Cannot rename folder or install new programs


This topic is locked
18 replies to this topic

#1 cathay

  • Members
  • 19 posts

Posted 25 May 2009 - 10:43 PM

Hi,

I came back from a trip and my computer is acting up. So far, I've found at least 3 different problems I never had before.

1) Create new folder. Then right-click to Rename it. Type in the desired name and press Enter. Name reverts back to "New Folder". Have full access (administrator) and took control over folder and the top level folder also. Never had this happen before.

2) Downloaded new programs - go through installation process. When it is trying to install, it reads "Internal Error: failed to expand shell folder constant "userappdata""

3) I am running Avast Anti-virus. Did all new updates. When finished running, there are many files and folders that are "password" protected so therefore Avast is not able to access those files. I never set passwords to my files and this has never happened before.

4) I noticed there was an "Unknown User" that is showing up in some of my folder property when I was checking access rights.

Here is a log from HijackThis...please help!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:35 PM, on 24/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Speeditup Free\SearchDefender.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Search Defender] "C:\Program Files\Speeditup Free\SearchDefender.exe"
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\Speeditup Free\SpeedItUp.exe -MINI
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\Common Files\NMSAccessU.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe


DDS (Ver_09-05-14.01) - NTFSx86
Run by Ron at 20:38:48.59 on 25/05/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.3070.1456 [GMT -7:00]

AV: avast! antivirus 4.8.1229 [VPS 090331-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: avast! antivirus 4.8.1229 [VPS 090331-0] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\NMSAccessU.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP Advisor\SSDK04.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Speeditup Free\SearchDefender.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Ron\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5HKBT6OB\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ca.yahoo.com/
uSearch Page = hxxp://ie.search.msn.com
uSearch Bar = hxxp://ie.search.msn.com
uWindow Title =
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Search Defender] "c:\program files\speeditup free\SearchDefender.exe"
uRun: [SpeedItUpEX] c:\program files\speeditup free\SpeedItUp.exe -MINI
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [<NO NAME>]
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [SMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpconn~1.lnk - c:\program files\hp connections\6811507\program\HP Connections.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~3.0_0\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-24 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-1 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-1 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2008-2-8 51792]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 953168]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-3-1 810320]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-5-16 102760]
R3 m4cxvista;NDIS6.0 Miniport Driver for D-Link Gigabit Ethernet Controller;c:\windows\system32\drivers\m4cxvista.sys [2007-1-10 196096]
S3 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20061025.029\IDSvix86.sys [2007-5-16 202872]

=============== Created Last 30 ================

2009-05-25 10:39 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-24 19:54 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-24 19:45 <DIR> -cd-h--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-24 19:45 <DIR> -cd-h--- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-24 18:33 <DIR> --d----- c:\program files\Registry Easy
2009-05-24 17:29 <DIR> --d----- c:\program files\Trend Micro
2009-05-24 02:12 25 a------- c:\windows\cdplayer.ini
2009-05-24 00:34 <DIR> --d----- c:\windows\Profiles
2009-05-24 00:14 <DIR> --d----- c:\program files\freestar
2009-05-24 00:08 36 ----h--- c:\windows\system32\swk.ini
2009-05-17 00:30 524,288 a--sh--- C:\ntuser.dat{f949950a-42a4-11de-b8c3-001a925d1cd0}.TMContainer00000000000000000002.regtrans-ms
2009-05-17 00:30 524,288 a--sh--- C:\ntuser.dat{f949950a-42a4-11de-b8c3-001a925d1cd0}.TMContainer00000000000000000001.regtrans-ms
2009-05-17 00:30 65,536 a--sh--- C:\ntuser.dat{f949950a-42a4-11de-b8c3-001a925d1cd0}.TM.blf
2009-05-17 00:30 5,120 a---h--- C:\ntuser.dat.LOG1
2009-05-17 00:30 0 a---h--- C:\ntuser.dat.LOG2
2009-05-17 00:30 262,144 a------- C:\ntuser.dat

==================== Find3M ====================

2009-03-16 20:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 20:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 20:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-02 21:46 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-02 21:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-02 21:40 827,392 a------- c:\windows\system32\wininet.dll
2009-03-02 21:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-02 21:39 551,424 a------- c:\windows\system32\rpcss.dll
2009-03-02 21:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-02 21:37 78,336 a------- c:\windows\system32\ieencode.dll
2009-03-02 21:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-02 21:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-02 21:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-02 20:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-02 19:38 17,408 a------- c:\windows\system32\iashost.exe
2009-03-02 19:28 26,624 a------- c:\windows\system32\ieUnatt.exe
2008-09-24 17:00 174 a--sh--- c:\program files\desktop.ini
2008-09-24 16:58 86,016 a------- c:\windows\inf\infstrng.dat
2008-09-24 16:58 86,016 a------- c:\windows\inf\infstor.dat
2008-09-24 16:58 51,200 a------- c:\windows\inf\infpub.dat
2008-09-24 00:29 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-07 23:12 17,408 a------- C:\psapi.dll
2007-01-25 03:52 65,536 a------- c:\program files\common files\NMSAccessU.exe
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-10-02 12:56 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-10-02 12:56 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-10-02 12:56 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2007-09-27 12:27 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2007-09-27 12:27 32,768 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2007-09-27 12:27 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 27/08/2007 10:32:54 PM
System Uptime: 25/05/2009 11:06:21 AM (9 hours ago)

Motherboard: ASUSTek Computer INC. | | NODUSM3
Processor: AMD Athlon™ 64 X2 Dual Core Processor 3800+ | Socket AM2 | 2000/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 227 GiB total, 150.249 GiB free.
D: is FIXED (NTFS) - 6 GiB total, 0.884 GiB free.
E: is CDROM (CDFS)
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is FIXED (NTFS) - 279 GiB total, 257.119 GiB free.
K: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================

3C Poker Plus
7-Zip 4.57
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Reader 7.1.0
AppCore
ATI Catalyst Install Manager
AV
avast! Antivirus
Belarc Advisor 7.2
Call of Duty® 4 - Modern Warfare™
ccCommon
ContentSAFER for Wizmax
D-Link DGE-530T
DAEMON Tools Toolbar
Dual-Core Optimizer
Enhanced Multimedia Keyboard Solution
Football Manager 2008
FreeStar Free Video Converter 8.0.7
GOM Player
Google Desktop
Google Toolbar for Internet Explorer
Grand Theft Auto--Kane and Lynch: Dead Men
Hardware Diagnostic Tools
HijackThis 2.0.2
HP Connections (remove only)
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Core
HP Easy Setup - Frontend
HP Picasso Media Center Add-In
HP Total Care Advisor
HP Update
Instant Memory Cleaner
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 7
LightScribe 1.4.124.1
LiveUpdate 3.2 (Symantec Corporation)
Madden NFL 2003
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSRedist
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
muvee autoProducer 5.0
My HP Games
MyFreeCodec
NBA LIVE 07
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Numedia CD-DVD writing as non-admin user
NVIDIA Drivers
OpenAL
Picasa 2
PunkBuster Services
Python 2.4.3
Realtek High Definition Audio Driver
Registry Easy v5.1
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Samsung Media Studio 5
Security Update for CAPICOM (KB931906)
Shock View v2.3
Soft Data Fax Modem with SmartCP
SPBBC 32bit
Speeditup Free 4.61
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Symantec Real Time Storage Protection Component
SymNet
Tom Clancy's Rainbow Six Vegas 2
ViewSonic Windows Vista Signed Files
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Yahoo! Install Manager
Yahoo! Search Protection
Yahoo! Software Update
Yahoo! Toolbar

#2 Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male

Posted 07 June 2009 - 02:50 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

:)

#3 cathay

cathay
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:01:55 PM

Posted 08 June 2009 - 08:00 PM

Net Surfer...Thanks for the reply. I appreciate your help in advance.

I updated the files and ran Ad-Aware, Spybot, Avast Antivirus but nothing was picked up. The only thing was that Avast was not able to open the "userappdata" folder and said it was password protected. When I look at the folder, it's "Read-only" and when I dug a little deeper, many of the common folders have been set to "Read-Only" and I cannot rename any of them.

I am set as the Administrator on my Vista (SP1) machine. I have not been able to update to SP2 or SP3 since when I try to install new updates, it tells me install failed due to userappdata not accessible. I "de-selected" the "Read-only" under folder properties but it sets it back once I click "apply".

I have not changed anything in terms of security, login or user attributes so I am not sure why all of the folder attributes changed all of a sudden. I suspect there is a malware or virus hiding in my machine.

Here is the DDS file log and the zip file.



DDS (Ver_09-05-14.01) - NTFSx86
Run by Ron at 17:50:28.93 on 08/06/2009
Internet Explorer: 8.0.6001.18702
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.3070.1310 [GMT -7:00]

AV: avast! antivirus 4.8.1229 [VPS 090331-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: avast! antivirus 4.8.1229 [VPS 090331-0] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\NMSAccessU.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\conime.exe
C:\Users\Ron\AppData\Local\Temp\Google Toolbar\gtb827E.tmp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\Ron\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ca.yahoo.com/
uSearch Page = hxxp://ie.search.msn.com
uSearch Bar = hxxp://ie.search.msn.com
uWindow Title =
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpeedItUpEX] c:\program files\speeditup free\SpeedItUp.exe -MINI
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [<NO NAME>]
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [SMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpconn~1.lnk - c:\program files\hp connections\6811507\program\HP Connections.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~3.0_0\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-24 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-1 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-1 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2008-2-8 51792]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1005904]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-3-1 810320]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-5-16 102760]
R3 m4cxvista;NDIS6.0 Miniport Driver for D-Link Gigabit Ethernet Controller;c:\windows\system32\drivers\m4cxvista.sys [2007-1-10 196096]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-6-2 33176]
S3 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20061025.029\IDSvix86.sys [2007-5-16 202872]

=============== Created Last 30 ================

2009-06-03 23:09 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-02 22:21 <DIR> --d----- c:\program files\AskBarDis
2009-06-02 22:20 <DIR> --d----- c:\program files\Foxit Software
2009-06-02 22:20 <DIR> --d----- C:\Foxit
2009-06-02 21:39 <DIR> --d----- c:\programdata\NOS
2009-05-31 13:35 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-05-31 11:31 507,400 a------- c:\windows\system32\XAudio2_1.dll
2009-05-31 11:31 65,032 a------- c:\windows\system32\XAPOFX1_0.dll
2009-05-31 11:31 238,088 a------- c:\windows\system32\xactengine3_1.dll
2009-05-31 11:31 25,608 a------- c:\windows\system32\X3DAudio1_4.dll
2009-05-31 11:31 1,491,992 a------- c:\windows\system32\D3DCompiler_38.dll
2009-05-31 11:31 467,984 a------- c:\windows\system32\d3dx10_38.dll
2009-05-31 11:31 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2009-05-31 11:31 479,752 a------- c:\windows\system32\XAudio2_0.dll
2009-05-31 11:31 238,088 a------- c:\windows\system32\xactengine3_0.dll
2009-05-31 11:31 1,420,824 a------- c:\windows\system32\D3DCompiler_37.dll
2009-05-31 11:31 25,608 a------- c:\windows\system32\X3DAudio1_3.dll
2009-05-31 11:31 3,786,760 a------- c:\windows\system32\D3DX9_37.dll
2009-05-31 11:31 462,864 a------- c:\windows\system32\d3dx10_37.dll
2009-05-31 10:45 <DIR> --d----- c:\program files\Rockstar Games
2009-05-27 23:11 524,288 a--sh--- C:\ntuser.dat{0b395fb2-4b19-11de-bf97-001a925d1cd0}.TMContainer00000000000000000002.regtrans-ms
2009-05-27 23:11 524,288 a--sh--- C:\ntuser.dat{0b395fb2-4b19-11de-bf97-001a925d1cd0}.TMContainer00000000000000000001.regtrans-ms
2009-05-27 23:11 65,536 a--sh--- C:\ntuser.dat{0b395fb2-4b19-11de-bf97-001a925d1cd0}.TM.blf
2009-05-27 19:57 97,800 a------- c:\windows\system32\infocardapi.dll
2009-05-27 19:57 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-05-27 19:57 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-05-27 19:57 622,080 a------- c:\windows\system32\icardagt.exe
2009-05-27 19:57 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-05-27 19:57 11,264 a------- c:\windows\system32\icardres.dll
2009-05-27 19:57 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-05-27 19:57 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-05-27 19:49 96,760 a------- c:\windows\system32\dfshim.dll
2009-05-27 19:49 282,112 a------- c:\windows\system32\mscoree.dll
2009-05-27 19:49 41,984 a------- c:\windows\system32\netfxperf.dll
2009-05-27 19:49 158,720 a------- c:\windows\system32\mscorier.dll
2009-05-27 19:49 83,968 a------- c:\windows\system32\mscories.dll
2009-05-25 10:39 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-24 19:54 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-24 19:45 <DIR> -cd-h--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-24 19:45 <DIR> -cd-h--- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-24 17:29 <DIR> --d----- c:\program files\Trend Micro
2009-05-24 02:12 25 a------- c:\windows\cdplayer.ini
2009-05-24 00:34 <DIR> --d----- c:\windows\Profiles
2009-05-24 00:14 <DIR> --d----- c:\program files\freestar
2009-05-24 00:08 36 ----h--- c:\windows\system32\swk.ini
2009-05-17 00:30 524,288 a--sh--- C:\ntuser.dat{f949950a-42a4-11de-b8c3-001a925d1cd0}.TMContainer00000000000000000002.regtrans-ms
2009-05-17 00:30 524,288 a--sh--- C:\ntuser.dat{f949950a-42a4-11de-b8c3-001a925d1cd0}.TMContainer00000000000000000001.regtrans-ms
2009-05-17 00:30 65,536 a--sh--- C:\ntuser.dat{f949950a-42a4-11de-b8c3-001a925d1cd0}.TM.blf
2009-05-17 00:30 5,120 a---h--- C:\ntuser.dat.LOG1
2009-05-17 00:30 0 a---h--- C:\ntuser.dat.LOG2
2009-05-17 00:30 262,144 a------- C:\ntuser.dat

==================== Find3M ====================

2009-03-16 20:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 20:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 20:38 24,064 a------- c:\windows\system32\amxread.dll
2008-09-24 17:00 174 a--sh--- c:\program files\desktop.ini
2008-09-24 16:58 86,016 a------- c:\windows\inf\infstrng.dat
2008-09-24 16:58 86,016 a------- c:\windows\inf\infstor.dat
2008-09-24 16:58 51,200 a------- c:\windows\inf\infpub.dat
2008-09-24 00:29 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-07 23:12 17,408 a------- C:\psapi.dll
2007-01-25 03:52 65,536 a------- c:\program files\common files\NMSAccessU.exe
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-09-27 12:27 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2007-09-27 12:27 32,768 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2007-09-27 12:27 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 17:52:01.99 ===============


#4 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:55 PM

Posted 08 June 2009 - 09:54 PM

Hello Cathay, and :) to the Bleeping Computer Malware Removal Forum. My nick is Net_Surfer and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Sorry about the delay, but the amount of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to.


Please note that whatever repairs we make, are for fixing "your computer problems only" and by no means should be used on another computer.


You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown Here.

-----------------------------------------------------------

Please be patient and I'd be grateful if you would note the following:

The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

1. Please reply using the AddReply button in the lower right hand corner of your screen. Do not start a new topic.
2. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
3. All of my posts need to be checked by my coach, so please be patient while I attempt to remove your malware.
4. Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime Please, Do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Kind regards
Net_Surfer

:thumbup2:

#5 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:55 PM

Posted 10 June 2009 - 02:57 AM

Hello Cathay. :)

Before we start fixing anything you should write/print out these instructions or copy/paste them to a NotePad file.

If you cannot download and run the following tools, then I would like you to try another approach.

If you have the use of another computer please either use a Flash Drive or a CD to download the following and transfer them for use on the infected machine.
Be sure you put them on the desktop of the infected computer.

-----------------------------------------------------------


OK, Cathay, please observe these rules while we work:
  • Please Read All Instructions Carefully
  • Perform all actions in the order given.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Do not attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.
  • In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please continue to review my answers until I tell you that your machine is clean and free of malware. (Remember: absence of symptoms does not mean that everything is clear. Just because you can't see a problem doesn't mean it isn't there.)

If you can do these things, everything should go smoothly. :thumbup2:

-----------------------------------------------------------

Step #1.

Firstly, we need to disable Spybot's TeaTimer and Windows Defender, which can interfere with the fixes.

TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click the button shown in the (missing) screenshot and then on "Advanced Mode"
  • You may be presented with a warning dialog. If so, press the button shown in the (missing) screenshot
  • Click on the item shown in the (missing) screenshot
  • Click on the item shown in the (missing) screenshot
  • Uncheck the checkbox shown in the (missing) screenshot
  • Close/Exit Spybot Search and Destroy
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

-----------------------------------------------------------

Please disable Windows Defender's real-time protection as it will interfere with the fix. You can re-enable it when we have finished the cleanup.
  • Open Windows Defender
  • Click on "Tools"
  • Click on "General Settings"
  • Scroll down to "Real-time protection options"
  • Uncheck "Turn on Real-time protection (recommended)"
  • Click "Save"
Step #2.

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause "false alarms" in other anti-virus products. It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove Programs in the Control Panel and remove either Norton or avast! Antivirus.

If your Norton antivirus is not an active paid subscription and you need to get rid of it, please do the following:

From Add/Remove Programs, uninstall anything related to Norton/Symantec products.

Then...


Download and run the Norton Removal Tool

Even after removing Symantec products, there are a number of leftovers remaining.

Please follow the instructions to remove a failed installation, leftovers or a damaged Norton product:
Symantec removal here

Warning : The Norton Removal Tool uninstalls all Norton 2009/2008/2007/2006/2005/2004/2003 products, Norton 360 and Norton SystemWorks 12.0 from your computer. If you use ACT! or WinFAX, back up those databases before you proceed.

If you have uninstalled all of your old antivirus, then...

For a free anti-virus please follow these instructions:
Click on this link: AVG
  • Underneath AVG Anti-Virus Free click on Download
  • Click on AVG 8.5 Free for Windows
  • Click on Download
  • A window will open. Click on Save File
  • A window will open. Click on Next
  • Click on Accept
  • Make sure standard install is checked and click Next
  • You can enter your name and click Next
  • Click Finish. After the install is complete click OK
  • Follow the prompts to update and check for viruses
Some more links to free anti-virus programs (Note: choose only one)

Avira

Avast(Mouse over Free Software in the upper right corner)

Here are some free firewalls: *PC Tools Firewall Plus or ZoneAlarm
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here
Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

*If you choose the PC Tools Firewall Plus and you are asked to install ThreatFire do not do so.

Step #3.

Please note: You may have to disable any script protection running before the scan. Disable all antivirus protection, run the scan, then enable your A/V and reconnect to the internet. Information on A/V control HERE

Please temporarily disable your anti-spyware programs during the following steps.
If you are unsure how to do this, please read this guide. You can enable them again before you connect back to the internet.
Your anti-spyware program is: TeaTimer from Spybot S&D

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
Step #4.

We need to see more information about what is happening in your machine. Please perform the following scan:

Run random's system information tool (RSIT)

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Please note that it is important that RSIT be run and a log created while in normal mode. If you run it and create your log while in safe mode, you will be asked to redo it again properly.
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open.
Please post the contents of both here in your next reply.

log.txt (<<--- will be maximized) and info.txt (<<--- will be minimized)
Summary of the things I advise and the logs I will need in your next reply:
  • Ensure that you have uninstalled all of your antivirus programs and just keep ONE.
  • The report log of MBAM
  • The two logs of RSIT.
And a description of any remaining problems in your next post.

How is your computer running now?


Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks.
Kind regards
Net_Surfer

:)

#6 cathay

cathay
  • Topic Starter

  • Members
  • 19 posts

Posted 10 June 2009 - 11:50 PM

Hi Net_Surfer,

I was trying to follow all the instruction but I got to Step 3 and...

I downloaded the MBAM and saved it onto my desktop but when I tried installing it, it reads "Internal Error: Failed to expand shell folder constant "userappdata"". Like I said in my original post, when I tried installing other programs, this error message comes up and would not allow me to install.

I even went into the folder, unhid the folder to show this userappdata folder. Went into the folder's properties and it is "Read-only". I unchecked this and it goes through the process of trying to unlock all the sub-folders but when it is done, it still reads "Read-only". I am the administrator user on the machine but it does not seem to make a difference.

I have never had this problem in the past.

Please help.

#7 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male

Posted 11 June 2009 - 04:01 PM

Hi Net_Surfer,

I was trying to follow all the instruction but I got to Step 3 and...

I downloaded the MBAM and saved it onto my desktop but when I tried installing it, it reads "Internal Error: Failed to expand shell folder constant "userappdata"". Like I said in my original post, when I tried installing other programs, this error message comes up and would not allow me to install.

I even went into the folder, unhid the folder to show this userappdata folder. Went into the folder's properties and it is "Read-only". I unchecked this and it goes through the process of trying to unlock all the sub-folders but when it is done, it still reads "Read-only". I am the administrator user on the machine but it does not seem to make a difference.

I have never had this problem in the past.

Please help.

Hi Cathay, :cool:

You have posted the same issue in another forum, so I would like you to close that topic at ComputerHope.com by sending a PM to a moderator of that site telling them that you are being helped here at Bleeping Computer.
The reason for that is that you will be taking the time of another volunteer helper; we help in various forums, and it takes the time of another helper researching and analyzing your logs when they could be helping somebody else in need of help. :thumbup2:

Here is the Link to your other topic:
http://www.computerhope.com/forum/index.ph...ic,84199.0.html

-----------------------------------------------------------

Now back to your fix. :)

The only "solution" that has come anywhere near helping anyone is the following for the related Error 1606. Follow these steps to change your registry settings: (Of course, you should back up the registry before making any changes)


Step #1.
Backup Your Registry with ERUNT

Install ERUNT
(This tool will create a complete backup of your registry to ensure we have a safety net If something goes wrong. Do not delete the backup until we are finished).
  • Please download erunt-setup.exe to your desktop.
    IMPORTANT: if your PC is running Vista, right-click and select Run As Administrator
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program HERE

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Altering system files; & or modifying the registry can be risky and BleepingComputer.com and its members cannot accept liability for any adverse effects caused by following advice freely given on this site.

Step #2.

Click on “Start-Run”, type “regedit” (without the quotes)
Navigate to this registry path:
HKEY_CURRENT_USER --> Software --> Microsoft --> Windows --> Current Version --> Explorer --> User Shell Folders
Clear the key: Recent (right mouse click on the key/folder, choose “Delete”)
Close the Registry Editor and restart the computer.

If this fails to correct your problem, the question is - how long has this been a problem? If it has just recently surfaced, you might try a System Restore to a point in time before the problem started.

Step #3.

The System Restore tool

If the issue that you are experiencing started occurring recently, you can use the System Restore tool. By using this tool, you can restore the computer to an earlier point in time. Using the System Restore tool may not necessarily help you determine the issue. When you use System Restore to restore the computer to a previous state, programs and updates that you installed are removed.

To restore the operating system to an earlier point in time, please do the following:

1. Click Start, type system restore in the Start Search box, and then click System Restore in the Programs list. If you are prompted for an administrator password or confirmation, type your password or click Continue.

2. In the System Restore dialog box, click Choose a different restore point, and then click Next.

3. In the list of restore points, click a restore point that was created before you began to experience the issue, and then click Next.

4. Click Finish.

The computer restarts, and the system files and settings are returned to the state that they were in at the time that the restore point was created.


Let us know how this works and if you need more help. If it does work, then do the steps that I gave you in my earlier post.


Summary of the things I advise you in my earlier post and the logs I will need in your next reply:
  • Ensure that you have uninstalled all of your antivirus programs and just keep ONE.
  • The report log of MBAM
  • The two logs of RSIT.
And a description of any remaining problems in your next post.

How is your computer running now?


Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks.
Kind regards
Net_Surfer

:)

#8 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male

Posted 14 June 2009 - 12:52 AM

:) Bump :)
Hello Cathay. :)
:cool: :)
Are you still there???
:thumbup2:

If you are please follow the instructions in my previous post.

Please continue to review my answers until I tell you your machine appears to be clear. Remember absence of symptoms does not mean that everything is clear.


If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Unfortunately, if I do not hear back from you within 2 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread.


Kind regards
Net_Surfer

:)

#9 cathay

cathay
  • Topic Starter

  • Members
  • 19 posts

Posted 15 June 2009 - 12:25 AM

Net_Surfer,

I added a reply on the same day you gave me the instructions. Please review.

I cannot install MBAM as my "userappdata" folder is "Read-only". I've tried to make it not be but it doesn't seem to work.

Cathay

#10 cathay

cathay
  • Topic Starter

  • Members
  • 19 posts

Posted 15 June 2009 - 12:26 AM

Net_Surfer,

The reply is on top of the instructions you gave me. I am not sure why this happened.

Cathay

#11 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male

Posted 15 June 2009 - 03:09 AM

Net_Surfer,

The reply is on top of the instructions you gave me. I am not sure why this happened.

Cathay

Hi Cathay,

Yes, I understand that you can not run MBAM; that's why I gave you the other set of instructions in STEP ONE: download and install ERUNT so we can back up your registry, and fix the error message that you are getting by following STEP TWO:

Step #2.

Click on “Start-Run”, type “regedit” (without the quotes)
Navigate to this registry path:
HKEY_CURRENT_USER --> Software --> Microsoft --> Windows --> Current Version --> Explorer --> User Shell Folders
Clear the key: Recent (right mouse click on the key/folder, choose “Delete”)
Close the Registry Editor and restart the computer.

If this fails to correct your problem, the question is - how long has this been a problem? If it has just recently surfaced, you might try a System Restore to a point in time before the problem started.


Then I said that if that won't work, to try and roll back by using SYSTEM RESTORE.

Now please go back to my reply so you can read and follow those steps, one and two; if that won't work then do step three: system restore. If everything went fine, you can now do the rest of the steps by running MBAM and RSIT and post the logs.

If you can not download ERUNT or work in that registry key, then please let me know.

Kind Regards
Net_Surfer

#12 cathay

cathay
  • Topic Starter

  • Members
  • 19 posts

Posted 16 June 2009 - 11:00 PM

Hi...

I ran the ERUNT to backup the registry and checked the HKEY_CURRENT_USER --> Software --> Microsoft --> Windows --> Current Version --> Explorer -User Shell Folders and looked for "Recent", there wasn't such an entry. There is "Printhood", "Programs", then it goes to "SendTo" with no "Recent" in between.

I also checked the system restore log and the earliest one I can use is dated June 2 which by then I already had this problem. I did not do a system restore since I thought it would not change the settings anyhow.

I tried running MBAM and it still gives me the same error message, even when I "Run as Administrator".

Cathay... :thumbup2:

#13 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male

Posted 17 June 2009 - 12:07 PM

Hello Cathay.

Are you the Administrator of the machine? :thumbup2:

Do you have permissions to the "userappdata" folder?


Let's make sure you have permissions to that folder. In order to do the following steps you MUST be the Administrator of the machine.

Since the "Appdata" folder is a hidden folder, you have to set it to show. Below are the instructions for showing hidden folders:


1. Open Folder Options by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
2. Click the View tab.
3. Under Advanced settings, click Show hidden files and folders, and then click OK.

Now let's make sure you have the correct permissions to the folder.

Changing Folder Permissions:

1. Right-click on the folder you wish to change permissions on.
2. Select “Properties”.
3. In the Properties window go to the Security tab and click on Edit.
4. If your user account is not on the list of users or groups that have permissions defined, you should click on Add. Now you need to type the user name or the group of users for which you want to change the permissions.
5. After adding your account, click Check Names and then click OK.
6. In the Security window, select the user/group you just added and then click the first check box under Allow, which is “Full Control”, and then click OK.

*************************************



The following instructions will more than likely solve the IE problem:

Please, Go to Control Panel --> Internet Options --> then Click on Advanced--> then at the bottom of that page choose: the reset option.

After that close IE then start IE again.

This should fix the issue

Please let us know if you need further assistance.

Kind regards
Net_Surfer
:)

#14 cathay

cathay
  • Topic Starter

  • Members
  • 19 posts

Posted 18 June 2009 - 10:53 PM

Hi

I had done what you had suggested before you provided your suggestions and I even went as far as changing the "userappdata" folder property and un-clicked the "Read-Only" box (which is not a checked box but rather a blue filled-in box) and it went through the motions of going through all the files within the folder to change the "read-only" attribute. Unfortunately when it is done, the folder is still "Read-Only".

I am the Administrator of the machine under User Account attributes and I have full permission to this "userappdata" folder but I cannot make it not "Read-only" as the system would not allow me to make this change. I am not sure why this is as I've never had this problem until I left the machine idle for about a month and when I started using it again, this problem has popped up.

Also, the registry is Hkey_Current_User_...\User Shell Folder\

Name - Appdata
Type - REG_EXPAND_SZ
Data - %APPDATA%

But there is a strange entry in this folder

Name - 374DE290-123F-4565-9164-39C4925E467B
Type - REG_EXPAND_SZ
Data - %USERPROFILE%\downloads

Not sure if this has anything to do with the problems. Thanks for your help in advance.

Cathay
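The registry step earlier in this thread (Step #2, the User Shell Folders key) and the values Cathay lists above both concern the same key, so here is an added diagnostic for it. This is my own example, not code from the thread or from any of its participants; it assumes Windows PowerShell is available. The key path and the Downloads folder GUID are real, while the list of value names an installer needs is my own assumption.

```powershell
# Added example (not from the thread): list every value under the per-user
# "User Shell Folders" key, expand it, and check that it resolves to an
# existing directory. An installer that fails on "userappdata" is asking
# the shell for the AppData entry of this key.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Assumed set of entries an installer commonly needs; AppData is the one
# behind the "userappdata" error. On Vista its default data is
# %USERPROFILE%\AppData\Roaming.
$mustExist = @('AppData', 'Local AppData', 'Desktop', 'Personal')

# GUID-named entries are known folders written by Vista itself; this one is
# the user's Downloads folder, so its presence is expected, not suspicious.
$knownGuids = @{ '{374DE290-123F-4565-9164-39C4925E467B}' = 'Downloads' }

function Test-UserShellFolders {
    $item   = Get-Item -LiteralPath $key
    $names  = $item.GetValueNames()
    $report = @()
    foreach ($name in $names) {
        $kind = $item.GetValueKind($name)
        # Read the stored string WITHOUT expansion so we see e.g. %APPDATA%
        # rather than its current value.
        $raw  = $item.GetValue($name, $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $path = [Environment]::ExpandEnvironmentVariables([string]$raw)
        # A healthy entry is REG_EXPAND_SZ and resolves to a real directory.
        $ok   = ($kind -eq 'ExpandString') -and
                (Test-Path -LiteralPath $path -PathType Container)
        $label = if ($knownGuids.ContainsKey($name)) {
                     "$name (known folder: $($knownGuids[$name]))" } else { $name }
        $report += [pscustomobject]@{
            Name = $label; Type = $kind; Stored = $raw; Expanded = $path; Ok = $ok }
    }
    # Report required entries that are absent from the key altogether.
    foreach ($n in $mustExist) {
        if ($names -notcontains $n) {
            $report += [pscustomobject]@{
                Name = $n; Type = 'MISSING'; Stored = ''; Expanded = ''; Ok = $false }
        }
    }
    return $report
}

Test-UserShellFolders | Format-Table -AutoSize
```

Any row with Ok = False, or an AppData row whose Stored column does not resolve to a directory that exists, is where the installer's lookup is breaking; compare it with the ERUNT backup taken before any edit.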

#15 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male

Posted 19 June 2009 - 03:05 PM

Hi Cathay,

Please go to the Vista Forum; they will help you there with that issue.

Then, when that issue is clear, come back here so we can help you with the malware problems.

Sorry about that.

Best regards.

Net_Surfer
