Cyber Tech Help Support Forums

Cyber Tech Help Support Forums (https://www.cybertechhelp.com/index.php)
-   Malware Removal (https://www.cybertechhelp.com/forumdisplay.php?f=25)
-   -   Slow computer and Firefox popup (https://www.cybertechhelp.com/showthread.php?t=218638)

tamwood March 16th, 2012 06:10 AM

Slow computer and Firefox popup
 
Hi,

My husband said his computer was much slower than normal today, so I took a look at it and found that 99% of Windows Updates have failed in the past year. I tried things that I found in Microsoft Answers but nothing worked so I posted a message there and hope that someone can help me with that (I ran their utility - Fixit - and when it was done, I tested it and clicked that it still failed - and that took me to a page that said 'this page has expired.' !!!) My point is, this computer is vulnerable.

While I was looking at his computer, about 30 seconds after MS Fixit finished, Firefox popped up with two tabs. The first one was a Startnow (www.startnow.com) tab with Bing and it looked like the Bing equivalent of a Google search page. This was quickly followed by a Thank you! Special Savings tab: http://www.specialsavings.com/forum/...ucts/done.html. It was thanking him for installing something. The site is called Deal Finders and it's a coupon clipping site. He said that he has never had popups and, although he installed Firefox a very long time ago, he does not use it, and that he didn't recognize the two sites at all. This is not a Firefox add-in but I don't know enough about Firefox to look at other things. I checked Programs in Control Panel but it didn't indicate an installation there.

I ran MBAM and it said everything was fine, I ran a quick MSE scan, and I cleaned out the temp files, history, etc. I went to msconfig and unclicked things that he doesn't need loaded on startup, and went into task manager and shut down things he didn't need. I did all of this before he got the popups. Right now, I'm doing a defrag. But I don't know what to do next to make sure he's okay.

He has Windows Vista Home Premium SP1 (because SP2 was one of the failed updates), uses IE7 (same thing), and for virus/malware he has Microsoft Security Essentials with Windows Firewall.

Thanks for your help. Sorry this is so long. Please let me know what information you need.

Jintan March 16th, 2012 11:34 PM

Welcome to CTH tamwood,

Let's see what all is there.


The system is Vista, so when running any of the scan files we use, be sure to right click the file, then select "Run as administrator" to start the scan/tool.

And to make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".



To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

-------

Click here and download OldTimer's OTL to your desktop, then click that to open the scan display. At the top click "Scan All Users", then click "Run Scan". Make no other changes at this time.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are also saved in the same location as OTL.exe. Post the contents of those back here please.

-----------

Click here and download the installer for Gmer to your desktop, then click that file to run Gmer.


Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right click on your Desktop, choose "New" > Text document. Once the file is created, open it and right click again and choose Paste. Copy the information and post it here please.

-----------

Download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • If you can, have an open Internet connection and allow it to download the latest Avast engine detections.
  • If avast! antivirus is already installed, just do the next step.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


A lot, but comprehensive, and will make sure we get a good view of everything.

tamwood March 18th, 2012 03:56 AM

Thanks, will do.

Jintan March 18th, 2012 11:24 PM

Post when ready.

tamwood March 19th, 2012 06:19 PM

I did OTL twice but it did not create an Extras.txt file. Also, twice, when I ran aswMBR, it created a BSOD and restarted the computer before it was done. I was not able to get the BSOD info before it disappeared. I ran it one more time and it finished without a problem and I was able to save the log file. I just wanted you to know about it.
-------------------------------------------

OTL logfile created on: 3/19/2012 12:30:07 AM - Run 5
OTL by OldTimer - Version 3.2.39.1 Folder = D:\Virus
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.93 Gb Total Physical Memory | 1.04 Gb Available Physical Memory | 53.88% Memory free
4.09 Gb Paging File | 2.96 Gb Available in Paging File | 72.41% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.44 Gb Total Space | 51.78 Gb Free Space | 46.47% Space Free | Partition Type: NTFS
Drive D: | 111.44 Gb Total Space | 100.37 Gb Free Space | 90.07% Space Free | Partition Type: NTFS

Computer Name: ASPIRE | User Name: leigh | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/17 22:52:54 | 000,594,432 | ---- | M] (OldTimer Tools) -- D:\Virus\OTL.exe
PRC - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/06/15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/11/23 17:52:06 | 000,038,144 | ---- | M] (RingCentral, Inc.) -- C:\Program Files\RingCentral\eXtreme Fax\RCHotKey.exe
PRC - [2008/10/29 02:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/08/01 13:51:42 | 000,405,504 | ---- | M] (Acer Inc.) -- C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
PRC - [2008/07/29 20:53:00 | 000,500,784 | ---- | M] (Egis Incorporated) -- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
PRC - [2008/07/29 20:52:50 | 000,526,896 | ---- | M] (Egis Incorporated) -- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
PRC - [2008/07/02 14:35:52 | 000,850,440 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\LManager.exe
PRC - [2008/06/02 12:25:40 | 000,024,576 | ---- | M] () -- C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
PRC - [2008/03/18 14:27:12 | 000,013,312 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
PRC - [2008/01/16 22:35:02 | 000,081,504 | ---- | M] () -- C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
PRC - [2007/12/06 19:15:28 | 000,110,592 | ---- | M] () -- C:\ACER\Mobility Center\MobilityService.exe


========== Modules (No Company Name) ==========

MOD - [2010/11/20 01:57:10 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\07932234c4cdc31042eeacc9f81d8fda\System.Runtime.Remoting.ni.dll
MOD - [2010/08/12 09:49:54 | 000,212,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\e6220b10333c1b184103c97e09a9a144\System.ServiceProcess.ni.dll
MOD - [2010/08/12 09:47:21 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\5c64322812ad3369c7618e5f52d13a72\System.Xml.ni.dll
MOD - [2010/08/12 09:46:55 | 012,430,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\19f5c72f22f18275e3fa45a2a8e04140\System.Windows.Forms.ni.dll
MOD - [2010/08/12 09:46:43 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\618be9fca90bc21db0010bae1e84dad4\System.Drawing.ni.dll
MOD - [2010/08/12 09:45:30 | 007,949,824 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\e757b4f83931d47c785b0aaacf7cce81\System.ni.dll
MOD - [2010/08/12 09:45:06 | 011,490,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\fb0a3a6e527462455beda91d7ea58de5\mscorlib.ni.dll
MOD - [2009/09/04 08:19:30 | 000,644,096 | ---- | M] () -- C:\Program Files\IZArc\IZArcCM.dll
MOD - [2008/08/18 22:06:15 | 000,036,864 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\Framework.Utility\3.0.3009.0__4df5dcab8860d239\Framework.Utility.dll
MOD - [2008/08/18 22:06:14 | 000,061,440 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\Framework.Library\3.0.3009.0__3036420f80dd6947\Framework.Library.dll
MOD - [2008/08/18 22:06:14 | 000,009,216 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\Framework.Model.ControllerInterface\3.0.3009.0__d842b71b4d6ed079\Framework.Model.ControllerInterface.dll
MOD - [2008/07/29 20:52:38 | 000,227,888 | ---- | M] () -- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ShowErrMsg.dll
MOD - [2003/06/07 16:30:08 | 000,057,344 | ---- | M] () -- C:\Program Files\Launch Manager\PowerUtl.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/04/27 15:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/07/29 20:53:00 | 000,500,784 | ---- | M] (Egis Incorporated) [Auto | Running] -- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe -- (eDataSecurity Service)
SRV - [2008/06/02 12:25:40 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Program Files\Acer\Empowering Technology\Service\ETService.exe -- (ETService)
SRV - [2008/03/18 14:27:12 | 000,013,312 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/16 22:35:02 | 000,081,504 | ---- | M] () [Auto | Running] -- C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe -- (CLHNService)
SRV - [2007/12/06 19:15:28 | 000,110,592 | ---- | M] () [Auto | Running] -- C:\ACER\Mobility Center\MobilityService.exe -- (MobilityService)
SRV - [2005/11/17 15:18:52 | 001,527,900 | ---- | M] (MAGIX®) [On_Demand | Stopped] -- d:\Program Files\MAGIX\Common\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\leigh\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2012/03/18 23:51:33 | 000,029,904 | ---- | M] () [Kernel | System | Stopped] -- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{BE2CCF8B-F01D-4686-823C-E80B3AD617BF}\MpKsldeadcdf4.sys -- (MpKsldeadcdf4)
DRV - [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/04/27 15:25:24 | 000,065,024 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/04/18 13:18:50 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2009/07/09 13:45:36 | 000,116,064 | ---- | M] (JMicron Technology Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\jmcr.sys -- (JMCR)
DRV - [2008/07/18 20:05:10 | 000,061,424 | ---- | M] (Cyberlink Corp.) [Kernel | Auto | Running] -- C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl -- ({49DE1C67-83F8-4102-99E0-C16DCC7EEC796})
DRV - [2008/06/10 21:54:36 | 000,123,904 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/06/02 12:20:12 | 000,015,392 | ---- | M] (Acer, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\int15.sys -- (int15)
DRV - [2008/02/29 18:13:38 | 001,202,560 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2008/02/19 01:09:40 | 000,166,960 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2008/01/16 22:35:08 | 000,122,368 | ---- | M] (Cyberlink Corp.) [Kernel | Auto | Running] -- C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys -- (NTIPPKernel)
DRV - [2006/11/03 00:27:36 | 000,020,112 | ---- | M] (Dritek System Inc.) [Kernel | System | Running] -- C:\Program Files\Launch Manager\DPortIO.sys -- (DritekPortIO)
DRV - [2002/06/03 21:38:38 | 000,311,684 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\P1001Vid.sys -- (P1001VID) Creative WebCam (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=...m=aspire_4730z
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2835799940-606296060-655187663-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://global.acer.com [binary data]
IE - HKU\S-1-5-21-2835799940-606296060-655187663-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-2835799940-606296060-655187663-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2835799940-606296060-655187663-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.google.com/
IE - HKU\S-1-5-21-2835799940-606296060-655187663-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 2
IE - HKU\S-1-5-21-2835799940-606296060-655187663-1000\..\SearchScopes,DefaultScope = {105E99FF-8B9A-4492-B155-06194B9056D2}
IE - HKU\S-1-5-21-2835799940-606296060-655187663-1000\..\SearchScopes\{105E99FF-8B9A-4492-B155-06194B9056D2}: "URL" = http://www.bing.com/search?FORM=IPGTDF&PC=IPGTDF&q={searchTerms}&src=IE-SearchBox
IE - HKU\S-1-5-21-2835799940-606296060-655187663-1000\..\SearchScopes\{A59C167F-298F-30E1-8F0D-B7ED3F450647}: "URL" = http://www.startnow.com/s/?q={searchTerms}&src=defsearch&provider=Bing&provider_code=Z057&partner_id=333&product_id=519&affiliate_id=&channel=DPGL15&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110614&user_guid=6CB80A9C18B74B239F200E853263ADCA&machine_id=0494027f837940b47fed5c153607ef6e&browser=IE&os=win&os_version=6.0-x86-SP1
IE - HKU\S-1-5-21-2835799940-606296060-655187663-1000\..\SearchScopes\{C9BF099A-5362-4E59-8BE3-8AA955FFCBD9}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ACAW
IE - HKU\S-1-5-21-2835799940-606296060-655187663-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.startup.homepage: "http://www.startnow.com/?src=startpage&provider=Bing&provider_code=Z057&partner_id=333&product_id=519&affiliate_id=&channel=DPGL15&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110614&user_guid=6CB80A9C18B74B239F200E853263ADCA&machine_id=0494027f837940b47fed5c153607ef6e&browser=FF&os=win&os_version=6.0-x86-SP1"
FF - prefs.js..keyword.URL: "http://www.startnow.com/s/?src=addrbar&provider=Bing&provider_code=Z057&partner_id=333&product_id=519&affiliate_id=&channel=DPGL15&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110614&user_guid=6CB80A9C18B74B239F200E853263ADCA&machine_id=0494027f837940b47fed5c153607ef6e&browser=FF&os=win&os_version=6.0-x86-SP1&q="
FF - prefs.js..network.proxy.type: 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\superfish@superfish.com: C:\ProgramDataMozilla\Extensions\superfish@superfish.com [2012/03/15 17:34:39 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2012/01/20 16:24:26 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2012/01/20 16:24:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: d:\Program Files\Mozilla Firefox\components [2012/01/20 16:23:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: d:\Program Files\Mozilla Firefox\plugins [2012/02/06 14:17:04 | 000,000,000 | ---D | M]

[2011/06/12 17:47:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\leigh\AppData\Roaming\mozilla\Extensions
[2010/06/11 11:28:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\leigh\AppData\Roaming\mozilla\Extensions\mozswing@mozswing.org
[2012/02/06 15:41:41 | 000,000,000 | ---D | M] (No name found) -- C:\Users\leigh\AppData\Roaming\mozilla\Firefox\Profiles\7vfnswoq.default\extensions
[2012/02/06 15:41:42 | 000,000,000 | ---D | M] (Microsoft Choice Guard) -- C:\Users\leigh\AppData\Roaming\mozilla\Firefox\Profiles\7vfnswoq.default\extensions\ChoiceGuard@Microsoft
[2011/06/14 16:49:25 | 000,002,265 | ---- | M] () -- C:\Users\leigh\AppData\Roaming\Mozilla\Firefox\Profiles\7vfnswoq.default\searchplugins\bing-zugo.xml
[2011/06/12 17:47:27 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/06/12 17:22:12 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2010/12/14 22:59:38 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/06/12 16:00:28 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2012/03/15 17:34:39 | 000,000,000 | ---D | M] (Window Shopper - Powered by Superfish) -- C:\PROGRAMDATAMOZILLA\EXTENSIONS\SUPERFISH@SUPERFISH.COM
[2009/09/02 09:11:35 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2012/02/06 14:17:09 | 000,000,000 | ---D | M] (Java Console) -- D:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
[2011/05/04 04:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/10/22 23:19:13 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (Egis)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKU\S-1-5-21-2835799940-606296060-655187663-1000\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acer Assist Launcher] C:\Program Files\Acer\Acer Assist\launcher.exe ()
O4 - HKLM..\Run: [Acer Product Registration] C:\Program Files\Acer\Acer Registration\ACE1.exe (Leader Technologies)
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe (Egis Incorporated)
O4 - HKLM..\Run: [ePower_DMC] C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe (Acer Inc.)
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2835799940-606296060-655187663-1000..\Run: [RCHotKey] C:\Program Files\RingCentral\eXtreme Fax\RCHotKey.exe (RingCentral, Inc.)
O4 - HKU\S-1-5-21-2835799940-606296060-655187663-1000..\Run: [RCUI] C:\Program Files\RingCentral\eXtreme Fax\RCUI.exe (RingCentral, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2835799940-606296060-655187663-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2835799940-606296060-655187663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-2835799940-606296060-655187663-1000\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/pr.../ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} http://cabby.markur.com/activex/AMC.cab (AxisMediaControlEmb Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 24.247.15.53 66.189.0.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0E4514BD-028B-40B4-B9F3-884926C28168}: DhcpNameServer = 192.168.1.1 24.247.15.53 66.189.0.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C966F92B-F884-40CE-8096-7E5FAFC26918}: DhcpNameServer = 172.16.2.5 172.18.82.11 4.2.2.2
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\leigh\Pictures\Ski Trip 2010\on top of blue heven looking at eagle eye restaurant.jpg
O24 - Desktop BackupWallPaper: C:\Users\leigh\Pictures\Ski Trip 2010\on top of blue heven looking at eagle eye restaurant.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/15 23:51:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Defraggler
[2012/03/15 23:51:50 | 000,000,000 | ---D | C] -- C:\Program Files\Defraggler
[2012/03/15 17:26:09 | 000,000,000 | ---D | C] -- C:\Users\leigh\AppData\Local\ElevatedDiagnostics

========== Files - Modified Within 30 Days ==========

[2012/03/19 00:17:29 | 002,701,242 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/03/19 00:17:28 | 000,853,960 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/03/19 00:11:16 | 000,000,000 | ---- | M] () -- C:\Windows\System32\LogConfigTemp.xml
[2012/03/19 00:11:11 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/03/19 00:11:10 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/03/19 00:10:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/03/19 00:10:36 | 2072,035,328 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/19 00:10:34 | 273,906,273 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/03/19 00:01:05 | 000,000,256 | ---- | M] () -- C:\Windows\tasks\HP Photo Creations Messager.job
[2012/03/15 23:51:52 | 000,001,706 | ---- | M] () -- C:\Users\Public\Desktop\Defraggler.lnk
[2012/03/15 17:22:12 | 000,000,808 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/03/15 16:38:06 | 000,000,910 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/20 11:12:20 | 000,000,942 | ---- | M] () -- C:\Users\leigh\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk

========== Files Created - No Company Name ==========

[2012/03/15 23:51:52 | 000,001,706 | ---- | C] () -- C:\Users\Public\Desktop\Defraggler.lnk
[2012/03/15 16:38:06 | 000,000,910 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/20 16:15:03 | 000,000,057 | ---- | C] () -- C:\ProgramData\Ament.ini
[2011/12/19 19:55:27 | 000,000,227 | ---- | C] () -- C:\Windows\PowerReg.dat
[2011/12/19 19:55:25 | 000,045,568 | ---- | C] () -- C:\Windows\UniFish3.exe
[2011/06/12 17:23:52 | 000,000,048 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2011/06/12 17:00:01 | 000,000,223 | ---- | C] () -- C:\Windows\System32\P1001Twn.ini
[2011/06/08 17:57:22 | 001,929,576 | ---- | C] () -- C:\Windows\System32\HPScanTRDrv_DJ3050A_J611.dll
[2011/03/03 11:12:16 | 001,503,232 | ---- | C] () -- C:\Windows\System32\ptj.exe
[2011/03/03 11:12:16 | 001,103,360 | ---- | C] () -- C:\Windows\System32\cidfont.dll
[2011/03/03 11:12:12 | 004,369,408 | ---- | C] () -- C:\Windows\System32\pdftk.exe
[2011/03/03 11:12:12 | 000,235,008 | ---- | C] () -- C:\Windows\System32\office.exe
[2011/02/11 19:40:40 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
[2010/08/25 20:30:02 | 000,439,308 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
[2010/08/25 20:30:00 | 000,982,240 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
[2010/08/25 20:30:00 | 000,092,356 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
[2010/08/25 19:57:00 | 000,000,151 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config
[2010/06/30 18:32:50 | 000,176,235 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
[2010/06/07 23:53:12 | 000,120,200 | ---- | C] () -- C:\Windows\System32\DLLDEV32i.dll
[2010/06/07 23:45:50 | 000,006,211 | ---- | C] () -- C:\Windows\mgxoschk.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\ProgramData\Temp:73933431
@Alternate Data Stream - 114 bytes -> C:\ProgramData\Temp:AB689DEA
@Alternate Data Stream - 111 bytes -> C:\ProgramData\Temp:4220A65C
@Alternate Data Stream - 100 bytes -> C:\ProgramData\Temp:753F86A9

< End of report >

tamwood March 19th, 2012 06:21 PM

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-18 01:05:40
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS543225L9A300 rev.FBEOC40C
Running: hmmwzjh2.exe; Driver: C:\Users\leigh\AppData\Local\Temp\pgtdrpod.sys


---- Kernel code sections - GMER 1.0.15 ----

C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl entry point in "" section [0xA91AF41C]
.clc C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl unknown last code section [0xA91B0000, 0x1000, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[3264] SHELL32.dll!InitNetworkAddressControl + 2939 7632006C 4 Bytes [00, 26, 00, 10] {ADD [ESI], AH; ADD [EAX], DL}

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73EF8864] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73F39855] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73EFB984] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73EEFB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73EF7A29] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73EEEA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73F2B12D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73EFBC4A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73EF0756] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73EF06BD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73EE71B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73F7D9E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73F17329] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73EEE109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73EE697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73EE69A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73EF2475] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [100027E0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001D90] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10002B30] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100011D0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
IAT C:\Windows\Explorer.EXE[3264] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [6708F563] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

tamwood March 19th, 2012 06:23 PM

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-19 12:51:57
-----------------------------
12:51:57.754 OS Version: Windows 6.0.6001 Service Pack 1
12:51:57.754 Number of processors: 2 586 0xF0D
12:51:57.756 ComputerName: ASPIRE UserName: leigh
12:51:59.526 Initialize success
12:52:59.905 AVAST engine defs: 12031700
12:54:39.577 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
12:54:39.581 Disk 0 Vendor: Hitachi_HTS543225L9A300 FBEOC40C Size: 238475MB BusType: 3
12:54:39.601 Disk 0 MBR read successfully
12:54:39.607 Disk 0 MBR scan
12:54:39.637 Disk 0 unknown MBR code
12:54:39.644 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 10244 MB offset 63
12:54:39.666 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 114116 MB offset 20981760
12:54:39.700 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 114113 MB offset 254691328
12:54:39.719 Disk 0 scanning sectors +488394752
12:54:39.828 Disk 0 scanning C:\Windows\system32\drivers
12:54:53.975 Service scanning
12:55:13.295 Service MpKsl04d4cb26 C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{39AF48C5-35EA-4E7E-9C64-A120B8EC7A24}\MpKsl04d4cb26.sys **LOCKED** 32
12:55:13.778 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
12:55:31.930 Modules scanning
12:55:45.756 Disk 0 trace - called modules:
12:55:45.842 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS PCIIDEX.SYS msahci.sys
12:55:45.854 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8554d780]
12:55:45.866 3 CLASSPNP.SYS[833a6745] -> nt!IofCallDriver -> [0x85381918]
12:55:45.878 5 acpi.sys[806996a0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x846128e0]
12:55:46.933 AVAST engine scan C:\Windows
12:55:51.950 AVAST engine scan C:\Windows\system32
12:59:37.998 AVAST engine scan C:\Windows\system32\drivers
12:59:51.419 AVAST engine scan C:\Users\leigh
13:01:52.835 Disk 0 MBR has been saved successfully to "D:\Virus\MBR.dat"
13:01:52.852 The log file has been saved successfully to "D:\Virus\aswMBR.txt"
13:04:32.605 AVAST engine scan C:\ProgramData
13:06:58.152 Scan finished successfully
13:07:32.819 Disk 0 MBR has been saved successfully to "D:\Virus\MBR.dat"
13:07:32.832 The log file has been saved successfully to "D:\Virus\aswMBR2.txt"

Jintan March 19th, 2012 10:42 PM

Once we finish our repairs here you do need to update to Service Pack 2, but not just yet.

Really would like to see some of what that second OTL log would have shown though.

Download HijackThis from Here. Then click on the downloaded file, and install HijackThis.

In HijackThis, click Config - Misc Tools - Open Uninstall Manager.

Click on Save List, then save that to a location you can locate again (such as the desktop). Copy/paste the contents of that back here please.


All times are GMT +1.

Copyright © Cyber Tech Help. All rights reserved. All other trademarks are the property of their respective owners.