Not sure what to do

#1 Bmaru


Posted 06 February 2012 - 11:49 PM

Attached File: attach-help.zip (207.57KB, 2 downloads)

Please help! My desktop PC (Acer) and MSI laptop - both 64-bit running Windows 7 - are messed up. I am mainly asking for help on the desktop because I pretty much destroyed the OS on the laptop trying to destroy whatever it is that was replicating on it last night. Both have been exposed to external drives that could be the source... I don't know what exactly is happening, if it is malware, a virus, a computer issue, maybe even botnet related, as I have been having ongoing issues for several years with my home network. I need to know how to verify all my external and flash drives that contain homework and backups. I have attached my firewall log - please advise. I have strange things happening with folders\icons flickering, appearing, disappearing more than normal. The memory usage has shot up noticeably. I checked disk defrag and it said 1%, runs weekly. Shortcuts are appearing where they weren't before. There is an additional user listed in the Users folder (I attached a screen print.) The temp folders seem messed up (see attached.) I haven't had a chance to look into programs that defrag pagefiles as I am already way behind in school now because of this mess.

My Acronis True Image backups are all corrupt - at least the bulk of them - I found that out when I messed up my laptop trying to delete whatever replicator it is... When I saw it briefly in the emergency disk I think the repeating file had the word Bear in it... but I was so overtired at that point. (yeah I know - I should know better.) I think McAfee Total Protection is corrupted because on my laptop it tells me it is not up to date, but doesn't on the other. Previously, I had run Stinger from McAfee and nothing came up, but now after some of the weird file movements I have seen, I don't know if any antivirus is\was working. My subscription online says it expires all the time when it shouldn't until 2013. I use Adobe CS5 for school and I have had a lot of issues with it and probably do need to reinstall when I have a chance.... I think the services I have running are excessive, but I am afraid to download anything else at this point to inspect my start-up items without advice. I think it has something to do with MS VB 9. I have seen msdownld.tmp appearing on both machines. MS VB 9 showed up on both machines and unless it came with SQL, I did not download it, and even then it shouldn't have been on both... The restore points show double the amount of installs\reinstalls of Stuffit and VB9... Also, I do need to reinstall SQL Express for homework as soon as I can...

The desktop had SQL Server Express 2008 which I uninstalled to try and reinstall the 64-bit, which is now gone since the system restore I attempted, which said it wasn't successful in safe mode, but said it was when I restarted. Note: I attempted the restore hoping whatever caused this would be reversed - I feel like an idiot for sure. A very similar situation happened to me a couple of years ago with two different home computers on my network where doing factory restores did not resolve the problem - (could it be a backdoor trojan that was missed and is now reinfecting??) The part that upset me even more was I noticed the same thing last night that happened in the past... I missed a right click and it opened up the "New Network Connection" box which had the letter Z filled in and the check box checked, with no ability to uncheck it. This freaks me out because I had an identity theft scare with email changes on credit cards the last time this happened. I still don't use wireless because of it, but if there is an internal network connection caused by a weakening of my OS - I don't know what to do...

I tried running the Bitdefender Backdoor Remover application on the laptop last night, but I am not sure if it worked correctly since it was done in a millisecond - I have not tried it on the desktop. Also on the laptop: I could not uninstall McAfee... Revo Uninstaller would not remain open for me either... I have an image to restore that laptop - I destroyed the original OS trying to ruin whatever was attacking it...., but the backup, as I noted, is corrupt.... I am fine getting a new OS if needed, but I want to avoid these issues from occurring again. My desktop is what I really need help with now but I am afraid to do anything now... it won't allow me to switch the firewall from McAfee to Windows. If I can fix it then run a valid backup, I am not as concerned about finding out where to get all my other backups fixed - The last time this happened I wasn't so prepared with backups, now I am and they are all infected! My bad for not validating each and every one - Side question: I know some backups did validate in the past, so do backup validations check for such things? Also, I realize there is a good possibility I will need someone locally to look at this. I am sorry for giving too much info or rambling and appreciate any help or advice I can get. Also, I stopped the Acronis Services from running before the below report was run. Thanks.

**I forgot to mention in the original post: Adobe Illustrator CS5: It gives me a message saying my registry has an error in it upon opening and asks if I want to have it resolved. I click no, but have clicked yes in the past; it hadn't shown in a while, but does currently again. I read in an Adobe forum to ignore it because it could possibly be a malware trigger, but I don't recall the details... at that point I had already clicked yes but nothing came up on subsequent scans, so I forgot about it.


DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Jem at 20:38:13 on 2012-02-06
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3839.2201 [GMT -6:00]
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Acer\Acer Updater\UpdaterService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Program Files\McAfee\MAT\McPvTray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\McAfee\VirusScan\mcods.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
mDefault_Page_URL = hxxp://acer.msn.com
mStart Page = hxxp://acer.msn.com
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120106153554.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: {B2E293EE-FD7E-4C71-A714-5F4750D8D7B7} - No File
uRun: [AdobeBridge]
uRun: [Google Update] "C:\Users\Jem\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun: [<NO NAME>]
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer =
TCP: Interfaces\{0B47D2C2-3636-4E51-B6DA-6EEF1042FFAC} : DhcpNameServer =
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\McAfee\MSC\McSnIePl.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: ContributeBHO Class: {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO-X64: McAfee Phishing Filter - No File
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120106153554.dll
BHO-X64: scriptproxy - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
TB-X64: Contribute Toolbar: {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB-X64: {B2E293EE-FD7E-4C71-A714-5F4750D8D7B7} - No File
mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun-x64: [(Default)]
mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
================= FIREFOX ===================
FF - ProfilePath - C:\Users\Jem\AppData\Roaming\Mozilla\Firefox\Profiles\b2mjsesl.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\progra~2\mcafee\msc\npMcSnFFPl.dll
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Canon\MyCamera Download Plugin\NPCIG.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\McAfee\SiteAdvisor\NPMcFFPlg32.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\TabletPlugins\npwacom.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Jem\AppData\Local\Google\Update\\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
============= SERVICES / DRIVERS ===============
R0 fltsrv;Acronis Storage Filter Management;C:\Windows\system32\DRIVERS\fltsrv.sys --> C:\Windows\system32\DRIVERS\fltsrv.sys [?]
R0 McPvDrv;McPvDrv Driver;C:\Windows\system32\drivers\McPvDrv.sys --> C:\Windows\system32\drivers\McPvDrv.sys [?]
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R0 vididr;Acronis Virtual Disk;C:\Windows\system32\DRIVERS\vididr.sys --> C:\Windows\system32\DRIVERS\vididr.sys [?]
R0 vidsflt61;Acronis Disk Storage Filter (61);C:\Windows\system32\DRIVERS\vsflt61.sys --> C:\Windows\system32\DRIVERS\vsflt61.sys [?]
R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\system32\DRIVERS\mfenlfk.sys --> C:\Windows\system32\DRIVERS\mfenlfk.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 GREGService;GREGService;C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [2010-1-8 23584]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-10-1 249936]
R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-10-1 249936]
R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-10-1 249936]
R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-10-1 249936]
R2 McShield;McAfee McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2011-10-1 199272]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2011-10-1 208536]
R2 mfevtp;McAfee Validation Trust Protection Service;"C:\Windows\system32\mfevtps.exe" --> C:\Windows\system32\mfevtps.exe [?]
R2 TabletServiceWacom;TabletServiceWacom;C:\Windows\system32\Wacom_Tablet.exe --> C:\Windows\system32\Wacom_Tablet.exe [?]
R2 Updater Service;Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2010-8-26 243232]
R3 afcdp;afcdp;C:\Windows\system32\DRIVERS\afcdp.sys --> C:\Windows\system32\DRIVERS\afcdp.sys [?]
R3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\system32\drivers\mfefirek.sys --> C:\Windows\system32\drivers\mfefirek.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 afcdpsrv;Acronis Nonstop Backup Service;C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [2012-1-1 3450832]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 syncagentsrv;Acronis Sync Agent Service;C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe [2011-12-16 5881952]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 wacmoumonitor;Wacom Mode Helper;C:\Windows\system32\DRIVERS\wacmoumonitor.sys --> C:\Windows\system32\DRIVERS\wacmoumonitor.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
=============== Created Last 30 ================
2012-02-05 17:15:26 3006832 ----a-w- C:\Windows\System32\auto_reactivate.exe
2012-02-05 17:12:02 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-02-05 17:12:01 152432 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-02-05 17:12:00 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-02-05 17:12:00 459232 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-02-05 17:12:00 224768 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-02-05 17:12:00 1447936 ----a-w- C:\Windows\System32\lsasrv.dll
2012-02-05 14:22:02 -------- d-----w- C:\AITEMP
2012-02-05 08:23:07 -------- d-----w- C:\ProgramData\NVIDIA Corporation
2012-02-05 06:02:58 -------- d-----w- C:\Program Files (x86)\Smith Micro
2012-02-05 02:08:06 -------- d-----w- C:\Program Files (x86)\McAfee Security Scan
2012-02-05 00:54:04 -------- d-----w- C:\Users\Jem\AppData\Local\Microsoft Corporation
2012-02-05 00:52:08 -------- d-----w- C:\Program Files (x86)\Microsoft Windows 7 Upgrade Advisor
2012-02-03 00:38:51 -------- d-----w- C:\Users\Jem\.eclipse
2012-02-02 09:25:09 -------- d-----w- C:\Users\Jem\AppData\Local\Smith Micro
2012-02-02 09:25:01 -------- d-----w- C:\ProgramData\Smith Micro
2012-02-02 01:34:30 -------- d-----w- C:\Users\Jem\AppData\Roaming\AdobeSupportAdvisor.E7BED6E5DDA59983786DD72EBFA46B1598278E07.1
2012-02-02 01:34:25 -------- d-----w- C:\Program Files (x86)\Adobe Support Advisor
2012-01-25 10:33:56 -------- d-----w- C:\Users\Jem\AppData\Roaming\Autodesk
2012-01-20 11:10:13 -------- d-----w- C:\Users\Jem\AppData\Roaming\Unity
2012-01-20 10:42:04 -------- d-----w- C:\Users\Jem\AppData\Local\Unity
2012-01-20 06:51:06 -------- d-----w- C:\Program Files (x86)\stinger
2012-01-17 07:47:43 -------- d-----w- C:\Windows\System32\RsFx
2012-01-16 00:59:39 -------- d-----w- C:\Users\Jem\AppData\Roaming\Nik Software
2012-01-14 01:39:42 -------- d-----w- C:\Program Files (x86)\Microsoft Synchronization Services
2012-01-10 20:32:27 395776 ----a-w- C:\Windows\System32\webio.dll
==================== Find3M ====================
2012-01-02 03:32:14 367200 ----a-w- C:\Windows\System32\drivers\afcdp.sys
2012-01-02 03:32:08 1285216 ----a-w- C:\Windows\System32\drivers\tdrpman.sys
2012-01-02 03:32:05 986208 ----a-w- C:\Windows\System32\drivers\timntr.sys
2012-01-02 03:31:52 142944 ----a-w- C:\Windows\System32\drivers\vsflt61.sys
2012-01-02 03:31:48 310368 ----a-w- C:\Windows\System32\drivers\snapman.sys
2012-01-02 02:37:45 211040 ----a-w- C:\Windows\System32\drivers\vididr.sys
2012-01-02 02:37:39 133728 ----a-w- C:\Windows\System32\drivers\fltsrv.sys
2012-01-02 00:02:57 16200 ----a-w- C:\Windows\stinger.sys
2011-12-05 19:39:30 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-29 02:28:28 55856 ------w- C:\Windows\System32\drivers\PxHlpa64.sys
2011-11-24 04:52:09 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-11-19 14:58:00 77312 ----a-w- C:\Windows\System32\packager.dll
2011-11-19 14:01:00 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2011-11-17 06:41:18 1731920 ----a-w- C:\Windows\System32\ntdll.dll
2011-11-17 06:35:26 29184 ----a-w- C:\Windows\System32\sspisrv.dll
2011-11-17 06:35:26 136192 ----a-w- C:\Windows\System32\sspicli.dll
2011-11-17 06:35:25 28160 ----a-w- C:\Windows\System32\secur32.dll
2011-11-17 06:33:55 31232 ----a-w- C:\Windows\System32\lsass.exe
2011-11-17 05:38:39 1292080 ----a-w- C:\Windows\SysWow64\ntdll.dll
2011-11-17 05:35:02 314880 ----a-w- C:\Windows\SysWow64\webio.dll
2011-11-17 05:34:52 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2011-11-17 05:28:48 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2011-11-17 02:47:19 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
============= FINISH: 20:39:10.73 ===============

Edited by Bmaru, 07 February 2012 - 01:24 AM.

#2 m0le


  • Malware Response Team
Posted 10 February 2012 - 12:28 PM


Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
#3 Bmaru

  • Topic Starter

  • 7 posts
Posted 11 February 2012 - 06:05 PM


#4 m0le


  • Malware Response Team
Posted 11 February 2012 - 06:33 PM

We'll start with a rootkit scan

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

#5 Bmaru

  • Members
Posted 12 February 2012 - 12:45 AM

Okay, the scan finally finished. I did mess up and run it without saving to desktop, but I found the file in my temp folders and moved it to the desktop. The program asked me to load an update of avast definitions, which I did, but that kind of freaks me out because I think my other def files in temp folders are being messed with. Also, before I received your initial post, I uninstalled my McAfee Total Protection (which is a paid-for subscription) and put a BitDefender trial on to see if it would see anything... it didn't. I didn't want to uninstall\reinstall anything else without your advice, so I left it. I previously had uninstalled MS Office, because of weird stuff happening, and was waiting for the 2/14 update to reinstall. I think my network adaptor should be verified too, but I don't know how. My Programs and Features screen was hiding programs that I thought were uninstalled also - the top sort menu had a field that was almost hidden until I squished the rest of them over, right clicked on it, then checked unspecified. Apple Update, Adobe Reader X, Acrobat X, Firefox from what I remember... It looks like Acrobat and Reader are gone after trying again - I had to find the uninstall file for FF; I want to reinstall Acrobat when possible since it is paid for and used often. The only browser I have left right now is IE9 and I will wait to install anything else (been using the no-add-on version) - but I do need Firefox, Chrome or Safari to do my homework for JavaScripting. I have noticed some possibly suspicious files in my temp folders - scripting files - maybe they are fine - I don't know. One looked like it was referencing all browsers to do the same thing - even had iPhone listed on it (which I have). I saw that one several days ago... I am extremely sleep-deprived and not in a good health condition, so I apologize if my memory isn't the best.
I am crazy behind in homework because of this mess and have to try and use Flash Pro and SQL Server 2008 R2, which sucks because I don't want SQL Server on my computer anymore.

Also: BleepingComputer said this when I signed in: You were last here on Feb 12 2012, 12:01 AM . I am in CST (it was 11:00pm) and my account settings reflect that. I signed in on my phone right before, but my phone is set to CST also...

Regarding boot file - The following is denied in my program rules for firewall, because when it asked me to allow it yesterday, I didn't know what it was or where it came from:

Thank you.


aswMBR version Copyright© 2011 AVAST Software
Run date: 2012-02-11 18:49:39
18:49:39.468 OS Version: Windows x64 6.1.7601 Service Pack 1
18:49:39.468 Number of processors: 2 586 0x602
18:49:39.468 ComputerName: TRULYOUTRAGEOUS UserName: Jem
18:49:42.806 Initialize success
18:50:49.622 AVAST engine defs: 12021101
18:51:00.605 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005a
18:51:00.605 Disk 0 Vendor: Hitachi_ JP4O Size: 953869MB BusType: 3
18:51:00.620 Disk 0 MBR read successfully
18:51:00.620 Disk 0 MBR scan
18:51:00.932 Disk 0 unknown MBR code
18:51:00.964 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 18000 MB offset 2048
18:51:00.979 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 36866048
18:51:00.995 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 935766 MB offset 37070848
18:51:01.010 Service scanning
18:51:02.180 Modules scanning
18:51:02.180 Disk 0 trace - called modules:
18:51:02.227 ntoskrnl.exe fltsrv.sys tdrpman.sys CLASSPNP.SYS disk.sys vsflt61.sys ACPI.sys storport.sys hal.dll nvstor64.sys
18:51:02.243 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800428b060]
18:51:02.243 3 CLASSPNP.SYS[fffff8800163b43f] -> nt!IofCallDriver -> [0xfffffa8004288e10]
18:51:02.243 5 vsflt61.sys[fffff88000fe20fd] -> nt!IofCallDriver -> [0xfffffa80040997a0]
18:51:02.243 7 ACPI.sys[fffff88000f317a1] -> nt!IofCallDriver -> \Device\0000005a[0xfffffa8004099060]
18:51:05.519 AVAST engine scan C:\Windows
18:51:11.338 AVAST engine scan C:\Windows\system32
18:55:46.350 AVAST engine scan C:\Windows\system32\drivers
18:56:20.654 AVAST engine scan C:\Users\Jem
22:55:03.946 AVAST engine scan C:\ProgramData
23:01:41.010 Scan finished successfully
23:03:42.893 Disk 0 MBR has been saved successfully to "C:\Users\Jem\Desktop\MBR.dat"
23:03:42.924 The log file has been saved successfully to "C:\Users\Jem\Desktop\aswMBR_.txt"

#6 Bmaru

  • Members
Posted 12 February 2012 - 12:48 AM

Just noticed this too: My CD\DVD drive is showing disabled - it wasn't like that yesterday....

#7 Bmaru

  • Members
Posted 12 February 2012 - 02:11 AM

Something is really wrong. I redownloaded to my desktop correctly and when I started the scan again it was showing filenames in Windows folders when it had not before... then I watched a file that began with "av" drop into the local temp folder for my user account, then disappear immediately, again and again. A lot of the files in tmp are listed as cmd shell run, and I forgot to mention that BitDefender could not scan 300+ files that are password locked, but not by me. My PC bluescreened and I am attempting the scan again in safe mode and sending this from my phone. I also discovered backup files from my external drive hidden in the .trash Mac file from school use. I am so screwed for homework; I have other PCs but don't know how to verify they are OK... I tried telling school about weird stuff in the past and they don't care. That is why I still haven't used the PCs from the last time stuff happened... I need to find somewhere locally that will figure this out before I lose my school funding and my mind.

#8 Bmaru

  • Members
Posted 12 February 2012 - 02:49 AM

The scan log just said it scanned but nothing else.

Now Device Manager shows a Coprocessor is disabled, Location PCI bus 0 device 1 function 3 - Device type: other devices, manufacturer: unknown:

The drivers for this device are not installed. (Code 28)

There is no driver selected for the device information set or element.

To find a driver for this device, click Update Driver.

#9 Bmaru

  • Members
Posted 12 February 2012 - 02:50 AM

Oh yeah, here is the second scan result done in safe mode:

aswMBR version Copyright© 2011 AVAST Software
Run date: 2012-02-12 00:30:00
00:30:00.904 OS Version: Windows x64 6.1.7601 Service Pack 1
00:30:00.904 Number of processors: 2 586 0x602
00:30:00.919 ComputerName: TRULYOUTRAGEOUS UserName: Jem
00:30:03.992 Initialze error C0000061 - driver not loaded
00:30:10.030 AVAST engine defs: 12021101
00:30:32.790 Service scanning
00:30:35.068 Modules scanning
00:30:35.068 Disk 0 trace - called modules:
00:30:37.517 AVAST engine scan C:\Windows
00:30:41.620 AVAST engine scan C:\Windows\system32
00:33:14.437 AVAST engine scan C:\Windows\system32\drivers
00:33:25.154 AVAST engine scan C:\Users\Jem
01:26:22.952 AVAST engine scan C:\ProgramData
01:27:35.602 Scan finished successfully
01:29:34.817 The log file has been saved successfully to "C:\Users\Jem\Desktop\2.txt"

#10 m0le


  • Malware Response Team
Posted 13 February 2012 - 09:44 PM

No sign of anything rootkit-like so we'll run a removal tool and see what we can find

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
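An added, defender-side example (not from this thread, and not aswMBR's own code): a small parser for the two aswMBR logs posted above that reports what each run actually covered. It makes the difference between the two runs explicit: the safe-mode run never loaded the driver, so it says nothing about the MBR, while the normal run read the MBR but matched no known signature and shows third-party filter drivers in the disk I/O path (the DDS log above identifies fltsrv.sys and vsflt61.sys as Acronis components). The baseline module set, the class and function names, and the log excerpts are assumptions taken from the logs in this thread.

```python
"""Triage helper for aswMBR logs like the two pasted in this thread (added example)."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: short baseline of inbox Windows storage-stack modules, used only
# to separate them from third-party filter drivers in the disk I/O call chain.
WINDOWS_STACK = {"ntoskrnl.exe", "hal.dll", "classpnp.sys", "disk.sys",
                 "acpi.sys", "storport.sys", "partmgr.sys", "volmgr.sys"}

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} (?P<msg>.*)$")
PART_RE = re.compile(
    r"Disk (?P<disk>\d+) Partition (?P<num>\d+) (?P<boot>[0-9A-Fa-f]{2}) "
    r"(?:\(A\) )?(?P<type>[0-9A-Fa-f]{2}) (?P<desc>.+?) (?P<size>\d+) MB "
    r"offset (?P<offset>\d+)$")

# active = boot indicator byte 0x80; type_id = partition type byte ("07" NTFS, "27" hidden WinRE)
Partition = namedtuple("Partition", "number active type_id description size_mb offset")

@dataclass
class Triage:
    initialized: bool = False
    init_error: Optional[str] = None
    mbr_read: bool = False
    mbr_code: Optional[str] = None   # e.g. "unknown" or "default", as the tool words it
    partitions: List[Partition] = field(default_factory=list)
    call_chain: List[str] = field(default_factory=list)

    def third_party_modules(self) -> List[str]:
        """Modules in the disk I/O path that are not inbox Windows drivers."""
        return [m for m in self.call_chain if m.lower() not in WINDOWS_STACK]

    def mbr_covered(self) -> bool:
        """True only if the driver loaded and the MBR was actually read."""
        return self.initialized and self.mbr_read

    def findings(self) -> List[str]:
        """Points a helper would want to check next, in plain words."""
        out = []
        if not self.initialized:
            out.append(f"driver not loaded ({self.init_error}): MBR and partition "
                       "table were NOT examined in this run")
        if self.mbr_code == "unknown":
            out.append("MBR code matched no known signature; attribute it "
                       "(OEM recovery loaders are a common benign cause)")
        if self.third_party_modules():
            out.append("third-party modules in disk path to account for: "
                       + ", ".join(self.third_party_modules()))
        return out

def parse_aswmbr(text: str) -> Triage:
    t = Triage()
    expect_modules = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        toks = msg.split()
        if expect_modules:
            # The module list follows "called modules:" only when the driver loaded;
            # accept it only if every token looks like a binary (absent in safe mode).
            expect_modules = False
            if toks and all(x.lower().endswith((".sys", ".exe", ".dll")) for x in toks):
                t.call_chain = toks
                continue
        if msg == "Initialize success":
            t.initialized = True
        elif msg.lower().startswith("initial") and "error" in msg:
            t.init_error = msg.split("error", 1)[1].strip()
        elif msg.endswith("MBR read successfully"):
            t.mbr_read = True
        elif msg.endswith("MBR code"):   # "Disk 0 unknown MBR code", "... default MBR code"
            t.mbr_code = toks[toks.index("MBR") - 1].lower()
        elif msg.endswith("called modules:"):
            expect_modules = True
        p = PART_RE.search(msg)
        if p:
            t.partitions.append(Partition(int(p["num"]), p["boot"] == "80", p["type"],
                                          p["desc"], int(p["size"]), int(p["offset"])))
    return t

# Excerpts of the two logs posted earlier in this thread (normal boot, then safe mode).
NORMAL_LOG = """\
18:49:42.806 Initialize success
18:51:00.620 Disk 0 MBR read successfully
18:51:00.932 Disk 0 unknown MBR code
18:51:00.964 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 18000 MB offset 2048
18:51:00.979 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 36866048
18:51:00.995 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 935766 MB offset 37070848
18:51:02.180 Disk 0 trace - called modules:
18:51:02.227 ntoskrnl.exe fltsrv.sys tdrpman.sys CLASSPNP.SYS disk.sys vsflt61.sys ACPI.sys storport.sys hal.dll nvstor64.sys
"""
SAFE_MODE_LOG = """\
00:30:03.992 Initialze error C0000061 - driver not loaded
00:30:35.068 Disk 0 trace - called modules:
00:30:37.517 AVAST engine scan C:\\Windows
"""
```

Calling `parse_aswmbr(SAFE_MODE_LOG).findings()` returns only the "driver not loaded" point, which is why the second log cannot be read as a clean MBR result; `parse_aswmbr(NORMAL_LOG).findings()` lists the unmatched MBR code and the four non-inbox modules to attribute.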
#11 m0le


  • Malware Response Team
Posted 16 February 2012 - 09:39 PM


I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.


#12 m0le


  • Malware Response Team
Posted 17 February 2012 - 07:58 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
