you again for replying. Before I get started on your next set of instructions, I thought I'd reply to your first points.

          Regarding the internet, we just switched to "Bob" through iinet (ADSL 2). I am connected by wireless. The signal strength is high so I don't think the software/hardware/connection itself is the issue. I think maybe the virus is blocking access?

          Regarding U-Torrent, the minute I read the initial instructions (before posting this thread) I uninstalled U-torrent. I don't plan on reinstalling it. I have just deleted the torrent files that were sitting on the hard drive for downloading too. I completely get that this was the most likely cause and I have no interest in risking my laptop all over again! Thank you for the advice :-)

          Now I am off to follow your instructions...

          kristylentz


            Re: Please help - Fake Spy Pro issues
            « Reply #6 on: May 29, 2010, 12:20:10 AM »
            I just gave HijackThis a go and the scan stopped me with this message:

            "For some reason your system denied access write access to the Hosts file. If any hijacked domains are in the file, HijackThis may NOT be able to fix this.
            If that happens, you need to edit the file yourself. To do this, click, Start, Run and type:
            notepad C:\WindowsSystem32\drivers\etc\hosts
            and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as "hosts" ( with quotes ), and reboot.
            For Vista: simply exit HijackThis, right click on the HijackTHis icon, choose "Run as Administrator""

            I tried the Vista instructions and it did nothing.

            What should I do?

            SuperDave

            Re: Please help - Fake Spy Pro issues
            « Reply #7 on: May 29, 2010, 05:27:35 PM »
            You have an older version of HJT. Please download the latest one and rename it as stated in the instructions below. Uninstall your old version first.

            Download and rename HijackThis.exe (HJT)

            * Double-click on HJTInstall.
            * Click on the Install button.
            * It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
            * Upon install, HijackThis should open for you.

            •Close HijackThis and rename it.

            •Go to C:\Program Files\Trend Micro\HijackThis.exe

            •Right click on HijackThis.exe and select Rename.

            •Type in sniper.exe and press Enter.

            •Right-click on sniper.exe and select Send To > Desktop (create shortcut)
            .
            * From the desktop open HijackThis.
            * If using Windows Vista, Right-click and Run As Administrator.
            * Click on the Do a system scan and save a log file button
            * HijackThis will scan and then a log will open in notepad.
            Copy and Paste the entire contents of the log in your post.
            .
            Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
            .
            Although we have renamed HijackThis to sniper, we will still refer to it as HijackThis or HJT.

            ======================================

            If HJT still doesn't work, please continue on with the ComboFix script and the other things.

            kristylentz


              Re: Please help - Fake Spy Pro issues
              « Reply #8 on: May 29, 2010, 06:55:53 PM »
              Thank you again.

              Logfile of Trend Micro HijackThis v2.0.2
              Scan saved at 8:54:24 AM, on 30/05/2010
              Platform: Windows Vista SP2 (WinNT 6.00.1906)
              MSIE: Internet Explorer v8.00 (8.00.6001.18904)
              Boot mode: Normal

              Running processes:
              C:\Windows\system32\Dwm.exe
              C:\Windows\system32\taskeng.exe
              C:\Windows\Explorer.EXE
              C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
              C:\Windows\RtHDVCpl.exe
              C:\Program Files\Synaptics\SynTP\SynTPStart.exe
              C:\Windows\PLFSetI.exe
              C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
              C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
              C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
              C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
              C:\Program Files\Launch Manager\LManager.exe
              C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
              C:\Program Files\Winamp\winampa.exe
              C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
              C:\Program Files\HP\HP UT\bin\hppusg.exe
              C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
              C:\Program Files\Common Files\Java\Java Update\jusched.exe
              C:\Program Files\iTunes\iTunesHelper.exe
              C:\Program Files\Microsoft Security Essentials\msseces.exe
              C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
              C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
              C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe
              C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
              C:\Users\Kristy\AppData\Local\Temp\RtkBtMnt.exe
              C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
              C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
              C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
              C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
              C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
              C:\Program Files\Internet Explorer\IELowutil.exe
              C:\Windows\system32\wuauclt.exe
              C:\Program Files\Mozilla Firefox\firefox.exe
              C:\Program Files\Trend Micro\HijackThis\sniper.exe

              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.au.acer.yahoo.com
              R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
              R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
              O1 - Hosts: ::1 localhost
              O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
              O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
              O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
              O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
              O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
              O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
              O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
              O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
              O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
              O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
              O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
              O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
              O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
              O4 - HKLM\..\Run: [PLFSetI] C:\Windows\PLFSetI.exe
              O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
              O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
              O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
              O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
              O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
              O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
              O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
              O4 - HKLM\..\Run: [HPUsageTracking] C:\Program Files\HP\HP UT\bin\hppusg.exe "C:\Program Files\HP\HP UT\"
              O4 - HKLM\..\Run: [Skytel] Skytel.exe
              O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
              O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
              O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
              O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
              O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
              O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
              O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
              O4 - HKCU\..\Run: [Google Update] "C:\Users\Kristy\AppData\Local\Google\Update\GoogleUpdate.exe" /c
              O4 - Global Startup: Bluetooth.lnk = ?
              O4 - Global Startup: Empowering Technology Launcher.lnk = ?
              O4 - Global Startup: TMMonitor.lnk = C:\Program Files\ArcSoft\TotalMedia 3.5\TMMonitor.exe
              O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
              O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
              O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
              O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
              O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
              O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
              O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
              O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
              O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
              O23 - Service: McAfee Application Installer Cleanup (0166841249222805) (0166841249222805mcinstcleanup) - Unknown owner - C:\Users\Kristy\AppData\Local\Temp\016684~1.EXE (file missing)
              O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
              O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
              O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
              O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
              O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
              O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
              O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
              O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
              O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
              O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
              O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
              O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
              O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
              O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
              O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
              O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
              O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
              O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

              --
              End of file - 9434 bytes

              ----------------------------------------------------------------------

              Shall I move on?

              SuperDave

              Re: Please help - Fake Spy Pro issues
              « Reply #9 on: May 29, 2010, 07:53:41 PM »
              Open HijackThis and select Do a system scan only

              Place a check mark next to the following entries: (if there)

              R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
              R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
              O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
              O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
              O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript (filesize 1090952 bytes, MD5 D594EA4AC1C0E4675EF2F0063950ABEF)
              O23 - Service: McAfee Application Installer Cleanup (0166841249222805) (0166841249222805mcinstcleanup) - Unknown owner - C:\Users\Kristy\AppData\Local\Temp\016684~1.EXE (file missing)


              Important: Close all open windows except for HijackThis and then click Fix checked.

              Once completed, exit HijackThis.

              =======================================

              Now please run the ComboFix Script as described in Reply #4 .

              kristylentz


                Re: Please help - Fake Spy Pro issues
                « Reply #10 on: June 02, 2010, 06:33:31 AM »
                ComboFix 10-05-27.03 - Kristy 02/06/2010  20:19:11.2.2 - x86
                Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.61.1033.18.3069.1920 [GMT 8:00]
                Running from: c:\users\Kristy\Desktop\ComboFix.exe
                Command switches used :: c:\combofix\CFScript.txt
                SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
                SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
                .

                (((((((((((((((((((((((((   Files Created from 2010-05-02 to 2010-06-02  )))))))))))))))))))))))))))))))
                .

                2010-06-02 12:25 . 2010-06-02 12:25   --------   d-----w-   c:\users\Public\AppData\Local\temp
                2010-06-02 12:25 . 2010-06-02 12:25   --------   d-----w-   c:\users\Default\AppData\Local\temp
                2010-05-29 10:51 . 2010-05-29 10:56   --------   d-----w-   c:\users\Kristy\AppData\Roaming\AUSkey
                2010-05-29 10:51 . 2010-05-29 10:51   --------   d-----w-   c:\program files\ABR
                2010-05-29 06:23 . 2009-08-24 11:36   377344   ----a-w-   c:\windows\system32\winhttp.dll
                2010-05-28 10:42 . 2010-06-02 12:25   --------   d-----w-   c:\users\Kristy\AppData\Local\temp
                2010-05-28 10:26 . 2010-05-28 10:26   --------   d-----w-   c:\program files\Trend Micro
                2010-05-28 10:25 . 2009-06-15 14:52   499712   ----a-w-   c:\windows\system32\kerberos.dll
                2010-05-28 10:25 . 2009-06-15 14:53   270848   ----a-w-   c:\windows\system32\schannel.dll
                2010-05-27 16:53 . 2010-05-27 16:53   --------   d-----w-   c:\users\Kristy\AppData\Roaming\Malwarebytes
                2010-05-27 16:53 . 2010-04-29 07:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                2010-05-27 16:53 . 2010-05-27 16:53   --------   d-----w-   c:\programdata\Malwarebytes
                2010-05-27 16:53 . 2010-05-27 16:53   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                2010-05-27 16:53 . 2010-04-29 07:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                2010-05-27 16:47 . 2010-05-27 16:47   290560   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{F66B7E85-A39D-1017-AEFA-BC6B89B8B12D}-vrmaqdvtssd.exe
                2010-05-27 13:38 . 2010-05-27 13:38   63488   ----a-w-   c:\users\Kristy\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
                2010-05-27 13:38 . 2010-05-27 13:38   52224   ----a-w-   c:\users\Kristy\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
                2010-05-27 13:38 . 2010-05-27 13:38   117760   ----a-w-   c:\users\Kristy\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                2010-05-27 13:37 . 2010-05-27 13:37   --------   d-----w-   c:\users\Kristy\AppData\Roaming\SUPERAntiSpyware.com
                2010-05-27 13:37 . 2010-05-27 13:37   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
                2010-05-27 13:37 . 2010-05-27 13:37   --------   d-----w-   c:\program files\SUPERAntiSpyware
                2010-05-27 13:34 . 2010-05-27 13:34   --------   d-----w-   c:\program files\CCleaner
                2010-05-27 13:12 . 2010-05-27 13:12   290560   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{B11EFC17-0FEB-2D4B-EBEE-040B04EC1D88}-vrmaqdvtssd.exe
                2010-05-27 12:58 . 2010-05-27 12:58   --------   d-----w-   c:\program files\Microsoft Security Essentials
                2010-05-27 12:54 . 2010-04-23 14:13   2048   ----a-w-   c:\windows\system32\tzres.dll
                2010-05-26 14:46 . 2010-05-23 09:50   73216   ----a-w-   c:\users\Kristy\AppData\Roaming\Mozilla\Firefox\Profiles\va4xoc4y.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
                2010-05-26 14:46 . 2010-04-18 06:33   172032   ----a-w-   c:\users\Kristy\AppData\Roaming\Mozilla\Firefox\Profiles\va4xoc4y.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\puttygen.exe
                2010-05-26 14:46 . 2010-04-18 06:33   307200   ----a-w-   c:\users\Kristy\AppData\Roaming\Mozilla\Firefox\Profiles\va4xoc4y.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\psftp.exe
                2010-05-26 14:46 . 2010-03-25 13:49   66048   ----a-w-   c:\users\Kristy\AppData\Roaming\Mozilla\Firefox\Profiles\va4xoc4y.default\extensions\[email protected]\platform\WINNT\components\nsTwitterFoxSign.dll
                2010-05-26 14:32 . 2010-05-27 17:03   --------   d-----w-   c:\users\Kristy\AppData\Local\adielkhjv
                2010-05-13 11:38 . 2010-01-29 15:40   738816   ----a-w-   c:\windows\system32\inetcomm.dll

                .
                ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                2010-06-01 15:49 . 2008-05-08 05:53   12   ----a-w-   c:\windows\bthservsdp.dat
                2010-06-01 13:52 . 2008-03-26 08:33   --------   d-----w-   c:\programdata\Microsoft Help
                2010-05-21 06:14 . 2009-10-03 02:12   221568   ------w-   c:\windows\system32\MpSigStub.exe
                2010-05-14 23:46 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
                2010-04-28 13:15 . 2010-04-28 13:15   --------   d-----w-   c:\program files\iTunes
                2010-04-28 13:15 . 2010-04-28 13:15   --------   d-----w-   c:\program files\iPod
                2010-04-28 13:15 . 2008-10-27 04:53   --------   d-----w-   c:\program files\Common Files\Apple
                2010-04-28 13:12 . 2010-04-28 13:12   --------   d-----w-   c:\program files\Bonjour
                2010-04-28 13:05 . 2010-04-28 13:05   73000   ----a-w-   c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.11\SetupAdmin.exe
                2010-04-21 14:21 . 2009-08-08 23:46   --------   d-----w-   c:\program files\Safari
                2010-04-19 06:59 . 2010-04-19 06:59   255472   ----a-w-   c:\users\Kristy\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
                2010-04-11 08:41 . 2009-07-12 02:59   --------   d-----w-   c:\users\Kristy\AppData\Roaming\vlc
                2010-04-10 00:24 . 2010-04-10 00:23   --------   d-----w-   c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
                2010-04-10 00:21 . 2010-04-10 00:20   --------   d-----w-   c:\program files\QuickTime
                2010-04-09 23:57 . 2009-10-17 01:29   680   ----a-w-   c:\users\Kristy\AppData\Local\d3d9caps.dat
                2010-04-08 05:20 . 2010-04-08 05:20   91424   ----a-w-   c:\windows\system32\dnssd.dll
                2010-04-08 05:20 . 2010-04-08 05:20   107808   ----a-w-   c:\windows\system32\dns-sd.exe
                2010-04-03 11:43 . 2010-04-03 11:43   107352   ----a-w-   c:\users\Kristy\AppData\Local\GDIPFONTCACHEV1.DAT
                2010-03-24 11:14 . 2008-11-23 03:33   2485883   ----a-w-   c:\programdata\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
                2010-03-21 01:46 . 2010-03-21 01:44   249856   ------w-   c:\windows\Setup1.exe
                2010-03-21 01:46 . 2010-03-21 01:44   73216   ----a-w-   c:\windows\ST6UNST.EXE
                2010-03-08 20:28 . 2008-11-02 10:15   411368   ----a-w-   c:\windows\system32\deploytk.dll
                2010-03-05 14:01 . 2010-04-18 12:46   420352   ----a-w-   c:\windows\system32\vbscript.dll
                .

                (((((((((((((((((((((((((((((   SnapShot@2010-05-28_10.40.25   )))))))))))))))))))))))))))))))))))))))))
                .
                + 2010-05-29 06:23 . 2009-11-03 21:55   24064              c:\windows\winsxs\x86_microsoft-windows-nshhttp_31bf3856ad364e35_6.0.6002.22258_none_75ef2fe38adfadb0\nshhttp.dll
                + 2010-05-29 06:23 . 2009-11-03 21:43   24064              c:\windows\winsxs\x86_microsoft-windows-nshhttp_31bf3856ad364e35_6.0.6002.18136_none_7579325c71b3a356\nshhttp.dll
                + 2010-05-29 06:23 . 2009-11-03 22:01   24064              c:\windows\winsxs\x86_microsoft-windows-nshhttp_31bf3856ad364e35_6.0.6001.22556_none_7406bd678dbb25de\nshhttp.dll
                + 2010-05-29 06:23 . 2009-11-03 22:17   24064              c:\windows\winsxs\x86_microsoft-windows-nshhttp_31bf3856ad364e35_6.0.6001.18356_none_737d1eb6749d88ed\nshhttp.dll
                + 2010-05-29 06:23 . 2009-11-03 12:49   24064              c:\windows\winsxs\x86_microsoft-windows-nshhttp_31bf3856ad364e35_6.0.6000.21154_none_721e54699096985a\nshhttp.dll
                + 2010-05-29 06:23 . 2009-11-03 13:01   24064              c:\windows\winsxs\x86_microsoft-windows-nshhttp_31bf3856ad364e35_6.0.6000.16951_none_7191de9e777b7949\nshhttp.dll
                + 2010-05-28 10:25 . 2009-06-15 15:00   72704              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.22152_none_a886901f7335e2fc\secur32.dll
                + 2010-05-28 10:25 . 2009-06-15 15:25   72704              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.22450_none_a69e1da376115b2a\secur32.dll
                + 2010-05-28 10:25 . 2009-06-15 15:08   72704              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.21067_none_a4b3e75378eccda6\secur32.dll
                + 2010-05-29 06:23 . 2009-11-03 21:53   30720              c:\windows\winsxs\x86_microsoft-windows-http-api_31bf3856ad364e35_6.0.6002.22258_none_f7ee45feb3b119ca\httpapi.dll
                + 2010-05-29 06:23 . 2009-11-03 21:42   30720              c:\windows\winsxs\x86_microsoft-windows-http-api_31bf3856ad364e35_6.0.6002.18136_none_f77848779a850f70\httpapi.dll
                + 2010-05-29 06:23 . 2009-11-03 22:00   31232              c:\windows\winsxs\x86_microsoft-windows-http-api_31bf3856ad364e35_6.0.6001.22556_none_f605d382b68c91f8\httpapi.dll
                + 2010-05-29 06:23 . 2009-11-03 22:15   31232              c:\windows\winsxs\x86_microsoft-windows-http-api_31bf3856ad364e35_6.0.6001.18356_none_f57c34d19d6ef507\httpapi.dll
                + 2010-05-29 06:23 . 2009-11-03 12:46   31232              c:\windows\winsxs\x86_microsoft-windows-http-api_31bf3856ad364e35_6.0.6000.21154_none_f41d6a84b9680474\httpapi.dll
                + 2010-05-29 06:23 . 2009-11-03 12:57   31232              c:\windows\winsxs\x86_microsoft-windows-http-api_31bf3856ad364e35_6.0.6000.16951_none_f390f4b9a04ce563\httpapi.dll
                + 2008-01-21 01:58 . 2010-06-02 11:58   74542              c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
                + 2006-11-02 13:05 . 2010-06-02 11:58   95254              c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
                + 2008-10-27 00:52 . 2010-06-02 11:58   12918              c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3255875977-2652248836-1897435283-1003_UserData.bin
                + 2009-06-27 19:41 . 2010-06-02 11:57   16384              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
                - 2009-06-27 19:41 . 2010-05-27 17:07   16384              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
                + 2008-10-27 00:08 . 2010-06-02 11:57   32768              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
                - 2008-10-27 00:08 . 2010-05-28 10:19   32768              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
                + 2008-10-27 00:08 . 2010-06-02 11:57   49152              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
                - 2008-10-27 00:08 . 2010-05-28 10:19   49152              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
                - 2008-10-27 00:08 . 2010-05-28 10:19   16384              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
                + 2008-10-27 00:08 . 2010-06-02 11:57   16384              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
                + 2009-11-29 11:57 . 2010-06-01 14:43   16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
                - 2009-11-29 11:57 . 2010-05-27 12:40   16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
                - 2009-11-29 11:57 . 2010-05-27 12:40   32768              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
                + 2009-11-29 11:57 . 2010-06-01 14:43   32768              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
                - 2009-11-29 11:57 . 2010-05-27 12:40   16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
                + 2009-11-29 11:57 . 2010-06-01 14:43   16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
                + 2010-05-28 10:25 . 2009-06-15 12:51   9728              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.22152_none_a886901f7335e2fc\lsass.exe
                + 2010-05-28 10:25 . 2009-06-15 13:03   9728              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.22450_none_a69e1da376115b2a\lsass.exe
                + 2010-05-28 10:25 . 2009-06-15 12:59   7680              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.21067_none_a4b3e75378eccda6\lsass.exe
                - 2010-05-28 10:19 . 2010-05-28 10:19   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
                + 2010-06-02 11:57 . 2010-06-02 11:57   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
                - 2010-05-28 10:19 . 2010-05-28 10:19   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
                + 2010-06-02 11:57 . 2010-06-02 11:57   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
                + 2010-05-29 06:23 . 2009-08-24 11:50   377344              c:\windows\winsxs\x86_microsoft.windows.winhttp_31bf3856ad364e35_5.1.6002.22208_none_27461209d860183c\winhttp.dll
                + 2010-05-29 06:23 . 2009-08-24 11:36   377344              c:\windows\winsxs\x86_microsoft.windows.winhttp_31bf3856ad364e35_5.1.6002.18096_none_26592378bf8d4416\winhttp.dll
                + 2010-05-29 06:23 . 2009-08-24 11:51   378368              c:\windows\winsxs\x86_microsoft.windows.winhttp_31bf3856ad364e35_5.1.6001.22504_none_255b9ef9db3d5dbc\winhttp.dll
                + 2010-05-29 06:23 . 2009-08-24 12:16   378368              c:\windows\winsxs\x86_microsoft.windows.winhttp_31bf3856ad364e35_5.1.6001.18315_none_24c830a6c226f613\winhttp.dll
                + 2010-05-29 06:23 . 2009-08-24 12:34   378880              c:\windows\winsxs\x86_microsoft.windows.winhttp_31bf3856ad364e35_5.1.6000.21113_none_23696659de200580\winhttp.dll
                + 2010-05-29 06:23 . 2009-08-24 12:47   378368              c:\windows\winsxs\x86_microsoft.windows.winhttp_31bf3856ad364e35_5.1.6000.16913_none_22dff16cc5023274\winhttp.dll
                + 2010-05-28 10:25 . 2009-06-15 15:00   270848              c:\windows\winsxs\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6002.22152_none_2452506b6bad8187\schannel.dll
                + 2010-05-28 10:25 . 2009-06-15 14:53   270848              c:\windows\winsxs\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6002.18051_none_23c7b3565290c866\schannel.dll
                + 2010-05-28 10:25 . 2009-06-15 15:25   270848              c:\windows\winsxs\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6001.22450_none_2269ddef6e88f9b5\schannel.dll
                + 2010-05-28 10:25 . 2009-06-15 15:24   270848              c:\windows\winsxs\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6001.18272_none_21cc9ffa5579c754\schannel.dll
                + 2010-05-28 10:25 . 2009-06-15 15:08   272384              c:\windows\winsxs\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6000.21067_none_207fa79f71646c31\schannel.dll
                + 2010-05-28 10:25 . 2009-06-15 15:28   272384              c:\windows\winsxs\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6000.16870_none_1fe460c0585503b5\schannel.dll
                + 2010-05-28 10:25 . 2009-06-15 14:59   217600              c:\windows\winsxs\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6002.22152_none_7eeef23078f56dde\msv1_0.dll
                + 2010-05-28 10:25 . 2009-06-15 14:53   218624              c:\windows\winsxs\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6002.18051_none_7e64551b5fd8b4bd\msv1_0.dll
                + 2010-05-28 10:25 . 2009-06-15 15:24   213504              c:\windows\winsxs\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6001.22450_none_7d067fb47bd0e60c\msv1_0.dll
                + 2010-05-28 10:25 . 2009-06-15 15:22   213504              c:\windows\winsxs\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6001.18272_none_7c6941bf62c1b3ab\msv1_0.dll
                + 2010-05-28 10:25 . 2009-06-15 15:06   216576              c:\windows\winsxs\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6000.21067_none_7b1c49647eac5888\msv1_0.dll
                + 2010-05-28 10:25 . 2009-06-15 15:25   216576              c:\windows\winsxs\x86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6000.16870_none_7a810285659cf00c\msv1_0.dll
                + 2010-05-28 10:25 . 2009-06-15 14:58   500736              c:\windows\winsxs\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6002.22152_none_e912e288c7383abe\kerberos.dll
                + 2010-05-28 10:25 . 2009-06-15 14:52   499712              c:\windows\winsxs\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6002.18051_none_e8884573ae1b819d\kerberos.dll
                + 2010-05-28 10:25 . 2009-06-15 15:22   500736              c:\windows\winsxs\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6001.22450_none_e72a700cca13b2ec\kerberos.dll
                + 2010-05-28 10:25 . 2009-06-15 15:21   499712              c:\windows\winsxs\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6001.18272_none_e68d3217b104808b\kerberos.dll
                + 2010-05-28 10:25 . 2009-06-15 15:04   496640              c:\windows\winsxs\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6000.21067_none_e54039bcccef2568\kerberos.dll
                + 2010-05-28 10:25 . 2009-06-15 15:23   494592              c:\windows\winsxs\x86_microsoft-windows-security-kerberos_31bf3856ad364e35_6.0.6000.16870_none_e4a4f2ddb3dfbcec\kerberos.dll
                + 2010-05-28 10:25 . 2009-06-15 15:00   175104              c:\windows\winsxs\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6002.22152_none_3d095074931fbe8f\wdigest.dll
                + 2010-05-28 10:25 . 2009-06-15 15:26   175104              c:\windows\winsxs\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6001.22450_none_3b20ddf895fb36bd\wdigest.dll
                + 2010-05-28 10:25 . 2009-06-15 15:09   175104              c:\windows\winsxs\x86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6000.21067_none_3936a7a898d6a939\wdigest.dll
                + 2010-05-29 06:23 . 2009-11-03 19:45   411648              c:\windows\winsxs\x86_microsoft-windows-http_31bf3856ad364e35_6.0.6002.22258_none_af0305482f402d0f\http.sys
                + 2010-05-29 06:23 . 2009-11-03 19:41   411648              c:\windows\winsxs\x86_microsoft-windows-http_31bf3856ad364e35_6.0.6002.18136_none_ae8d07c1161422b5\http.sys
                + 2010-05-29 06:23 . 2009-11-03 19:52   411136              c:\windows\winsxs\x86_microsoft-windows-http_31bf3856ad364e35_6.0.6001.22556_none_ad1a92cc321ba53d\http.sys
                + 2010-05-29 06:23 . 2009-11-03 19:53   411136              c:\windows\winsxs\x86_microsoft-windows-http_31bf3856ad364e35_6.0.6001.18356_none_ac90f41b18fe084c\http.sys
                + 2010-05-29 06:23 . 2009-11-03 10:31   398848              c:\windows\winsxs\x86_microsoft-windows-http_31bf3856ad364e35_6.0.6000.21154_none_ab3229ce34f717b9\http.sys
                + 2010-05-29 06:23 . 2009-11-03 10:37   396800              c:\windows\winsxs\x86_microsoft-windows-http_31bf3856ad364e35_6.0.6000.16951_none_aaa5b4031bdbf8a8\http.sys
                - 2006-11-02 10:33 . 2010-05-28 10:25   642538              c:\windows\System32\perfh009.dat
                + 2006-11-02 10:33 . 2010-06-02 12:03   642538              c:\windows\System32\perfh009.dat
                + 2006-11-02 10:33 . 2010-06-02 12:03   123442              c:\windows\System32\perfc009.dat
                - 2006-11-02 10:33 . 2010-05-28 10:25   123442              c:\windows\System32\perfc009.dat
                + 2006-11-02 12:47 . 2010-06-01 14:44   393944              c:\windows\System32\FNTCACHE.DAT
                - 2006-11-02 12:47 . 2010-05-01 08:44   393944              c:\windows\System32\FNTCACHE.DAT
                + 2010-05-28 10:25 . 2009-06-15 14:58   1259008              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.22152_none_a886901f7335e2fc\lsasrv.dll
                + 2010-05-28 10:25 . 2009-06-15 15:25   1257984              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.22450_none_a69e1da376115b2a\lsasrv.dll
                + 2010-05-28 10:25 . 2009-06-15 15:04   1235456              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6000.21067_none_a4b3e75378eccda6\lsasrv.dll
                + 2006-11-02 10:22 . 2010-05-30 00:47   6553600              c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
                - 2006-11-02 10:22 . 2010-05-28 10:24   6553600              c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
                + 2010-05-29 10:51 . 2010-05-29 10:51   1113088              c:\windows\Installer\d8603.msi
                + 2009-05-03 00:59 . 2010-05-29 06:23   204169818              c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
                .
                -- Snapshot reset to current date --
                .
                (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                *Note* empty entries & legit default entries are not shown
                REGEDIT4

                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
                @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
                [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
                2008-01-03 09:00   39472   ----a-w-   c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

                [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-05-16 213936]
                "Google Update"="c:\users\Kristy\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-05-04 133104]

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
                "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
                "RtHDVCpl"="RtHDVCpl.exe" [2008-01-08 4853760]
                "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
                "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
                "PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
                "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 81920]
                "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
                "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-01-03 521776]
                "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-01-07 858632]
                "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
                "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
                "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
                "HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2007-05-04 36864]
                "Skytel"="Skytel.exe" [2007-11-21 1826816]
                "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
                "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
                "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
                "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-24 142120]
                "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-20 1093208]

                c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
                Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-8-29 739880]
                Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-3-26 535336]
                TMMonitor.lnk - c:\program files\ArcSoft\TotalMedia 3.5\TMMonitor.exe [2008-10-27 258048]

                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                "EnableUIADesktopToggle"= 0 (0x0)

                [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
                BootExecute   REG_MULTI_SZ      autocheck autochk *\0RwcLkRen c:\windows\system32\RwcLkCfg

                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
                @="Service"

                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
                @="Service"

                [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
                "DisableMonitoring"=dword:00000001

                [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
                "VistaSp2"=hex(b):db,46,71,b0,e5,15,ca,01

                R2 0166841249222805mcinstcleanup;McAfee Application Installer Cleanup (0166841249222805);c:\users\Kristy\AppData\Local\Temp\016684~1.EXE

                R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-07-22 180736]
                R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2007-05-18 28464]
                R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys [2009-06-05 17408]
                R3 uxkx1;ASUS My Cinema U3100 Mini DVBT;c:\windows\system32\DRIVERS\uxkx1.sys [2007-11-21 459264]
                R3 WisINT15;WisINT15;c:\elements\1stboot\WisINT15.SYS

                S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
                S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
                S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
                S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-16 3668480]


                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                bthsvcs   REG_MULTI_SZ      BthServ
                LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
                .
                Contents of the 'Scheduled Tasks' folder

                2010-05-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3255875977-2652248836-1897435283-1003Core.job
                - c:\users\Kristy\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-04 14:12]

                2010-06-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3255875977-2652248836-1897435283-1003UA.job
                - c:\users\Kristy\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-04 14:12]

                2010-06-01 c:\windows\Tasks\User_Feed_Synchronization-{9E7F521B-14BE-4AFE-A796-2205DDC73E94}.job
                - c:\windows\system32\msfeedssync.exe [2010-03-30 04:54]
                .
                .
                ------- Supplementary Scan -------
                .
                uStart Page = hxxp://www.google.com/
                mStart Page = hxxp://en.au.acer.yahoo.com
                uInternet Settings,ProxyOverride = <local>
                uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
                IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
                IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
                IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
                FF - ProfilePath - c:\users\Kristy\AppData\Roaming\Mozilla\Firefox\Profiles\va4xoc4y.default\
                FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/ig?hl=en&source=iglk
                FF - component: c:\users\Kristy\AppData\Roaming\Mozilla\Firefox\Profiles\va4xoc4y.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
                FF - component: c:\users\Kristy\AppData\Roaming\Mozilla\Firefox\Profiles\va4xoc4y.default\extensions\[email protected]\platform\WINNT\components\nsTwitterFoxSign.dll
                FF - plugin: c:\program files\ABR\Plug-In\bin\npAUSkeyPlugin.dll
                FF - plugin: c:\program files\Common-Use Signing Interface\bin\npCsiPlugin.dll
                FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
                FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
                FF - plugin: c:\users\Kristy\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
                FF - plugin: c:\users\Kristy\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
                FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

                ---- FIREFOX POLICIES ----
                c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
                c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
                c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
                c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_ everywhere__temporarily_available_pref", true);
                c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
                c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_a s_broken", false);
                c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
                c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
                c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
                c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
                .
                - - - - ORPHANS REMOVED - - - -

                AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



                **************************************************************************

                catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                Rootkit scan 2010-06-02 20:25
                Windows 6.0.6002 Service Pack 2 NTFS

                scanning hidden processes ... 

                scanning hidden autostart entries ...

                scanning hidden files ... 

                scan completed successfully
                hidden files: 0

                **************************************************************************
                .
                --------------------- LOCKED REGISTRY KEYS ---------------------

                [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
                @Denied: (A) (Users)
                @Denied: (A) (Everyone)
                @Allowed: (B 1 2 3 4 5) (S-1-5-20)
                "BlindDial"=dword:00000000

                [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
                @Denied: (A) (Users)
                @Denied: (A) (Everyone)
                @Allowed: (B 1 2 3 4 5) (S-1-5-20)
                "BlindDial"=dword:00000000

                [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
                @Denied: (A) (Users)
                @Denied: (A) (Everyone)
                @Allowed: (B 1 2 3 4 5) (S-1-5-20)
                "BlindDial"=dword:00000000

                [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
                @Denied: (A) (Users)
                @Denied: (A) (Everyone)
                @Allowed: (B 1 2 3 4 5) (S-1-5-20)
                "BlindDial"=dword:00000000
                .
                --------------------- DLLs Loaded Under Running Processes ---------------------

                - - - - - - - > 'Explorer.exe'(1084)
                c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
                c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
                c:\windows\system32\btmmhook.dll
                c:\acer\Empowering Technology\EPOWER\SysHook.dll
                .
                Completion time: 2010-06-02  20:27:36
                ComboFix-quarantined-files.txt  2010-06-02 12:27

                Pre-Run: 59,967,025,152 bytes free
                Post-Run: 59,932,573,696 bytes free

                - - End Of File - - 0015EA84E68D6F543979DE8F4D4898F1
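The LOCKED REGISTRY KEYS block in the ComboFix log above is normally read by eye. As an added example (not part of the thread, and not ComboFix's own code), here is a small Python parser that turns that block into records and flags keys carrying a Deny entry for Users or Everyone; the first key in the sample is copied from the log above, the second is constructed.

```python
import re

# Excerpt in the shape of the ComboFix section above: the first real key from
# the log, plus one constructed key that denies nobody, to exercise the flag.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Constructed\Example]
@Allowed: (B 1 2 3 4 5) (Everyone)
"Run"="c:\constructed\example.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
ACL_RE = re.compile(r"^@(?P<kind>Denied|Allowed): \((?P<rights>[^)]*)\) \((?P<who>[^)]*)\)$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_locked_keys(text):
    """One dict per key: path, ACL entries as (kind, principal, rights), values."""
    records, current, in_section = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("---------------------"):
            # Dashed headers bracket the block; any other header ends it.
            in_section = "LOCKED REGISTRY KEYS" in line
            continue
        if not in_section or not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            current = {"key": m["key"], "acl": [], "values": {}}
            records.append(current)
        elif current is not None and (m := ACL_RE.match(line)):
            current["acl"].append((m["kind"], m["who"], m["rights"]))
        elif current is not None and (m := VAL_RE.match(line)):
            current["values"][m["name"]] = m["data"]
    return records


def denies_users(record):
    """True when Users or Everyone carry a Deny ACE, i.e. the key cannot be
    inspected from an ordinary account and merits an analyst's review."""
    return any(kind == "Denied" and who in ("Users", "Everyone")
               for kind, who, _ in record["acl"])
```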

                SuperDave

                • Malware Removal Specialist


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: Please help - Fake Spy Pro issues
                « Reply #11 on: June 02, 2010, 10:26:29 AM »
                How's your computer running now? Any more pop-ups?

                I'd like us to scan your machine with ESET OnlineScan

                • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                ESET OnlineScan
                • Click the button.
                • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                  • Click on to download the ESET Smart Installer. Save it to your desktop.
                  • Double click on the icon on your desktop.
                • Check
                • Click the button.
                • Accept any security warnings from your browser.
                • Check
                • Push the Start button.
                • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                • When the scan completes, push
                • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                • Push the button.
                • Push
                A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

                Windows 8 and Windows 10 dual boot with two SSD's

                kristylentz

                  Topic Starter


                  Rookie

                  Re: Please help - Fake Spy Pro issues
                  « Reply #12 on: June 04, 2010, 10:17:01 PM »
                  Thank you, I am scanning the computer right now.

                  The laptop seems ok now, no real problems. However I do have a few questions.
                  Now that I have all this extra software on my Laptop, what do you suggest I uninstall and what do you suggest I use for antivirus/malware as my standard antivirus software?

                  Thank you :-)

                  SuperDave

                  Re: Please help - Fake Spy Pro issues
                  « Reply #13 on: June 05, 2010, 08:12:05 AM »
                  Once I receive the results of the last scan, I will give you advice about how to remove those tools and which tools to use.

                  kristylentz


                    Re: Please help - Fake Spy Pro issues
                    « Reply #14 on: June 05, 2010, 06:41:47 PM »
                    C:\Users\Kristy\Pictures\Themes\Screen Savers\Disney\Peter Pan\peterpan2ss.exe   multiple threats   deleted - quarantined

                    Thank you :-)

                    SuperDave

                    Re: Please help - Fake Spy Pro issues
                    « Reply #15 on: June 06, 2010, 10:40:58 AM »
                    Ok. One more scan.

                    Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:

                    • Double-click on drweb-cureit.exe and then click Start.
                    • An information notice will appear, click OK.
                    • This starts a short scan that will scan the files currently running in memory.
                    If you get a prompt to buy the full version, just exit out of the window. The scanner will still work without buying the full version.
                    • If or when something is found, click the Yes button when it asks you if you want to cure it.
                    • Once the short scan has finished, click Settings > Change Settings.
                    • Under the Scanning tab, UNcheck Heuristic analysis and click OK.
                    • Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start.
                    • Click Yes to all if it asks if you want to cure/move any file(s).
                    • When the scan is done, in the Dr.Web CureIt menu on top left, click File and choose Save report list.
                    • Save the DrWeb.csv report to your Desktop.
                    • Exit Dr.Web CureIt.
                    Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
                    • After reboot, right-click the Dr.Web log on the desktop and choose Open With > Notepad.
                    • Copy and paste that log in the next reply.

                    kristylentz


                      Re: Please help - Fake Spy Pro issues
                      « Reply #16 on: June 07, 2010, 05:44:32 AM »
                      No viruses found :-)

                      SuperDave

                      Re: Please help - Fake Spy Pro issues
                      « Reply #17 on: June 07, 2010, 01:13:11 PM »
                      That looks good. If there are no other issues, let's do some clean-up.

                      * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
                      * Now type Combofix /uninstall in the runbox
                      * Make sure there's a space between Combofix and /Uninstall
                      * Then hit Enter

                      * The above procedure will:
                      * Delete the following:
                      * ComboFix and its associated files and folders.
                      * Reset the clock settings.
                      * Hide file extensions, if required.
                      * Hide System/Hidden files, if required.
                      * Set a new, clean Restore Point.

                      ===============================

                      Download OTC by OldTimer and save it to your desktop.

                      1. Double-click OTC to run it.
                      2. Click the CleanUp! button.
                      3. Select Yes when the "Begin cleanup Process?" prompt appears.
                      4. If you are prompted to Reboot during the cleanup, select Yes
                      5. OTC should delete itself once it finishes, if not delete it yourself.

                      ===============================

                      Clean out your temporary internet files and temp files.

                      Download TFC by OldTimer to your desktop.

                      Double-click TFC.exe to run it.

                      Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                      TFC will close all programs when run, so make sure you have saved all your work before you begin.

                      * Click the Start button to begin the cleaning process.
                      * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
                      * Please let TFC run uninterrupted until it is finished.

                      Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

                      ================================

                      Looking over your log it seems you don't have any evidence of a third party firewall.

                      Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

                      Remember only install ONE firewall

                      1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage", and uncheck any HopSurf and/or Ask.com options if you choose this one)
                      2) Online Armor
                      3) Agnitum Outpost
                      4) PC Tools Firewall Plus

                      If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

                      =================================

                      Use the Secunia Software Inspector to check for out of date software.

                      •Click Start Now

                      •Check the box next to Enable thorough system inspection.

                      •Click Start

                      •Allow the scan to finish and scroll down to see if any updates are needed.
                      •Update anything listed.
                      ----------

                      Go to Microsoft Windows Update and get all critical updates.

                      ----------

                      I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                      SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                      * Using SpywareBlaster to protect your computer from Spyware and Malware
                      * If you don't know what ActiveX controls are, see here

                      Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                      Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                      Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
                      Safe Surfing!