Jump to content

Please Help, My Computer is Sick!

Recommended Posts

Got it, would you recommend getting the malwarebytes pro instead of these free options?

MBAM is to be run as an adjunct to an antivirus not as an antivirus replacement. It is compatible with most AV's and it finds quite a few threats that AV's do not ordinarily detect and remove.

I run MBAM and ESET on one of my PCs, and MSE and MBAM on the other. Also, I always keep UAC a full throttle!

Let me look at your DDS and attach now.

Share this post

Link to post
Share on other sites

Your DDS logs look pretty good.

Did you intentionally install these Programs?

SweetIM for Messenger 3.6

SweetIM Toolbar for Internet Explorer 4.2

Price Gong

Go to the Control Panel -> Programs and Features

Uninstall the following Programs: (unless you use them)

SweetIM Toolbar for Internet Explorer

AVG PC Tuneup 2011 <=== ESET detected a trojan in part of this program

Price Gong

Please delete the renamed Combofix on your desktop and download a new version from HERE or HERE

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:


Now, we have to run Combofix with a script this time as follows:

1. Open Notepad, and on the Notepad menu, choose "Format" and make sure that Word Wrap is UNchecked (disabled).

2. Copy/Paste the text in the code box below and save it to your desktop as CFScript.txt by using the File -> "Save as" function on the Notepad Menu.


BHO-X64: SWEETIE - No File
BHO-X64: PriceGong - No File
BHO-X64: AcroIEHelperStub - No File
BHO-X64: URLRedirectionBHO - No File
BHO-X64: PriceGong - No File



3. Disable all anti-malware and antivirus active protection by referring to these directions HERE

4. Close All Open Windows and Browsers,


Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will launch ComboFix.

If the run does not finish or You have problems, please launch Combofix in safe mode following the same directions as above.

If ComboFix prompts you to:

  • Update to a newer version, make sure you allow it to update.
  • Upload infected files for analysis, please allow it to do so.

Please copy/paste the log (C:\Combofix.txt) that opens when it finishes (Do NOT attach it).

Share this post

Link to post
Share on other sites

Ok I did as requested and here is the new combo fix log:

ComboFix 11-12-02.02 - Dylan 12/02/2011 20:40:03.2.8 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4031.2653 [GMT -6:00]

Running from: c:\users\Dylan\Desktop\ComboFix.exe

Command switches used :: c:\users\Dylan\Desktop\CFScript.txt

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))




















































((((((((((((((((((((((((( Files Created from 2011-11-03 to 2011-12-03 )))))))))))))))))))))))))))))))



2011-12-03 02:45 . 2011-12-03 02:45 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-12-02 16:37 . 2011-12-02 16:37 -------- d-----w- c:\program files (x86)\ESET

2011-12-02 14:03 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A149768E-64A3-4C43-922E-3B10EDCC418E}\mpengine.dll

2011-12-01 16:46 . 2011-12-01 16:54 -------- d-----w- c:\users\Dylan\AppData\Roaming\EasyBurner

2011-12-01 16:46 . 2011-12-01 16:46 -------- d-----w- c:\program files (x86)\EasyBurner

2011-12-01 16:46 . 2011-12-01 16:46 -------- d-----w- c:\users\Dylan\Tracing

2011-11-23 14:23 . 2011-11-23 15:12 -------- d-----w- c:\program files (x86)\MagicISO

2011-11-22 23:16 . 2011-11-22 23:16 -------- d-----w- c:\program files\7-Zip

2011-11-19 19:52 . 2011-11-19 19:52 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll

2011-11-19 19:52 . 2011-11-19 19:52 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll

2011-11-19 19:52 . 2011-11-19 19:52 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll

2011-11-19 19:52 . 2011-11-19 19:52 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll

2011-11-19 19:52 . 2011-11-19 19:52 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll

2011-11-19 19:52 . 2011-11-19 19:52 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll

2011-11-19 19:52 . 2011-11-19 19:52 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll

2011-11-19 19:51 . 2011-11-19 19:52 -------- d-----w- c:\program files (x86)\QuickTime

2011-11-19 19:51 . 2011-11-19 19:51 -------- d-----w- c:\programdata\Apple Computer

2011-11-17 18:57 . 2011-10-01 05:28 886784 ----a-w- c:\program files\Common Files\System\wab32.dll

2011-11-17 18:57 . 2011-10-01 04:43 708608 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll

2011-11-17 18:57 . 2011-09-29 16:24 1897328 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-11-17 18:57 . 2011-09-29 04:09 3141120 ----a-w- c:\windows\system32\win32k.sys

2011-11-07 17:45 . 2009-07-14 01:41 257024 ----a-w- c:\windows\system32\Spool\prtprocs\x64\hpzppw72.dll




(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


2011-10-24 20:29 . 2011-10-24 20:29 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx

2011-10-24 20:29 . 2011-10-24 20:29 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts

2011-10-11 15:24 . 2011-07-25 07:43 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-10-03 10:06 . 2011-10-28 02:11 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll

2011-10-01 03:21 . 2011-10-12 19:13 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-10-01 02:59 . 2011-10-12 19:13 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb



((((((((((((((((((((((((((((( SnapShot@2011-11-28_17.04.15 )))))))))))))))))))))))))))))))))))))))))


+ 2011-12-01 16:46 . 2011-12-01 16:46 81920 c:\windows\Installer\{520C2939-555B-40BF-A91B-8B671AB560EB}\NewShortcut415_4CCAB7D458B24B15A0EC604BB989DE2E.exe

+ 2011-12-01 16:46 . 2011-12-01 16:46 81920 c:\windows\Installer\{520C2939-555B-40BF-A91B-8B671AB560EB}\NewShortcut4141_0A5AF17F905D42EDA5C5E0092FE17BCD.exe

+ 2011-12-01 16:46 . 2011-12-01 16:46 81920 c:\windows\Installer\{520C2939-555B-40BF-A91B-8B671AB560EB}\NewShortcut41312_1731A9EE9C0746289A4E8E0C846C3503.exe

+ 2011-12-01 16:46 . 2011-12-01 16:46 81920 c:\windows\Installer\{520C2939-555B-40BF-A91B-8B671AB560EB}\NewShortcut4131_FFE36E03834F4130AABAE0CA500D3452.exe

+ 2011-12-01 16:46 . 2011-12-01 16:46 81920 c:\windows\Installer\{520C2939-555B-40BF-A91B-8B671AB560EB}\NewShortcut4121_559FB45329F144F986E67BE0FC74B959.exe

+ 2011-12-01 16:46 . 2011-12-01 16:46 81920 c:\windows\Installer\{520C2939-555B-40BF-A91B-8B671AB560EB}\NewShortcut4111_B9923C5ACA204943B2C2B90E2CE0771E.exe

+ 2011-12-01 16:46 . 2011-12-01 16:46 81920 c:\windows\Installer\{520C2939-555B-40BF-A91B-8B671AB560EB}\NewShortcut402_117374C798904B8FAA94F6F5BB0F1151.exe

+ 2011-12-01 16:46 . 2011-12-01 16:46 81920 c:\windows\Installer\{520C2939-555B-40BF-A91B-8B671AB560EB}\ARPPRODUCTICON.exe

+ 2011-12-03 02:46 . 2011-12-03 02:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2011-11-28 16:48 . 2011-11-28 16:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2011-12-03 02:46 . 2011-12-03 02:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

- 2011-11-28 16:48 . 2011-11-28 16:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

- 2010-09-26 05:06 . 2011-11-28 16:50 163840 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2010-09-26 05:06 . 2011-12-03 02:01 163840 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2010-09-26 05:06 . 2011-11-28 16:50 753664 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2010-09-26 05:06 . 2011-12-03 02:01 753664 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2010-09-26 03:18 . 2011-11-28 17:03 229376 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2010-09-26 03:18 . 2011-12-03 02:14 229376 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2010-09-26 03:18 . 2011-11-28 17:03 720896 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2010-09-26 03:18 . 2011-12-03 02:14 720896 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2009-07-14 05:01 . 2011-11-28 16:47 437940 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2009-07-14 05:01 . 2011-12-03 02:45 437940 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2010-09-26 05:06 . 2011-12-03 02:01 5324800 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2010-09-26 05:06 . 2011-11-28 16:50 5324800 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2011-05-07 22:23 . 2011-12-01 17:01 1152924 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1241964948-472029292-2349098027-1001-12288.dat

+ 2011-12-01 16:45 . 2011-12-01 16:45 6192128 c:\windows\Installer\2dc0e10.msi


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))



*Note* empty entries & legit default entries are not shown






2010-04-17 05:55 120176 ----a-w- c:\program files (x86)\EgisTec MyWinLocker\x86\PSDProtect.dll



"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-11-11 5495680]



"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]

"EgisUpdate"="c:\program files (x86)\EgisTec IPS\EgisUpdate.exe" [2010-03-11 201584]

"EgisTecPMMUpdate"="c:\program files (x86)\EgisTec IPS\PmmUpdate.exe" [2010-03-11 407920]

"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" [2010-03-08 260608]

"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2010-03-03 1300560]

"MDS_Menu"="c:\program files (x86)\Acer Arcade Deluxe\MediaShow Espresso\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]


c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-4-16 1127200]



"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)



Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp








R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [x]

R3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\DRIVERS\btath_flt.sys [x]

R3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys [x]

R3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\DRIVERS\btath_hcrp.sys [x]

R3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\DRIVERS\btath_rcp.sys [x]

R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]

R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-11-06 50432]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]

R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-11-02 126352]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R4 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]

R4 MWLService;MyWinLocker Service;c:\program files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [2010-04-17 305520]

S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [x]

S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [x]

S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [x]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]

S2 AtherosSvc;AtherosSvc;c:\program files (x86)\Bluetooth Suite\adminservice.exe [2010-01-18 23592]

S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe [2010-03-03 325200]

S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2010-04-23 867360]

S2 GREGService;GREGService;c:\program files (x86)\Acer\Registration\GREGsvc.exe [2010-01-08 23584]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]

S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2010-03-08 250368]

S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-11-06 144640]

S2 ODDPwrSvc;Acer ODD Power Service;c:\program files\Acer\Optical Drive Power Management\ODDPWRSvc.exe [2010-04-22 171040]

S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [x]

S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-10-01 2314240]

S2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2010-01-28 243232]

S3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys [x]

S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]



Contents of the 'Scheduled Tasks' folder


2011-12-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1241964948-472029292-2349098027-1001Core.job

- c:\users\Dylan\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-08 18:05]


2011-12-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1241964948-472029292-2349098027-1001UA.job

- c:\users\Dylan\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-08 18:05]



--------- x86-64 -----------






2010-04-17 05:58 137584 ----a-w- c:\program files (x86)\EgisTec MyWinLocker\x64\PSDProtect.dll



"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-30 10135584]

"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-03-30 907808]

"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2010-02-05 324608]

"ODDPwr"="c:\program files\Acer\Optical Drive Power Management\ODDPwr.exe" [2010-04-22 223264]

"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [bU]

"PLFSetI"="c:\windows\PLFSetI.exe" [2010-01-13 206208]

"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2010-04-23 861216]

"AtherosBtStack"="c:\program files (x86)\Bluetooth Suite\BtvStack.exe" [2010-01-18 430632]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-27 16413288]


------- Supplementary Scan -------


uLocal Page = c:\windows\system32\blank.htm

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5745g&r=273609109406l0483z166t56j5l492

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105

IE: Search the Web - c:\program files (x86)\SweetIM\Toolbars\Internet Explorer\resources\menuext.html

IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

LSP: c:\programdata\Megamedia\Megakey\msadm.dll

TCP: DhcpNameServer =


- - - - ORPHANS REMOVED - - - -


Toolbar-Locked - (no file)


WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)




--------------------- LOCKED REGISTRY KEYS ---------------------



@Denied: (A 2) (Everyone)














@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"













@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"












@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"










@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"












@Denied: (A 2) (Everyone)










[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)



[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)


[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]


"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"


[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Windows CE Services]





@Denied: (Full) (Everyone)


------------------------ Other Running Processes ------------------------


c:\program files (x86)\Bonjour\mDNSResponder.exe

c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe


c:\program files (x86)\Cyberlink\Shared files\RichVideo.exe

c:\program files (x86)\Launch Manager\LMworker.exe




Completion time: 2011-12-02 20:53:31 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-03 02:53

ComboFix2.txt 2011-11-28 17:06


Pre-Run: 420,954,087,424 bytes free

Post-Run: 420,865,871,872 bytes free


- - End Of File - - 38399C44FDCDD994CD27A4842B00CB03

Share this post

Link to post
Share on other sites

Something out of the ordinary did occur after the Combo fix reboot. When Combofix was preparing the logs, an IAStore program or application pop up came up in the background and it said to press "ok" to terminate application, or "cancel" to debug. I pressed "ok" in order to terminate the program because combofix said not to allow any processes to run while preparing the log... I'm not sure what this was all about, but maybe you do.

Share this post

Link to post
Share on other sites

I think I'm going to call it a night. We made some serious progress today! Thank you so much for you help, you're awesome. I probably won't home until mid afternoon tomorrow. Talk to you then!

Share this post

Link to post
Share on other sites

I honestly do not know why that IAStore pop-up appeared, but as long as Combofix finished and produced a log, I would not worry about what seems to be a one-time occurrence. If there had been a blue screen I would be more concerned.

Yes, we did make substantial progress yesterday and it's just about time to wrap things up.

But, before we do, there's something you should do now that your MBR is clean:

Back up your clean MBR

  • Delete the infected MBR.dat on your desktop
  • Right-click aswMBR.exe on your desktop and select "Run as Administrator"
  • Post the contents of the log that opens in your next reply
  • Zip up MBR.dat and attach it to your next reply
  • Retain mbr.dat (it is only 512 bytes) so your have a clean MBR that can be restored in the event it ever becomes infected again
  • Copy MBR.dat to a CD or USB for safekeeping.

Share this post

Link to post
Share on other sites

Alright I deleted the MBR.dat file, and ran aswMBR, here is my aswMBR log, I downloaded Avast! since that was one of the antivirus programs you recommended:

aswMBR version Copyright© 2011 AVAST Software

Run date: 2011-12-03 14:33:57


14:33:57.761 OS Version: Windows x64 6.1.7600

14:33:57.761 Number of processors: 8 586 0x1E05

14:33:57.761 ComputerName: COOKAAYMONSTER UserName: Dylan

14:33:59.399 Initialize success

14:35:33.676 AVAST engine defs: 11120302

14:36:25.936 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

14:36:25.936 Disk 0 Vendor: Hitachi_ PB4O Size: 476940MB BusType: 3

14:36:25.952 Disk 0 MBR read successfully

14:36:25.967 Disk 0 MBR scan

14:36:25.967 Disk 0 Windows 7 default MBR code

14:36:25.983 Service scanning

14:36:27.215 Modules scanning

14:36:27.215 Disk 0 trace - called modules:

14:36:27.246 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll

14:36:27.262 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004e03060]

14:36:27.262 3 CLASSPNP.SYS[fffff88001af643f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004b13050]

14:36:28.604 AVAST engine scan C:\Windows

14:36:32.816 AVAST engine scan C:\Windows\system32

14:37:59.723 AVAST engine scan C:\Windows\system32\drivers

14:38:10.435 AVAST engine scan C:\Users\Dylan

14:42:57.062 AVAST engine scan C:\ProgramData

14:45:13.204 Scan finished successfully

14:48:27.131 Disk 0 MBR has been saved successfully to "C:\Users\Dylan\Downloads\MBR.dat"

14:48:27.131 The log file has been saved successfully to "C:\Users\Dylan\Downloads\aswMBR log.txt"

Share this post

Link to post
Share on other sites

Excellent job!

Your scans are all coming up clean now and the rootkit that was causing your redirect problems has been disinfected.

We have a perform a few "housekeeping" steps to remove the clean-up tools that we used!!

  • Please delete these programs from your Desktop (or their download location):
    TDSSKiller, MBRCheck, ASWMBR.exe
  • Please retain the back-up copy of your MBR and make sure that you have burned it to CD or copied it to USB for safekeeping, so you have it in the event You need to restore it.

To remove Combofix and it's quarantine folder:

  • Click Start -> type "run" into the Start Search box, the double-click the "Run" that appears under the "Programs" category at the top
  • Copy/paste the following bolded text into the Start Search box and select OK:
  • "%userprofile%\desktop\combofix.exe" /uninstall

This will do the following:

  • Uninstall Combofix and all its associated files and folders.
  • Flush your system restore points and create a new restore point.
  • Rehide your system files and folders
  • Reset your system clock
  • Disable autorun to prevent you from contracting USB transferred infections. You can still access all plugged in devices via My Computer (or Computer in Vista & W7) or by hitting the (Windows key + E) simultaneously to open Windows Explorer


Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC be vulnerable, using the Secunia Online Software Inspector (OSI) by clicking the Start Scanner button. This is very important because recent statistics confirm that an overwhelming majority of infections are aquired through application not Operating System flaws. Commonly used programs like Quicktime, Java, and Adobe Acrobat Reader, itunes, FlashPlayer and many others are frequently targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.

3. You should visit the Windows Updates website, and obtain the most current updates/patches for your Operating System and Internet Explorer.

  • The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Update or by acessing Windows Update through your Start Menu
  • However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis.
  • It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system.
  • Windows Updates (including a new Microsoft Malicious Software Removal Tool (MSRT)) are released on the second Tuesday of every month.

Finally, please review the additional suggestions offered by Tony Klein in How did I get infected in the first place. so you can maintain a safe and secure computing environment.

Happy Surfing! :)

Share this post

Link to post
Share on other sites

Do I need to keep the aswMBR logs as well or just the MBR zip? Do I need DDS or Gparted any longer? It doesn't seem combofix was fully uninstalled, it still seems to remain in Computer/(C:)/Users/Dylan/Downloads/Combofix, should I just manually delete this one, or is there another tricky way to take care of this?

Share this post

Link to post
Share on other sites

Also Secunia tells me my flashplayer is out of date, but then I visit the adobe flash website, and it says Flash is incorporated in googlechrome, and will update itself when needed... so I guess that one is ok even though Secunia says it is not?

Share this post

Link to post
Share on other sites
Do I need to keep the aswMBR logs as well or just the MBR zip? Do I need DDS or Gparted any longer? It doesn't seem combofix was fully uninstalled, it still seems to remain in Computer/(C:)/Users/Dylan/Downloads/Combofix, should I just manually delete this one, or is there another tricky way to take care of this?

Good question - it is a good idea to keep the MBR logs so they can be compared to logs acquired at a future date if the need arises.

You do not need DDS or GParted. The "first" because you should always download the latest copy of any system analysis program, and the "second" because you haven't been able to tweak your system to boot from CD. I would contact Acer support about that issue.

Since Combofix is in your downloads directory issue this command from the run line (start -> run):

"C:/Users/Dylan/Downloads/Combofix" /uninstall

If that doesn't work, you can manually delete the C:\Combofix and C:\Qoobox folders and set a new system restore point:


Also Secunia tells me my flashplayer is out of date, but then I visit the adobe flash website, and it says Flash is incorporated in googlechrome, and will update itself when needed... so I guess that one is ok even though Secunia says it is not?

That is the beauty of Chrome (its add-ons are built in and self-updating) , so you can ignore that and BTW the current version of Adobe Flash Player is


Share this post

Link to post
Share on other sites

Alright, So I am a bit afraid to plug my external hard drive back into my computer, is there anything I should do prior to doing so? or just plug it in and scan it. I also just downloaded the free version of avast!, because I noticed that it did not remain after running the DDS scan, and it gave me the pro version for free to try for 30 days. When I downloaded this program it said it was creating a new system restore point for me, will this suffice or do I need to create another one myself?

Share this post

Link to post
Share on other sites

Whenever you install a new program or Windows Updates, a new restore point is created, so that restore point will suffice.

You can plug in your external hard drive, and first scan it with a Malwarebytes quick scan. Then perform a full system scan with an updated Avast, followed by a full MBAM scan. If anything is detected you can post those logs.

Share this post

Link to post
Share on other sites

I want to start by apologizing for the lack of response on my part, my internet has been down, and comcast is still trying to fix the issues. So my external hard drive seems to have remained uninfected. I ran Avast! full scan, and it did find malware on my computer, and recommended I run another scan during the boot of my computer, which I did, and it found more problems, which I told it to fix, but it also found files that say ERROR file is a decompression bomb... I have no idea what this means, but there didn't seem to be a way to fix these problems with the scan. Then I ran malwarebytes full scan when my computer booted up, and this came out clean. Next I ran another Avast! full scan, and in this scan it found about ten or so files that it said it could not scan because they were archived files that were password protected. I have no idea why these would exist, or what their password would be. Once again I am sorry for not responding sooner.

Share this post

Link to post
Share on other sites

I fully understand your lack of internet issues. No need to apologize though it is appreciated.

This is the AVAST USER MANUAL in PDF Format:


If you go to page 41, it will tell you how to create a Report file:

How to create a report of the scan results

You can c rea te a permanent record of the resul t of each scan by c rea t ing a report

which you can then view later. To create a report, first access the options menu as

desc ribed on page 25 and select “Settings”. Next click on “Reports” and in the next

sc reen, chec k the box “Crea te report file” as shown below.

Save the Report as a TXT file by using the Text File radio button under "Type of File", and then attach it to your next reply.


Share this post

Link to post
Share on other sites

Ok, so my Avast! doesn't have an up arrow in the top left corner, and when I right click on the screen it doesn't do anything. I'm thinking that maybe since I have the trial version, it may not let me save my logs... I've searched though the help menu several times, and it is frankly, not helpful at all at helping you to navigate to the settings.

Share this post

Link to post
Share on other sites

So since I can not paste these logs I will manually type them, this log is from this morning:

File Name: Status:

C:/ProgramDa.6256.ta/Soluto/Dumps/ApplicationDumps/vlc.exe.6256.dmp Error File is offline - File is currently unavailable(42006)

C:/program files/avast software/avast/defs/11120801/algo.dll Error System can not find the path specified (3)

C:/program files/avast software/avast/defs/11120801/aswcnmbs.dll Error System can not find the path specified (3)

C:/program files/avast software/avast/defs/11120801/aswcnmis.dll Error System can not find the path specified (3)

C:/program files/avast software/avast/defs/11120801/aswcnmos.dll Error System can not find the path specified (3)

C:/program files/avast software/avast/defs/11120801/aswengin.dll Error System can not find the path specified (3)

C:/program files/avast software/avast/defs/11120801/aswfidb.dll Error System can not find the path specified (3)

C:/program files/avast software/avast/defs/11120801/aswrep.dll Error System can not find the path specified (3)

C:/program files/avast software/avast/defs/11120801/aswscan.dll Error System can not find the path specified (3)

Share this post

Link to post
Share on other sites

I also ran a scan on 12/5 and here is the gist of those results as I don't want retype this looooong list:

File Name:


There are approximately 90 of these files that begin with this source, and then are altered in different ways some files say language, others bg, buttons, and icon. For example:






All these files say Error Archive is password protected

Hopefully this isn't too confusing.....

Share this post

Link to post
Share on other sites

These are the results from my Avast! boot time scan:

C:/OEM/Preload/Autorun/APP/Acer Backup Manager/Data1.cab|>mui.exe Error File is a Decompression Bomb

:Volume{cb2a7676-8f0e-11df-8051-806e6f6e6963/D2D/Images/POP0109Z0OX00CE18.SWM|>mui.exe Error File is a Decompression Bomb

There were also several Java Agent threats in my Temp folder...

Share this post

Link to post
Share on other sites
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.