
Removed Security Essent 2010, still have issues


This topic is locked
4 replies to this topic

#1 CorbTX


Posted 09 March 2010 - 01:34 AM

Hi,
I am running Win XP on an eMachines T5026 with 3 login accounts. Acct #1 is the primary acct (Owner) that we use for day to day. All 3 accounts have administrator rights. Accts 2 & 3 were set up when we bought the computer, but never used.

I was infected with Security Essentials 2010. I had Earthlink Protection Control Center installed (2 weeks prior) and actively running at the time. After infection nothing would appear on the screen when I booted other than the SE 2010 screens. I'm not sure if this makes sense, but the virus infected two of the logins (Accts 1 & 2) and I could not access anything, but it did not infect the third (I made sure to touch NOTHING when I logged in to that account that was internet or virus program related other than what I was loading off my USB drive to fix the issue per BC instructions). I used the third login to access my computer to perform all cleaning procedures.

Before I found BC, I was trying to figure out what to do. Before touching anything we went and bought an external backup hard drive and loaded all personal files onto it. I then downloaded Microsoft Security Essentials onto a flash drive using a laptop that we have. I loaded MSE and ran it. It found two trojans and I deleted them. I logged back into the primary acct #1 and it was still infected and I couldn't access anything. I researched more (from the laptop) and found BC. I followed all instructions for "Removing Security Essentials 2010 Uninstall Guide" listed on the BC website. When I looked at the log of items removed from the Mal program I didn't see the TDSS thing, so I ran the TDSSKiller program per the "Remove TDSS rootkit using TDSSKiller" instructions. It found nothing 0/0/0.

I then rebooted the system. When it came back up and I logged into Acct #3, I noticed that the Windows Update icon was loaded. I usually update any time it shows up and tells me there's an update. But it dawned on me that I hadn't seen the icon in a while. So when I selected it, it stated that I had 20 updates to install. I wondered if there was something blocking it. So I installed the updates thinking that would help with my security issue as well. I was not required to reboot.

I logged off. I logged in as my primary Acct #1, and everything appeared to load at first glance. I was excited. But then I noticed that my task bar only loaded 4 things - I knew something was wrong because around 15 things normally seem to load and I manually close most of them. I opened my start menu and selected Internet Explorer. I received the error message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Then the "Open File with what program" box opens. I went to the C drive and went to the program folder and clicked the actual .exe file for Internet Explorer and received the same error. I tried multiple programs (MS Word, Earthlink Protection Control Center, etc.); all gave the same error. I logged out of Acct #1 and logged into Acct #3 (note that I never "switched user" but completely logged out of each account). When I selected Explorer from the start menu, it acted differently: it opened the "Which program do you want to open this file with" box first. When I selected close, a different error appeared: "The item you selected is unavailable. It might have been moved, renamed, or removed. Do you want to remove it from the list?". BUT if I go to the C drive and program files and open the .exe file directly (in acct #3) the program opens.
Thanks for anyone's thoughts on these.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Transfer at 23:40:44.21 on Mon 03/08/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2550.1865 [GMT -6:00]

AV: Protection Control Center *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Protection Control Center *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\avp.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\lxdecoms.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdxserv.exe
C:\WINDOWS\system32\lxdxcoms.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Secure Online Account Numbers\SOAN.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Lexmark 4800 Series\lxdemon.exe
C:\Program Files\Lexmark 4800 Series\lxdeamon.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\avp.exe
C:\Program Files\Carbonite\CarbonitePreinstaller.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxMsdMon.exe
C:\Program Files\Palm\Hotsync.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Transfer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.emachines.com/
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DeskshopBrowserHelper Class: {8db3d69d-da5e-4165-b781-72a761790672} - c:\windows\system32\BhoDshop.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\program files\mybabylon_english\tbmyB1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Nick Aracde Toolbar: {4e7bd74f-2b8d-469e-9eb4-fe6fa694b13e} -
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: myBabylon English Toolbar: {b2e293ee-fd7e-4c71-a714-5f4750d8d7b7} - c:\program files\mybabylon_english\tbmyB1.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Weather] c:\progra~1\aws\weathe~1\Weather.exe 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ShowWnd] ShowWnd.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [LXSUPMON] c:\windows\system32\LXSUPMON.EXE RUN
mRun: [AlcFDMonitor] c:\windows\ALCFDRTM.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [_AntiSpyware] c:\progra~1\mcafee\mcafee~1\MssCli.exe
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SecureOnlineAccountNumbers] c:\program files\secure online account numbers\SOAN.exe /dontopenmycards
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [HP SchedIndexer] c:\program files\hewlett-packard\laserjet 33xx\hppschedindexer.exe
mRun: [HP AutoIndexer] c:\program files\hewlett-packard\laserjet 33xx\hppautoindexer.exe
mRun: [D-Link AirPlus Xtreme G] c:\program files\d-link\airplus xtreme g\AirPlusCFG.exe
mRun: [ANIWZCSService] c:\program files\alpha networks\aniwzcs service\WZCSLDR.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [lxdemon.exe] "c:\program files\lexmark 4800 series\lxdemon.exe"
mRun: [lxdeamon] "c:\program files\lexmark 4800 series\lxdeamon.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [lxdxmon.exe] "c:\program files\lexmark 3600-4600 series\lxdxmon.exe"
mRun: [lxdxamon] "c:\program files\lexmark 3600-4600 series\lxdxamon.exe"
mRun: [AVP] "c:\program files\earthlink\earthlink protection control center\avp.exe"
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\transfer\startm~1\programs\startup\seagat~1.lnk - c:\documents and settings\transfer\application data\leadertech\powerregister\Seagate 2GEXXWN4 Product Registration.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\creati~1.lnk - c:\program files\scrapbook designer\scrapremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
uPolicies-explorer: NoNetworkConnections = 01000000
mPolicies-system: EnableLUA = 0 (0x0)
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - c:\program files\secure online account numbers\SOAN.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\earthlink\earthlink protection control center\SCIEPlgn.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/f/0/2/f02b515c-7076-4cee-bc08-fd6fea594578/VirtualEarth3D.cab
DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bestbuy.mvm.com/Core/Player/2020PlayerAX_Win32.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} - hxxp://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} - hxxps://ediagnostics.lexmark.com/serval.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://fellowshiptech.webex.com/client/T25L/nbr/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\program files\cozi express\CoziProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\earthl~1\earthl~1\adialhk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: McAfee AntiSpyware Shell Extension: {f2a0229a-c4ca-4789-b606-973d24dcdd1c} - c:\progra~1\mcafee\mcafee antispyware\mssshell.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-4-16 112144]
R1 Asapi;ASAPI;c:\windows\system32\drivers\asapi.sys [2005-3-3 11264]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-12-28 195344]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 AVP;EarthLink Protection Control Center;c:\program files\earthlink\earthlink protection control center\avp.exe [2009-1-22 244240]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
R2 lxde_device;lxde_device;c:\windows\system32\lxdecoms.exe -service --> c:\windows\system32\lxdecoms.exe -service [?]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [2009-5-29 98984]
R2 McAfeeAntiSpyware;McAfee AntiSpyware Real-Time Scanner;c:\progra~1\mcafee\mcafee~1\MssSrv.exe [2005-2-10 147554]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-12-13 24592]
S1 cdrdrv;cdrdrv; [x]
S1 vobcom;vobcom; [x]
S1 vobiw;vobiw; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-6 135664]
S2 lxdeCATSCustConnectService;lxdeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdeserv.exe [2009-1-30 99248]
S2 TinaKey;TinaKey; [x]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-10-9 344800]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2004-11-16 249856]

=============== Created Last 30 ================

2010-03-09 04:28:58 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-03-09 02:23:53 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-03-09 02:23:53 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-03-09 02:15:34 0 d-----w- c:\docume~1\transfer\applic~1\Malwarebytes
2010-03-09 02:15:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-09 02:15:29 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-09 02:15:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-09 02:15:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-08 02:52:31 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-03-08 02:49:33 0 d-----w- c:\program files\Microsoft Security Essentials
2010-03-07 21:17:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Seagate
2010-03-07 21:16:48 0 d-sh--w- c:\windows\ftpcache
2010-03-07 21:16:48 0 d-----w- c:\program files\Carbonite
2010-03-07 21:15:03 0 d-----w- c:\program files\Seagate
2010-03-07 21:15:02 0 d-----w- c:\program files\common files\muvee Technologies
2010-03-07 03:59:55 0 d-sh--w- c:\documents and settings\transfer\PrivacIE
2010-03-07 03:52:59 0 d-----w- c:\docume~1\transfer\applic~1\FaxCtr
2010-03-07 03:51:09 0 d-sh--w- c:\documents and settings\transfer\IETldCache
2010-02-26 21:13:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-02-26 21:11:49 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-02-26 21:11:49 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-02-26 21:11:06 60960 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-02-26 21:11:06 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-02-26 21:11:06 19880 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-02-26 21:11:06 190752 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-02-26 20:55:53 0 d-----w- c:\docume~1\alluse~1\applic~1\EarthLink Setup Files
2010-02-26 20:55:52 0 d-----w- c:\docume~1\alluse~1\applic~1\EarthLink
2010-02-21 02:33:51 0 d-----w- c:\windows\system32\Adobe

==================== Find3M ====================

2010-01-13 22:34:08 934704 ----a-w- c:\windows\system32\CoziScreensaver.scr
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2005-10-17 20:18:34 774144 ----a-w- c:\program files\RngInterstitial.dll
2005-10-11 00:19:26 0 --sha-w- c:\windows\sminst\HPCD.sys
2009-09-18 15:15:36 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-10-12 17:34:03 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009101220091013\index.dat

============= FINISH: 23:41:59.54 ===============

I wanted to mention that Norton and McAfee are installed from when I bought the computer, but I don't use them.

Merged posts. ~ OB

Edited by Orange Blossom, 09 March 2010 - 10:05 PM.
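A small triage script for DDS "Pseudo HJT Report" lines like those in the log above, added here as an example; it is not part of the original post and not code from the DDS tool. It takes lines excerpted from the posted log and flags the entries a responder would look at first (on-access scanning disabled on both AV products, two AV products installed side by side, an orphaned BHO, policy entries, AppInit_DLLs and Winlogon Notify entries). The severity and category labels are the script's own choices, not DDS terminology.

```python
import re
from dataclasses import dataclass

# Lines excerpted verbatim from the DDS log posted above (not constructed).
SAMPLE_DDS = r"""
AV: Protection Control Center *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Protection Control Center *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
uPolicies-explorer: NoNetworkConnections = 01000000
mPolicies-system: EnableLUA = 0 (0x0)
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\earthl~1\earthl~1\adialhk.dll
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info" (this script's own scale)
    category: str   # label chosen by this script, not DDS terminology
    detail: str


# Line shapes of the DDS "Pseudo HJT Report" section.
PROTECTION_RE = re.compile(r"^(?P<kind>AV|AS|FW): (?P<name>.+?) \*(?P<state>[^*]+)\*")
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.+?): )?\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
POLICY_RE = re.compile(r"^(?P<hive>[um])Policies-(?P<area>\w+): (?P<key>\w+) = (?P<value>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.+)$")
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<dll>.+)$")


def parse_dds(text):
    """Return the findings a responder would triage first, in log order."""
    findings = []
    av_products = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROTECTION_RE.match(line)
        if m:
            if m.group("kind") == "AV":
                av_products.append(m.group("name"))
            if "disabled" in m.group("state").lower():
                findings.append(Finding("high", "protection_disabled",
                                        f"{m.group('kind')} {m.group('name')}: {m.group('state')}"))
            continue
        m = BHO_RE.match(line)
        if m:
            if m.group("path").strip().lower() == "no file":
                # Registered CLSID whose DLL is gone: usually a leftover of a removal.
                findings.append(Finding("info", "orphaned_bho", m.group("clsid")))
            continue
        m = POLICY_RE.match(line)
        if m:
            hive = "user" if m.group("hive") == "u" else "machine"
            findings.append(Finding("medium", "policy_restriction",
                                    f"{hive} {m.group('area')} {m.group('key')} = {m.group('value')}"))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs are loaded into every process that links user32.dll.
            findings.append(Finding("medium", "appinit_dll", m.group("dlls")))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            # Winlogon notification packages run at logon/logoff inside winlogon.
            findings.append(Finding("info", "winlogon_notify",
                                    f"{m.group('name')} -> {m.group('dll')}"))
    if len(av_products) > 1:
        # Two real-time scanners on one box tend to conflict with each other.
        findings.append(Finding("medium", "multiple_av", ", ".join(av_products)))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 4, 'info': 2}."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = parse_dds(SAMPLE_DDS)
    for f in results:
        print(f"[{f.severity:6}] {f.category:20} {f.detail}")
    print(summarize(results))
```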


#2 schrauber

  • Malware Response Team

Posted 12 March 2010 - 01:55 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 CorbTX

  • Topic Starter

Posted 12 March 2010 - 02:42 PM

Hi Schrauber,
Thank you for your reply. I would love to get your help. I did actually get my .exe issue resolved and I'll detail how I did that. But I am still having issues that I would love for you to help with. I am actually going out of town until Monday and am leaving in 1 hour. So I do not have time to run the programs and detail it out yet. When I get back in town I will detail it out and run the programs. Thank you so much! Since there will be a time delay on my post, who should I PM to let them know that I am back and able to work through this?
Lark

#4 schrauber


Posted 13 March 2010 - 03:38 AM

Hi,

No problem, this topic will stay open for the next 5 days. Just answer here. If this one should get closed, just send me a PM.
regards,
schrauber


#5 schrauber


Posted 18 March 2010 - 02:47 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber
