0

Hey all, I have finished 2 weeks of trying to rid my acer aspire 8930G laptop of a keylogger & fingerprint logger and thot all was well, but somethings told me there is still a problem. Despite running Norton Security Suite (which never stopped the trogan in the 1st place) and NPE did find a FPlaunchercache64.dll file in safe mode which I got rid of, and then downloading threatfire (which didn't find anything either) my laptop fan started running nonstop and LOUDLY. I opened up, blew out the dust (thru the vent on the backside, not inside laptop) and still it is soooo loud. Looked at task manager and found 4 instances of iexploreR.exe running at the most cpu usage (total of 230,000) isn't this the virus that hides itself? my cpu usage reports anywhere from 60-97% all of a sudden. I need to find this thing on my laptop and get rid of it, but nothing seems to find anything. Any help would be most appreciated. This is only a 15 month old laptop which worked perfectly till the keylogger and fplogger came thru a trojan, which I removed, but still issues remain. Each boot up gets a message from Hijack this saying for some reason the hosts files are denied access, but gives instructions as if it's a permissions thing in Vista x64. Trying to right click hijack this program and choose run as administrator is NOT an option. So the current Hijack this log is this:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:45:52 PM, on 7/19/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Safe mode with network support

Running processes:
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp64&d=0510&m=aspire_8930
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp64&d=0510&m=aspire_8930
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\4.2.0.12\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files (x86)\comcasttb\comcastdx.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Big Fish Games Toolbar - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files (x86)\BfgBar\bfg.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Big Fish Games Toolbar - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files (x86)\BfgBar\bfg.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\Program Files (x86)\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
O3 - Toolbar: Comcast Toolbar - {79CEEA4E-C231-4614-9E3B-53B2A02F39B7} - C:\Program Files (x86)\comcasttb\comcastdx.dll
O4 - HKLM\..\Run: [eAudio] "C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [BkupTray] "C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
O4 - HKLM\..\Run: [Acer Assist Launcher] "C:\Program Files (x86)\Acer\Acer Assist\launcher.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~2\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe"
O4 - HKLM\..\Run: [VitaKeyPdtWzd] "C:\Program Files (x86)\Acer Bio Protection\PdtWzd.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files (x86)\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [Carbonite Backup] "C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ComcastAntispyClient] "C:\Program Files (x86)\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" /hide
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files (x86)\Trend Micro\HiJackThis\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Acer VCM.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Quick-Launch Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files (x86)\Acer Bio Protection\PwdBank.exe
O9 - Extra 'Tools' menuitem: Quick-Launch Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files (x86)\Acer Bio Protection\PwdBank.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} (WRC Class) - http://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: AWinNotifyVitaKey MC3000 - Invalid registry found
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Comcast AntiSpyware (AntiSpywareService) - Unknown owner - C:\Program Files (x86)\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files (x86)\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: CLHNService - Unknown owner - C:\Program Files (x86)\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: EgisTec Service (IGBASVC) - Egis Technology Inc. - C:\Program Files (x86)\Acer Bio Protection\BASVC.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files (x86)\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files (x86)\Smith Micro\StuffIt 2009\ArcNameService.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files (x86)\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Validity Fingerprint Service (vfsFPService) - Validity Sensors, Inc. - C:\Windows\system32\vfsFPService.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 14521 bytes

2
Contributors
17
Replies
18
Views
7 Years
Discussion Span
Last Post by crunchie
0

take a look at this: http://malwareremoval.com/forum/viewtopic.php?f=11&t=52385 and tell me if this is my issue: I ran the bootkit file and dos window opened with same message that I have a bootkit but I was unable to copy it like instructed; however, it said the same as the poster posted about his pc. Is factory restore my only option? I just did this in May due to some issue that was NOT spyware related so I hate to have to do it again, but if that is my only removal option..I must. Plz help.

0

Hi and welcome to the Daniweb forums :).

==========

Let's have a look first.

Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.

====

0

As I posted above (in reply to my 1st post), I did all this last nite and 2 issues remain: used bootkit remover and dos window shows I do have something suspicious in MBR. I can select all of the DOS window, but control c closes the window and in notepad nothing pastes, is there any way I can upload/attach a screen shot? I did get that to paste in paint. Thx for your help.

0

Try doing this;

Notepad.

Go to System32\dllcache and find notepad.exe
Right Click on Notepad.exe and choose copy from the menu.

Go back to the System32 folder and right click on an empty space in the window. Choose paste from the menu. This will place a fresh copy of Notepad in your system32 folder.

Now try this;

Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
0

don't have a sys32\dllcache file or folder; do have notepad.exe in sys32 file; should copy paste to same folder? doubt will help.

btw, gmer didn't find any rootkit/bootkit but most options in scan were greyed out; however sophos has so far found multiple hidden files--should I post them here?

also, threatfire found rogue spyware this a.m.--should i post them as well?

0

Try doing this;

Notepad.

Go to System32\dllcache and find notepad.exe
Right Click on Notepad.exe and choose copy from the menu.

Go back to the System32 folder and right click on an empty space in the window. Choose paste from the menu. This will place a fresh copy of Notepad in your system32 folder.

Now try this;

Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.

have no sys32/dllcache file/folder; do have notepad.exe in sys32 folder; doubt copy/pste would do any good here.

btw, gmer didn't find anything, tho' most options on scan were greyed out; sophos is currently scanning and has found multiple hidden files; have a screen shot can send you from infected pc, not from here (my home computer, uninfected) and this a.m. threatfire found rogue spyware, tho norton & superantispyware never did, yet sas did find malware trace files tonite after update.

do you want me to send you info/screen shots?

0

Yes please.

You can also try running Combofix.

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

0

Yes please.

You can also try running Combofix.

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

i am sending u the screenshots & will try combofix now; get back to you later on it, but reply on screenshots asap please

Attachments sophos_screenshot.jpg 271.36 KB
0

The only ones I would delete there are the TIF's. All the others are legitimate entries, (not that the TIF entries are bad, just that they are temporary).

0

The only ones I would delete there are the TIF's. All the others are legitimate entries, (not that the TIF entries are bad, just that they are temporary).

K, here's the latest news/info. First, threatfire found a.rogue.spyware which I deleted (hope that doesn't mess up anything as I didn't want to use the uninstall found in the folder, but it is still residing in recycle bin in case you tell me to restore); then because threatfire screamed at me when I tried to use combo, saying the program was suspicious for trying to open a file other than the one I selected, I hesitated to run it, but went ahead. I am attaching the debug log which gives me the command (at dos prompt)to dump/investigate the mbr; access denied was returned; next I ran eset online scan (nothing found); then spyhunter full scan (nothing found); malwarebytes (nothing found).

Besides the constant maxed out cpu and loud fan, I have now discovered I cannot print from my laptop to network printer. I have been having permissions issues for the past month (may or may not be related to malware) but I have, I KNOW, in the past been able to modify permissions etc. Tonite, I have to Run as Admin "Sharing" and all options are either greyed out or if clickable, error msgs: found an unknown acct "S-1-5-32-547" which had a ? on the icon before name and when I tried to use advanced security to remove this account, got error "Program cannot open required dialogue box because it cannot determine if computer named GutterMa-9af011 is joined to a domain" so I click to close out and get 2nd Windows Security error: "...the RPC Server is unavailable"--does this mean something's got control of my permissions, printer, everything? this unknown acct has full control (manage/change, etc in print settings)and admins/everyone only can print--yet I cannot change any of it.

Forget about Iexplorer.exe as that is not even showing up now, although lots of files are missing in hijack this log. Now as I try to copy/paste it here, it has changed. I noted last time I sent it to you the date on it was different--should've been the one just saved. Now I just tried to upload it to you, found it dated 7/25 2:37 am, but when upload errored out (guess you can't upload log files) I went to go find it in win\sys32 and it was gone--the only one there was the one I went in and renamed hijackthis0721 to let me know THIS is the log I saved after sending you the one from 7/19. Now I go into the program folder for Trend Micro\hijack this\ and the only log there, too, is dated 7/19. I JUST NOW found it thru the upload window. Is this another symptom?

So I will save again now (tho let me say I have to run hj this as admin because the startup one always gives me the error msg that for some reason it was denied access to the hosts files, and that if malware resides in there, it won't be able to detect it, etc. then tells Vista users this can be overcome by RUN AS ADMIN.

OK, here is the JUST NOW hj log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:28:55 AM, on 7/25/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Acer Bio Protection\CompPtcVUI.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Program Files (x86)\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files (x86)\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files (x86)\Acer Bio Protection\BASVC.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe
C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Smith Micro\StuffIt 2009\ArcNameService.exe
C:\Program Files (x86)\ThreatFire\TFService.exe
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\Windows\PLFSetI.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Program Files (x86)\Acer\Acer VCM\AcerVCMProxy.exe
C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x86\eDSMSNLoader32.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe
C:\Program Files (x86)\Acer Bio Protection\PdtWzd.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files (x86)\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\ThreatFire\TFTray.exe
C:\Program Files (x86)\Acer Bio Protection\PwdBank.exe
C:\Program Files (x86)\Acer\Acer VCM\acp2HID.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp64&d=0510&m=aspire_8930
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp64&d=0510&m=aspire_8930
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\4.2.0.12\IPSBHO.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Big Fish Games Toolbar - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files (x86)\BfgBar\bfg.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll
O3 - Toolbar: Big Fish Games Toolbar - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files (x86)\BfgBar\bfg.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\Program Files (x86)\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll
O4 - HKLM\..\Run: [eAudio] "C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [BkupTray] "C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
O4 - HKLM\..\Run: [Acer Assist Launcher] "C:\Program Files (x86)\Acer\Acer Assist\launcher.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~2\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe"
O4 - HKLM\..\Run: [VitaKeyPdtWzd] "C:\Program Files (x86)\Acer Bio Protection\PdtWzd.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files (x86)\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [Carbonite Backup] "C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ThreatFire] "C:\Program Files (x86)\ThreatFire\TFTray.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files (x86)\Trend Micro\HiJackThis\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Acer VCM.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Quick-Launch Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files (x86)\Acer Bio Protection\PwdBank.exe
O9 - Extra 'Tools' menuitem: Quick-Launch Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files (x86)\Acer Bio Protection\PwdBank.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} (WRC Class) - http://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files (x86)\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: CLHNService - Unknown owner - C:\Program Files (x86)\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: EgisTec Service (IGBASVC) - Egis Technology Inc. - C:\Program Files (x86)\Acer Bio Protection\BASVC.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files (x86)\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files (x86)\Smith Micro\StuffIt 2009\ArcNameService.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files (x86)\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files (x86)\ThreatFire\TFService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Validity Fingerprint Service (vfsFPService) - Validity Sensors, Inc. - C:\Windows\system32\vfsFPService.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 16123 bytes


I would appreciate your review of the attached logs and give me any advice you can to fix this...i am hanging on...avoiding formatting/restoring pc to factory default in hopes this can be beaten...but I NEED my laptop back. So if you think its hopeless, tell me and I'll begin the kill process. Also, with the cpu maxed out constantly and loud fan (assume because it's working overtime to cool down cpu)I'm afraid to use it too much for fear of frying the mbd or cpu. oF COURSE...I just now went to screenshot/upload task mgr performance and for 20 seconds the most it got to was 41% briefly then back down to 11%. I DID notice the fan got quieter than it's been a few hours ago, but it's still way too loud...so I don't know what's up with that.

Edited by myviolinsings: wrong program name: combo kit NOT bootkit remover in para 1

Attachments bootkit_access_denied_screen_shot.jpg 142.88 KB
.\debug.cpp(238) : Debug log started at 23.07.2010 - 07:29:53
.\boot_cleaner.cpp(675) : Bootkit Remover
.\boot_cleaner.cpp(676) : (c) 2009 eSage Lab
.\boot_cleaner.cpp(677) : www.esagelab.com
.\boot_cleaner.cpp(681) : Program version: 1.1.0.0
.\boot_cleaner.cpp(688) : OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 64-bit
.\debug.cpp(248) : **********************************************
.\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
.\debug.cpp(250) : **********************************************
.\debug.cpp(256) : 0x0201d000 0x00517000 "\SystemRoot\system32\ntoskrnl.exe"
.\debug.cpp(256) : 0x02534000 0x00046000 "\SystemRoot\system32\hal.dll"
.\debug.cpp(256) : 0x00605000 0x0000a000 "\SystemRoot\system32\kdcom.dll"
.\debug.cpp(256) : 0x0060f000 0x0003b000 "\SystemRoot\system32\mcupdate_GenuineIntel.dll"
.\debug.cpp(256) : 0x0064a000 0x00014000 "\SystemRoot\system32\PSHED.dll"
.\debug.cpp(256) : 0x0065e000 0x0005d000 "\SystemRoot\system32\CLFS.SYS"
.\debug.cpp(256) : 0x006bb000 0x000b2000 "\SystemRoot\system32\CI.dll"
.\debug.cpp(256) : 0x0080a000 0x000da000 "\SystemRoot\system32\drivers\Wdf01000.sys"
.\debug.cpp(256) : 0x008e4000 0x0000e000 "\SystemRoot\system32\drivers\WDFLDR.SYS"
.\debug.cpp(256) : 0x008f2000 0x00056000 "\SystemRoot\system32\drivers\acpi.sys"
.\debug.cpp(256) : 0x00948000 0x00009000 "\SystemRoot\system32\drivers\WMILIB.SYS"
.\debug.cpp(256) : 0x00951000 0x0000a000 "\SystemRoot\system32\drivers\msisadrv.sys"
.\debug.cpp(256) : 0x0095b000 0x00030000 "\SystemRoot\system32\drivers\pci.sys"
.\debug.cpp(256) : 0x0098b000 0x00015000 "\SystemRoot\System32\drivers\partmgr.sys"
.\debug.cpp(256) : 0x009a0000 0x00004000 "\SystemRoot\system32\DRIVERS\compbatt.sys"
.\debug.cpp(256) : 0x009a4000 0x0000c000 "\SystemRoot\system32\DRIVERS\BATTC.SYS"
.\debug.cpp(256) : 0x009b0000 0x00014000 "\SystemRoot\system32\drivers\volmgr.sys"
.\debug.cpp(256) : 0x0076d000 0x00066000 "\SystemRoot\System32\drivers\volmgrx.sys"
.\debug.cpp(256) : 0x009c4000 0x00013000 "\SystemRoot\System32\drivers\mountmgr.sys"
.\debug.cpp(256) : 0x009d7000 0x00008000 "\SystemRoot\System32\Drivers\UBHelper.sys"
.\debug.cpp(256) : 0x00a0e000 0x0011a000 "\SystemRoot\system32\DRIVERS\iaStor.sys"
.\debug.cpp(256) : 0x00b28000 0x00008000 "\SystemRoot\system32\drivers\atapi.sys"
.\debug.cpp(256) : 0x00b30000 0x00024000 "\SystemRoot\system32\drivers\ataport.SYS"
.\debug.cpp(256) : 0x00b54000 0x00047000 "\SystemRoot\system32\drivers\fltmgr.sys"
.\debug.cpp(256) : 0x00c03000 0x0006e000 "\SystemRoot\system32\drivers\N360x64\0402000.00C\SYMDS64.SYS"
.\debug.cpp(256) : 0x00c71000 0x00014000 "\SystemRoot\system32\drivers\fileinfo.sys"
.\debug.cpp(256) : 0x00c85000 0x00009000 "\SystemRoot\system32\DRIVERS\psdfilter.sys"
.\debug.cpp(256) : 0x00c8e000 0x0003b000 "\SystemRoot\system32\drivers\N360x64\0402000.00C\SYMEFA64.SYS"
.\debug.cpp(256) : 0x00cc9000 0x00011000 "\SystemRoot\system32\drivers\TfSysMon.sys"
.\debug.cpp(256) : 0x00cda000 0x00014000 "\SystemRoot\system32\drivers\TfFsMon.sys"
.\debug.cpp(256) : 0x00cee000 0x0000c000 "\SystemRoot\System32\Drivers\PxHlpa64.sys"
.\debug.cpp(256) : 0x00cfa000 0x00087000 "\SystemRoot\System32\Drivers\ksecdd.sys"
.\debug.cpp(256) : 0x00e05000 0x001c3000 "\SystemRoot\system32\drivers\ndis.sys"
.\debug.cpp(256) : 0x00d81000 0x00050000 "\SystemRoot\system32\drivers\msrpc.sys"
.\debug.cpp(256) : 0x00b9b000 0x00059000 "\SystemRoot\system32\drivers\NETIO.SYS"
.\debug.cpp(256) : 0x01002000 0x00176000 "\SystemRoot\System32\drivers\tcpip.sys"
.\debug.cpp(256) : 0x01178000 0x0002c000 "\SystemRoot\System32\drivers\fwpkclnt.sys"
.\debug.cpp(256) : 0x0120e000 0x000e5000 "\SystemRoot\system32\DRIVERS\timntr.sys"
.\debug.cpp(256) : 0x0140e000 0x00180000 "\SystemRoot\System32\Drivers\Ntfs.sys"
.\debug.cpp(256) : 0x0158e000 0x00044000 "\SystemRoot\system32\drivers\volsnap.sys"
.\debug.cpp(256) : 0x0160c000 0x00166000 "\SystemRoot\system32\DRIVERS\tdrpm251.sys"
.\debug.cpp(256) : 0x01772000 0x00008000 "\SystemRoot\System32\Drivers\spldr.sys"
.\debug.cpp(256) : 0x0177a000 0x0003f000 "\SystemRoot\system32\DRIVERS\snapman.sys"
.\debug.cpp(256) : 0x017b9000 0x00012000 "\SystemRoot\System32\Drivers\mup.sys"
.\debug.cpp(256) : 0x017cb000 0x0002c000 "\SystemRoot\System32\drivers\ecache.sys"
.\debug.cpp(256) : 0x015d2000 0x00014000 "\SystemRoot\system32\drivers\disk.sys"
.\debug.cpp(256) : 0x012f3000 0x0002c000 "\SystemRoot\system32\drivers\CLASSPNP.SYS"
.\debug.cpp(256) : 0x01600000 0x0000a000 "\SystemRoot\system32\drivers\crcdisk.sys"
.\debug.cpp(256) : 0x02922000 0x0000d000 "\SystemRoot\system32\DRIVERS\tunnel.sys"
.\debug.cpp(256) : 0x0292f000 0x00009000 "\SystemRoot\system32\DRIVERS\tunmp.sys"
.\debug.cpp(256) : 0x02938000 0x00013000 "\SystemRoot\system32\DRIVERS\intelppm.sys"
.\debug.cpp(256) : 0x0294b000 0x00005000 "\SystemRoot\system32\DRIVERS\CmBatt.sys"
.\debug.cpp(256) : 0x02950000 0x00009000 "\SystemRoot\system32\DRIVERS\wmiacpi.sys"
.\debug.cpp(256) : 0x02a03000 0x00939000 "\SystemRoot\system32\DRIVERS\nvlddmkm.sys"
.\debug.cpp(256) : 0x0340d000 0x000e3000 "\SystemRoot\System32\drivers\dxgkrnl.sys"
.\debug.cpp(256) : 0x034f0000 0x00010000 "\SystemRoot\System32\drivers\watchdog.sys"
.\debug.cpp(256) : 0x03500000 0x0000c000 "\SystemRoot\system32\DRIVERS\usbuhci.sys"
.\debug.cpp(256) : 0x0350c000 0x00046000 "\SystemRoot\system32\DRIVERS\USBPORT.SYS"
.\debug.cpp(256) : 0x03552000 0x00011000 "\SystemRoot\system32\DRIVERS\usbehci.sys"
.\debug.cpp(256) : 0x03608000 0x000ed000 "\SystemRoot\system32\DRIVERS\HDAudBus.sys"
.\debug.cpp(256) : 0x036f5000 0x00013000 "\SystemRoot\system32\DRIVERS\L1E60x64.sys"
.\debug.cpp(256) : 0x0380e000 0x0048e000 "\SystemRoot\system32\DRIVERS\NETw5v64.sys"
.\debug.cpp(256) : 0x03c9c000 0x00016000 "\SystemRoot\system32\DRIVERS\i8042prt.sys"
.\debug.cpp(256) : 0x03cb2000 0x0000c000 "\SystemRoot\SysWOW64\Drivers\DKbFltr.sys"
.\debug.cpp(256) : 0x03cbe000 0x0000e000 "\SystemRoot\system32\DRIVERS\kbdclass.sys"
.\debug.cpp(256) : 0x03ccc000 0x00055000 "\SystemRoot\system32\DRIVERS\SynTP.sys"
.\debug.cpp(256) : 0x03d21000 0x00002000 "\SystemRoot\system32\DRIVERS\USBD.SYS"
.\debug.cpp(256) : 0x03d23000 0x0000c000 "\SystemRoot\system32\DRIVERS\mouclass.sys"
.\debug.cpp(256) : 0x03d2f000 0x0005c000 "\SystemRoot\system32\DRIVERS\itecir.sys"
.\debug.cpp(256) : 0x03d8b000 0x0001c000 "\SystemRoot\system32\DRIVERS\cdrom.sys"
.\debug.cpp(256) : 0x03da7000 0x00008000 "\SystemRoot\system32\Drivers\NTIDrvr.sys"
.\debug.cpp(256) : 0x03daf000 0x0000d000 "\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys"
.\debug.cpp(256) : 0x03dbc000 0x00039000 "\SystemRoot\system32\DRIVERS\msiscsi.sys"
.\debug.cpp(256) : 0x03708000 0x0005d000 "\SystemRoot\system32\DRIVERS\storport.sys"
.\debug.cpp(256) : 0x03800000 0x0000d000 "\SystemRoot\system32\DRIVERS\TDI.SYS"
.\debug.cpp(256) : 0x03765000 0x00023000 "\SystemRoot\system32\DRIVERS\rasl2tp.sys"
.\debug.cpp(256) : 0x03788000 0x0000c000 "\SystemRoot\system32\DRIVERS\ndistapi.sys"
.\debug.cpp(256) : 0x03794000 0x00031000 "\SystemRoot\system32\DRIVERS\ndiswan.sys"
.\debug.cpp(256) : 0x037c5000 0x00010000 "\SystemRoot\system32\DRIVERS\raspppoe.sys"
.\debug.cpp(256) : 0x037d5000 0x0001e000 "\SystemRoot\system32\DRIVERS\raspptp.sys"
.\debug.cpp(256) : 0x03563000 0x00018000 "\SystemRoot\system32\DRIVERS\rassstp.sys"
.\debug.cpp(256) : 0x0357b000 0x00013000 "\SystemRoot\system32\DRIVERS\termdd.sys"
.\debug.cpp(256) : 0x03df5000 0x00002000 "\SystemRoot\system32\DRIVERS\swenum.sys"
.\debug.cpp(256) : 0x0358e000 0x00034000 "\SystemRoot\system32\DRIVERS\ks.sys"
.\debug.cpp(256) : 0x035c2000 0x00011000 "\SystemRoot\system32\DRIVERS\circlass.sys"
.\debug.cpp(256) : 0x037f3000 0x0000b000 "\SystemRoot\system32\DRIVERS\mssmbios.sys"
.\debug.cpp(256) : 0x035d3000 0x00010000 "\SystemRoot\system32\DRIVERS\umbus.sys"
.\debug.cpp(256) : 0x0333c000 0x00048000 "\SystemRoot\system32\DRIVERS\usbhub.sys"
.\debug.cpp(256) : 0x035e3000 0x00014000 "\SystemRoot\System32\Drivers\NDProxy.SYS"
.\debug.cpp(256) : 0x0780f000 0x00161000 "\SystemRoot\system32\drivers\RTKVHD64.sys"
.\debug.cpp(256) : 0x07970000 0x0003b000 "\SystemRoot\system32\drivers\portcls.sys"
.\debug.cpp(256) : 0x079ab000 0x00023000 "\SystemRoot\system32\drivers\drmk.sys"
.\debug.cpp(256) : 0x079ce000 0x00006000 "\SystemRoot\system32\drivers\ksthunk.sys"
.\debug.cpp(256) : 0x07c09000 0x0013c000 "\SystemRoot\system32\DRIVERS\agrsm64.sys"
.\debug.cpp(256) : 0x07d45000 0x0000f000 "\SystemRoot\system32\drivers\modem.sys"
.\debug.cpp(256) : 0x07d54000 0x00014000 "\SystemRoot\system32\drivers\nvhda64v.sys"
.\debug.cpp(256) : 0x07d68000 0x0000b000 "\SystemRoot\system32\DRIVERS\hidir.sys"
.\debug.cpp(256) : 0x07d73000 0x00012000 "\SystemRoot\system32\DRIVERS\HIDCLASS.SYS"
.\debug.cpp(256) : 0x07d85000 0x00008000 "\SystemRoot\system32\DRIVERS\HIDPARSE.SYS"
.\debug.cpp(256) : 0x07d8d000 0x0000b000 "\SystemRoot\system32\DRIVERS\kbdhid.sys"
.\debug.cpp(256) : 0x07d98000 0x0000b000 "\SystemRoot\system32\DRIVERS\mouhid.sys"
.\debug.cpp(256) : 0x07da3000 0x0000a000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
.\debug.cpp(256) : 0x07dad000 0x00009000 "\SystemRoot\System32\Drivers\Null.SYS"
.\debug.cpp(256) : 0x07db6000 0x0000e000 "\SystemRoot\System32\drivers\vga.sys"
.\debug.cpp(256) : 0x07dc4000 0x00025000 "\SystemRoot\System32\drivers\VIDEOPRT.SYS"
.\debug.cpp(256) : 0x07de9000 0x00010000 "\SystemRoot\system32\DRIVERS\WinUSB.sys"
.\debug.cpp(256) : 0x07c00000 0x00009000 "\SystemRoot\System32\DRIVERS\RDPCDD.sys"
.\debug.cpp(256) : 0x079d4000 0x0001c000 "\SystemRoot\system32\DRIVERS\usbccgp.sys"
.\debug.cpp(256) : 0x079f0000 0x00009000 "\SystemRoot\system32\drivers\rdpencdd.sys"
.\debug.cpp(256) : 0x07800000 0x0000b000 "\SystemRoot\System32\Drivers\Msfs.SYS"
.\debug.cpp(256) : 0x03384000 0x00011000 "\SystemRoot\System32\Drivers\Npfs.SYS"
.\debug.cpp(256) : 0x03df7000 0x00009000 "\SystemRoot\System32\DRIVERS\rasacd.sys"
.\debug.cpp(256) : 0x03395000 0x0001d000 "\SystemRoot\system32\DRIVERS\tdx.sys"
.\debug.cpp(256) : 0x02959000 0x00076000 "\SystemRoot\System32\Drivers\N360x64\0402000.00C\SYMTDIV.SYS"
.\debug.cpp(256) : 0x033b2000 0x00036000 "\??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS"
.\debug.cpp(256) : 0x029cf000 0x0001b000 "\SystemRoot\system32\DRI
combofix_prompted_threatfire.jpg 196.16 KB sophos_screenshot.jpg 271.36 KB
0

Hey, I finally figured out how to get the bootkit remover.exe command to work (had to be at the right directory: after run as admin, default dir is win\sys32, so cd\ to remover.exe file location and dumped mbr to a file within that dir. But when I opened it, windows asked me which pgm to use and chose notepad and it was undecipherable to me, So I will upload another screen shot of dos window and hope you can know what it's telling us. something about read/write error

Thx for all your help.
Sheila

Attachments bootkit_remover_dos_window.jpg 239.08 KB
0

At the moment I cannot keep up with you. I have asked you to run Combofix. Part of the instructions were to disable any other monitoring software. Threatfire is one of those.
The file that threatfire picked up was a file belonging to Combofix.
If you wish to follow my instructions then I am happy to continue, but if you are going to run this, that and the other tool in between my trying to help you, then I am going to have to pass this thread onto someone else.

0

At the moment I cannot keep up with you. I have asked you to run Combofix. Part of the instructions were to disable any other monitoring software. Threatfire is one of those.
The file that threatfire picked up was a file belonging to Combofix.
If you wish to follow my instructions then I am happy to continue, but if you are going to run this, that and the other tool in between my trying to help you, then I am going to have to pass this thread onto someone else.

I guess I should have replied to you, but did you read my last post about all I did and look at the combofix pic? I must not have gotten threatfire disabled, but I did go ahead and run it and sent the results. The other things I tried today were because I was trying to get anything to find this on my own.

I am sorry for the info overload, but am desperate to resolve. Now after reading/viewing all I have sent you, let me add one more thing: I dumped the mbr and sent you the screenshot, then I went back and tried the fix the mbr and got the error msg in dos window: no standard boot code found for your os. Don't know if that tells you anything, but I try to give all info in case it matters.

Please continue with instructions.

Sheila

0

Yes please.

You can also try running Combofix.

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

OK, first apology for NOT doing this last night. Don't know where YOU are located, but it's almost 6 am here and last nite was also 4-5ish AM, so forgive me.--am running days with only 2-3 hrs sleep each.

I went back and re-read your instructions and found I did NOT install/run from desktop (nor did I turn off norton firewall (only disabled antivirus); so I uninstalled all those programs from today, rebooted, downloaded the combo from your 1st link in post, turned off norton av & firewall, disconnected from my network, and right clicked the desktop link RUN AS ADMIN (since nothing works unless I do anymore)and immediately a window popped up that said combofix does not work on anything except 2000 & xp and only x32 sys. In my initial post here, it may have been unclear, but I mentioned Vista x64, which is what I am running.

That said, I was prepared to follow your instructs, post back here the finds, etc. But since I cannot, please let me know the next course of action. I so appreciate your help, and sorry again that I pushed myself past the point of brain-deadness yesterday. LOL.

Thx
Sheila

P.S. It struck me that I never got that message (the wrong OS)last nite when I thot I ran combofix so I went back to see what it was that I ran. When you replied earlier that threatfire had detected combo, you might not have noticed, but the top of the screenshot I sent you was sothos anti-rootkit scan. So it appears I didn't even try combofix last nite, as it was not on my pc. Another apology for the sothos send, but wanted you to know.

Edited by myviolinsings: found I had run wrong program; thus didn't know combofix wasn't compatible till now

0

Ok. I missed the 64bit there. Combofix does run on Vista, but only on 32bit.
You probably have the worst system possible to sort out problems on :(.
To be honest, the quickest way to sort this would be a reformat. Windows 7 would be better too :).

0

Ok. I missed the 64bit there. Combofix does run on Vista, but only on 32bit.
You probably have the worst system possible to sort out problems on :(.
To be honest, the quickest way to sort this would be a reformat. Windows 7 would be better too :).

Just to be sure: repairing windows install or mbr will NOT get rid of the malware? since I last month deleted my acronis true image of my entire hd, I would now NOT want to make another until AFTER reformat? and, it is not enough to restore to factory default? I need to actually wipe the disk and then use the safe partition to restore to factory default? Just want to be sure the "reformat" part is what I think you mean.

I appreciate all your help and wish we could have snared this thing--would be nice to have known exactly WHAT it is and HOW I got it.

Thx so much
Sheila

0

Taking it back to factory defaults would be fine. That should take you back to where a reformat would (almost) get you.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.