Author Topic: vista anti-spyware infection  (Read 4034 times)

0 Members and 1 Guest are viewing this topic.

Offline winchester73

  • Half a bubble off plumb
  • Administrator
  • Hero Member
  • *****
  • Posts: 5949
  • Liverpool FC - YNWA
    • View Profile
Re: vista anti-spyware infection
« Reply #15 on: September 25, 2011, 11:48:08 AM »
Did you run the System File Checker tool?

http://support.microsoft.com/kb/958044
Justice for the 96
15/4/89, 3.06pm
Hillsborough, Sheffield
YOU'LL NEVER WALK ALONE

Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14675
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: vista anti-spyware infection
« Reply #16 on: September 25, 2011, 01:57:38 PM »
Hi, chbq. 

Running the System File Checker Tool is the first step to see if it will correct the problem.  However, if not, based on the Error Code, you will need to take additional steps.

The System Update Readiness Tool may solve the problem with Error Code 80070490.  You can download it from Description of the System Update Readiness Tool for Windows Vista, for Windows Server 2008, for Windows 7, and for Windows Server 2008 R2.  You will need the version identified as "All supported x86-based versions of Windows Vista".

Note:  The System Update Readiness Tool scans for inconsistencies in your computer, while it is being installed. It typically takes less than 15 minutes to run the scan, however, the tool might take significantly longer on some environments. Although the progress bar may appear to stop, the scan is still running and you should not cancel the update.

Unfortunately, if that tool does not solve the problem, you will need to do a repair install.  Additional information is available at Windows Update error 80070490.  Illustrated instructions are in the following Bleeping Computer tutorial:  How to automatically repair Windows Vista using Startup Repair.



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline chbq

  • Jr. Member
  • **
  • Posts: 16
    • View Profile
Re: vista anti-spyware infection
« Reply #17 on: September 29, 2011, 11:43:08 AM »
Good morning,
     
   I have followed your instructions.  Looks like the repair installation is needed.  The "install windows Vista"  screen does not give the "Repair your computer" option as shown in the Bleeping computer tutorial - options given are" what to know before installing windows" and "transfer files and settings from another computer".  I clicked on "install now" and "go online to get latest updates for installation".  The next screen says"Upgrade has been disabled",  "The upgrade cannotbe started.  To upgrade, cancel the installation and then choose to upgrade toa version of Windows that is more recent than the version you are currently running." 

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14675
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: vista anti-spyware infection
« Reply #18 on: September 29, 2011, 04:41:54 PM »
Hi, chbq.

You have several options, although the first two may still lead to the same recommendation to do a repair install.  Based on the message, are you certain you had the Vista media? 

First, if you are unable to get any Microsoft Security Updates, I suggest that you go to http://supportservices.microsoft.com/support/services/windows_update for free assistance or call Microsoft Security Support.  The number is listed here:  Telephone Support..

Second, if it is only Microsoft Security Essentials you are unable to install, you can Submit a support case online.

Third, because you have SP2 installed, it appears it will be necessary to create a Vista SP2 slipstream installation DVD to use to do a Repair (upgrade) install.  Note that this does not always work to use for a Repair install.  Additional information at http://www.vistax64.com/tutorials/88236-repair-install-vista.html and http://www.vistax64.com/tutorials/230249-sliptream-vista-sp2.html


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline chbq

  • Jr. Member
  • **
  • Posts: 16
    • View Profile
Re: vista anti-spyware infection
« Reply #19 on: October 10, 2011, 10:14:18 PM »
Hi Corrine,

 I was unable to get ANY Microsoft Security updates so I followed your first suggestion and went to the microsoft support services website.  The expert/tech person there took control of my laptop and did something which allowed the ms security update to install.  Thank you..

Now, should I still complete your third suggestion to create a Vista SP2 slipstream installation DVD to use to do a Repair (upgrade) install?
Also, websites are extremely slow to load, any suggestions?

thanks for all your help

chbq

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14675
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: vista anti-spyware infection
« Reply #20 on: October 10, 2011, 11:10:39 PM »
Hi, chbq.  Welcome back!

Solving the problem to enable installing Microsoft updates was the primary goal, which has now been achieved.  Are you able to run programs normally now?  Did you solve the antivirus issues?  At the time of your original posting, there were other updates needed too.

To see where things stand now, it would be best if you were to post a fresh DDS log. 


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline chbq

  • Jr. Member
  • **
  • Posts: 16
    • View Profile
Re: vista anti-spyware infection
« Reply #21 on: October 11, 2011, 12:00:26 AM »
here is the first log.  Should it be sent this way-or as an attachment  The second log is an attachment.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6002.18005
Run by Streetroad at 20:45:25 on 2011-10-10
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3573.1646 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe
C:\Windows\system32\atashost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10v_ActiveX.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\mcafee\virusscan\mcinsupd.exe
C:\Windows\system32\msfeedssync.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://www.msn.com
mURLSearchHooks: Elf 1 Toolbar: {22e03916-85c5-44b0-8dc9-1830c11238d9} - c:\program files\elf_1\tbElf_.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Elf 1 Toolbar: {22e03916-85c5-44b0-8dc9-1830c11238d9} - c:\program files\elf_1\tbElf_.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111010204355.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Elf 1 Toolbar: {22e03916-85c5-44b0-8dc9-1830c11238d9} - c:\program files\elf_1\tbElf_.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: @c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [<NO NAME>]
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office2002\office10\OSA.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{049D02FF-DEF2-4899-BEDE-188A05E17259} : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{ECD99D08-706B-40D2-BDE6-AFCDCCA94FFB} : DhcpNameServer = 209.18.47.61 209.18.47.62
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-6-5 461864]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2011-6-4 64712]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-6-4 164776]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl19f6438f;MpKsl19f6438f;c:\programdata\microsoft\microsoft antimalware\definition updates\{8b17ec82-6b9f-4e16-b6a2-e99ff39b10f3}\MpKsl19f6438f.sys [2011-10-10 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-6-4 57432]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-7-8 111616]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-6-4 180072]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-6-4 59288]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-6-4 338040]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-6-4 87808]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-8 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-8 40552]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
.
=============== Created Last 30 ================
.
2011-10-11 00:35:55   28752   ----a-w-   c:\programdata\microsoft\microsoft antimalware\definition updates\{8b17ec82-6b9f-4e16-b6a2-e99ff39b10f3}\MpKsl0a76aca4.sys
2011-10-10 16:54:33   28752   ----a-w-   c:\programdata\microsoft\microsoft antimalware\definition updates\{8b17ec82-6b9f-4e16-b6a2-e99ff39b10f3}\MpKsl19f6438f.sys
2011-10-10 16:54:01   56200   ----a-w-   c:\programdata\microsoft\microsoft antimalware\definition updates\{8b17ec82-6b9f-4e16-b6a2-e99ff39b10f3}\offreg.dll
2011-10-10 16:53:49   7269712   ----a-w-   c:\programdata\microsoft\microsoft antimalware\definition updates\{8b17ec82-6b9f-4e16-b6a2-e99ff39b10f3}\mpengine.dll
2011-09-29 11:22:52   --------   d-----w-   c:\users\streetroad\appdata\local\ElevatedDiagnostics
2011-09-19 14:28:26   7269712   ----a-w-   c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-09-18 01:17:12   439632   ------w-   c:\programdata\microsoft\microsoft antimalware\definition updates\{a99dffbf-0edf-45ee-9a23-a8b2d5713bef}\gapaengine.dll
2011-09-18 01:10:04   --------   d-----w-   c:\program files\Microsoft Security Client
2011-09-15 10:01:51   2409784   ----a-w-   c:\program files\windows mail\OESpamFilter.dat
.
==================== Find3M  ====================
.
2011-09-26 00:38:28   7680   ----a-w-   c:\windows\system32\acledit.dll
2011-08-31 21:00:50   22216   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-08-15 14:00:06   9344   ----a-w-   c:\windows\system32\drivers\mfeclnk.sys
2011-08-15 14:00:06   87808   ----a-w-   c:\windows\system32\drivers\mferkdet.sys
2011-08-15 14:00:06   64712   ----a-w-   c:\windows\system32\drivers\mfenlfk.sys
2011-08-15 14:00:06   59288   ----a-w-   c:\windows\system32\drivers\mfebopk.sys
2011-08-15 14:00:06   57432   ----a-w-   c:\windows\system32\drivers\cfwids.sys
2011-08-15 14:00:06   461864   ----a-w-   c:\windows\system32\drivers\mfehidk.sys
2011-08-15 14:00:06   338040   ----a-w-   c:\windows\system32\drivers\mfefirek.sys
2011-08-15 14:00:06   180072   ----a-w-   c:\windows\system32\drivers\mfeavfk.sys
2011-08-15 14:00:06   164776   ----a-w-   c:\windows\system32\drivers\mfewfpk.sys
2011-08-15 14:00:06   119808   ----a-w-   c:\windows\system32\drivers\mfeapfk.sys
2011-08-11 01:49:44   404640   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-22 13:54:40   1383424   ----a-w-   c:\windows\system32\mshtml.tlb
.
============= FINISH: 20:48:15.37 ===============


Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14675
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: vista anti-spyware infection
« Reply #22 on: October 11, 2011, 01:15:58 PM »
Here is the DDS.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 7/7/2009 10:04:52 AM
System Uptime: 10/10/2011 8:35:09 PM (0 hours ago)
.
Motherboard: Dell Inc. |  | 0U990C
Processor: Intel(R) Core(TM)2 Duo CPU     T5550  @ 1.83GHz | Microprocessor | 1000/166mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 295 GiB total, 252.735 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: Photosmart Plus B209a-m
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: Photosmart Plus B209a-m
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart Plus B209a-m
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart Plus B209a-m
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
==== System Restore Points ===================
.
RP1222: 10/7/2011 8:26:59 PM - Windows Update
RP1223: 10/9/2011 10:17:15 AM - Windows Update
RP1224: 10/10/2011 12:53:05 PM - Windows Update
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.4.5
Advanced Audio FX Engine
Advanced Video FX Engine
Apple Application Support
Apple Software Update
B209a-m
Bing Bar
Bing Bar Platform
Bing Rewards Client Installer
BufferChm
CCleaner
Conduit Engine
Conexant HDA D330 MDC V.92 Modem
Coupon Printer for Windows
CutePDF Writer 2.8
D3DX10
Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell Resource CD
Dell Touchpad
Dell Webcam Center
Dell Webcam Manager
Destinations
DeviceDiscovery
Elf 1 Toolbar
ESET Online Scanner v3
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
GPBaseService2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Imaging Device Functions 13.0
HP Photosmart Plus B209a-m All-In-One Driver Software 13.0 Rel .6
HP Print Projects 1.0
HP Smart Web Printing 4.5
HP Solution Center 13.0
HP Update
HPPhotoGadget
hpPrintProjects
HPProductAssistant
hpWLPGInstaller
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
Intuit SiteBuilder
Java Auto Updater
Java(TM) 6 Update 22
Laptop Integrated Webcam Driver (1.04.01.1011) 
Malwarebytes' Anti-Malware version 1.51.2.1300
Marvell Miniport Driver
McAfee Security Scan Plus
McAfee Total Protection
mCore
mDriver
mHelp
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Default Manager
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Home and Student 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft Office XP Media Content
Microsoft Office XP Small Business
Microsoft Search Enhancement Pack
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Works
mMHouse
mPfMgr
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
mWMI
Network
OGA Notifier 2.0.0048.0
OpenOffice.org 3.2
PS_AIO_06_B209a-m_SW_Min
QuickBooks
QuickBooks Pro 2009
QuickSet
QuickTime
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft Excel 2010 (KB2553070)
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2584066)
Segoe UI
SigmaTel Audio
Skype Toolbars
Skype™ 5.1
SmartWebPrinting
SolutionCenter
Status
SUPERAntiSpyware Free Edition
SupportSoft Assisted Service
Toolbox
TrayApp
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Outlook Social Connector (KB2583935)
WebEx Support Manager for Internet Explorer
WebReg
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
.
==== Event Viewer Messages From Past Week ========
.
10/9/2011 7:39:19 AM, Error: Service Control Manager [7034]  - The HP Network Devices Support service terminated unexpectedly.  It has done this 2 time(s).
10/9/2011 10:18:15 AM, Error: Microsoft Antimalware [3002]  - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.     Feature: Network Inspection System     Error Code: 0x8007042c     Error description: The dependency service or group failed to start.      Reason: The system is missing updates that are required for running Network Inspection System.  Install the required updates and restart the computer.
10/9/2011 10:17:44 AM, Error: Service Control Manager [7034]  - The HP Network Devices Support service terminated unexpectedly.  It has done this 3 time(s).
10/7/2011 8:28:22 PM, Error: Microsoft Antimalware [3002]  - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.     Feature: Network Inspection System     Error Code: 0x8007042c     Error description: The dependency service or group failed to start.      Reason: The system is missing updates that are required for running Network Inspection System.  Install the required updates and restart the computer.
10/7/2011 8:17:29 AM, Error: Service Control Manager [7034]  - The HP Network Devices Support service terminated unexpectedly.  It has done this 1 time(s).
10/7/2011 8:17:07 AM, Error: Service Control Manager [7034]  - The Diagnostic System Host service terminated unexpectedly.  It has done this 1 time(s).
10/7/2011 8:17:07 AM, Error: Service Control Manager [7031]  - The WLAN AutoConfig service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
10/7/2011 8:17:07 AM, Error: Service Control Manager [7031]  - The Windows Driver Foundation - User-mode Driver Framework service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
10/7/2011 8:17:07 AM, Error: Service Control Manager [7031]  - The Windows Audio Endpoint Builder service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/7/2011 8:17:07 AM, Error: Service Control Manager [7031]  - The Tablet PC Input Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/7/2011 8:17:07 AM, Error: Service Control Manager [7031]  - The Superfetch service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/7/2011 8:17:07 AM, Error: Service Control Manager [7031]  - The ReadyBoost service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/7/2011 8:17:07 AM, Error: Service Control Manager [7031]  - The Program Compatibility Assistant Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/7/2011 8:17:07 AM, Error: Service Control Manager [7031]  - The Portable Device Enumerator Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
10/7/2011 8:17:07 AM, Error: Service Control Manager [7031]  - The Network Connections service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 100 milliseconds: Restart the service.
10/7/2011 8:17:07 AM, Error: Service Control Manager [7031]  - The Distributed Link Tracking Client service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
10/7/2011 8:17:07 AM, Error: Service Control Manager [7031]  - The Desktop Window Manager Session Manager service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
10/7/2011 8:16:54 AM, Error: Microsoft-Windows-Dhcp-Client [1001]  - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001DE05C3777.  The following error occurred:  The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
10/7/2011 8:16:40 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
10/7/2011 8:16:12 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
10/7/2011 8:05:04 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the PlugPlay service.
10/5/2011 9:19:53 PM, Error: Microsoft Antimalware [3002]  - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.     Feature: Network Inspection System     Error Code: 0x8007042c     Error description: The dependency service or group failed to start.      Reason: The system is missing updates that are required for running Network Inspection System.  Install the required updates and restart the computer.
10/5/2011 9:18:00 PM, Error: volsnap [25]  - The shadow copies of volume C: were deleted because the shadow copy storage could not grow in time.  Consider reducing the IO load on the system or choose a shadow copy storage volume that is not being shadow copied.
10/5/2011 8:58:17 PM, Error: Microsoft Antimalware [3002]  - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.     Feature: Network Inspection System     Error Code: 0x8007042c     Error description: The dependency service or group failed to start.      Reason: The system is missing updates that are required for running Network Inspection System.  Install the required updates and restart the computer.
10/4/2011 8:02:24 PM, Error: Microsoft Antimalware [3002]  - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.     Feature: Network Inspection System     Error Code: 0x8007042c     Error description: The dependency service or group failed to start.      Reason: The system is missing updates that are required for running Network Inspection System.  Install the required updates and restart the computer.
10/4/2011 7:42:17 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the HPSLPSVC service.
10/4/2011 3:17:35 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WerSvc service.
10/3/2011 8:08:16 PM, Error: Service Control Manager [7031]  - The McAfee McShield service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.
10/10/2011 8:36:31 PM, Error: Service Control Manager [7000]  - The Parallel port driver service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
10/10/2011 8:35:55 PM, Error: Microsoft Antimalware [3002]  - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.     Feature: Network Inspection System     Error Code: 0x8007042c     Error description: The dependency service or group failed to start.      Reason: The system is missing updates that are required for running Network Inspection System.  Install the required updates and restart the computer.
10/10/2011 8:35:41 PM, Error: EventLog [6008]  - The previous system shutdown at 8:33:43 PM on 10/10/2011 was unexpected.
10/10/2011 8:26:36 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the McShield service.
10/10/2011 6:49:02 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the STacSV service.
10/10/2011 12:54:40 PM, Error: Microsoft Antimalware [3002]  - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.     Feature: Network Inspection System     Error Code: 0x8007042c     Error description: The dependency service or group failed to start.      Reason: The system is missing updates that are required for running Network Inspection System.  Install the required updates and restart the computer.
.
==== End Of File ===========================


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14675
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: vista anti-spyware infection
« Reply #23 on: October 11, 2011, 01:45:47 PM »
Hi, Hi, chbq.

From your log, I see you were successful in installing Microsoft Security Essentials.  However, McAfee is still active on your computer, which could be part of the problem for it being slow.  Having two antivirus solutions can also cause conflicts.  If you still wish to continue with Microsoft Security Essentials, please uninstall McAfee.  Please follow the instructions at How to uninstall or reinstall supported McAfee consumer products using the McAfee Consumer Products Removal tool (MCPR.exe).

Following that, let's deal with the leftovers from the original infection and do some additional cleanup.

Please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1
Link 2

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray. 

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

Now, please run ComboFix:
  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline chbq

  • Jr. Member
  • **
  • Posts: 16
    • View Profile
Re: vista anti-spyware infection
« Reply #24 on: October 12, 2011, 12:05:11 AM »
HI Corinne,

   Which program offers more protection - McAfee or Microsoft Security  Essentials?

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14675
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: vista anti-spyware infection
« Reply #25 on: October 12, 2011, 01:15:34 PM »
Hi, chbq.

When it comes to security software and which one is better, the answer you get will likely depend on the experiences of the person you are asking.  My personal choice when it comes to a paid/licensed solution is ESET.  Microsoft Security Essentials is my preference for a free solution.  You may find Ed Bott's articles interesting:  Microsoft vs. McAfee: How free antivirus outperformed paid and Why McAfee is still at the top of my Not Recommended list.

Note:  If you elect to remove McAfee, be sure the Windows Vista Firewall is turned on.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline chbq

  • Jr. Member
  • **
  • Posts: 16
    • View Profile
Re: vista anti-spyware infection
« Reply #26 on: October 12, 2011, 05:30:53 PM »
Hi Corinne,
    I ran ComboFix.  The log is attached.
    I deleted McAfee and left MSE on.  What free antivirus/anti malware, etc programs should I keep on the computer along with MSE?

Edited by Corrine to add copy/paste of log:

ComboFix 11-10-12.01 - Streetroad 10/12/2011  13:51:43.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3573.2340 [GMT -4:00]
Running from: c:\users\Streetroad\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Roaming
c:\programdata\Roaming\Intel\Wireless\Settings\Settings.ini
c:\users\Streetroad\GoToAssistDownloadHelper.exe
.
.
(((((((((((((((((((((((((   Files Created from 2011-09-12 to 2011-10-12  )))))))))))))))))))))))))))))))
.
.
2011-10-12 18:02 . 2011-10-12 18:02   --------   d-----w-   c:\users\Default\AppData\Local\temp
2011-10-12 15:33 . 2011-10-12 15:33   28752   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{019F4673-B93C-4142-B464-3A3023EC0E4C}\MpKsl4089193d.sys
2011-10-12 15:33 . 2011-10-12 15:33   56200   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{019F4673-B93C-4142-B464-3A3023EC0E4C}\offreg.dll
2011-10-11 23:15 . 2010-11-30 15:43   439632   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-10-11 23:15 . 2011-10-11 23:15   703824   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{16334273-19E0-46C6-9AAC-F5B2DAB571AC}\gapaengine.dll
2011-10-11 23:15 . 2011-09-12 23:14   7269712   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{019F4673-B93C-4142-B464-3A3023EC0E4C}\mpengine.dll
2011-09-29 11:22 . 2011-09-29 11:22   --------   d-----w-   c:\users\Streetroad\AppData\Local\ElevatedDiagnostics
2011-09-19 14:28 . 2011-09-12 23:14   7269712   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-09-19 00:14 . 2011-09-19 00:14   --------   d-----w-   c:\users\Default\AppData\Local\Microsoft Help
2011-09-18 01:10 . 2011-09-18 01:10   --------   d-----w-   c:\program files\Microsoft Security Client
2011-09-15 10:01 . 2011-08-10 12:14   2409784   ----a-w-   c:\program files\Windows Mail\OESpamFilter.dat
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 00:38 . 2006-11-02 08:42   7680   ----a-w-   c:\windows\system32\acledit.dll
2011-08-31 21:00 . 2011-05-23 02:14   22216   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-08-11 01:49 . 2011-08-11 01:49   404640   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-22 13:54 . 2011-08-10 23:20   1383424   ----a-w-   c:\windows\system32\mshtml.tlb
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22e03916-85c5-44b0-8dc9-1830c11238d9}]
2010-12-09 17:51   3911776   ----a-w-   c:\program files\Elf_1\tbElf_.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-09 17:51   3911776   ----a-w-   c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{22e03916-85c5-44b0-8dc9-1830c11238d9}"= "c:\program files\Elf_1\tbElf_.dll" [2010-12-09 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{22e03916-85c5-44b0-8dc9-1830c11238d9}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{22E03916-85C5-44B0-8DC9-1830C11238D9}"= "c:\program files\Elf_1\tbElf_.dll" [2010-12-09 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{22e03916-85c5-44b0-8dc9-1830c11238d9}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-15 1532760]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office2002\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59   937920   ----a-r-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02   37296   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-10-25 20:31   167936   ----a-w-   c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 23:43   118784   ------w-   c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33   125952   ----a-w-   c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-15 16:41   166424   ----a-w-   c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-03-12 17:08   49208   ----a-w-   c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-15 16:41   141848   ----a-w-   c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2011-06-15 05:32   1532760   ----a-w-   c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2011-08-31 21:00   1047208   ----a-w-   c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2011-06-15 19:16   997920   ----a-w-   c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-11-10 06:54   4240760   ----a-w-   c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Cfg.exe]
2007-10-10 21:02   28672   ----a-w-   c:\windows\OEM02Cfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
2007-05-10 08:01   36864   ----a-w-   c:\windows\OEM02Mon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-15 16:41   133656   ----a-w-   c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28   1233920   ----a-w-   c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2008-02-16 01:23   405504   ----a-w-   c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-01-26 22:05   15026056   ----a-r-   c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44   248552   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-02-18 21:40   2012912   ----a-w-   c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-09-02 00:19   39408   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38   1008184   ----a-w-   c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33   202240   ----a-w-   c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R1 MpKsl5c475539;MpKsl5c475539;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BF15BDA8-FC53-4B1A-8E3B-AE2017335176}\MpKsl5c475539.sys

R1 MpKsld59740f2;MpKsld59740f2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5C20B806-EB8F-4488-B77E-4694471100BE}\MpKsld59740f2.sys

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-20 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-20 136176]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 MpKsl4089193d;MpKsl4089193d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{019F4673-B93C-4142-B464-3A3023EC0E4C}\MpKsl4089193d.sys [2011-10-12 28752]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe [2007-09-20 73728]
S2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2009-03-06 20376]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2007-06-07 111616]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL4089193D
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
HPService   REG_MULTI_SZ      HPSLPSVC
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-20 01:42]
.
2011-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-20 01:42]
.
2011-10-12 c:\windows\Tasks\User_Feed_Synchronization-{09EF6CBD-21A8-48AF-85FD-59B0FD19850D}.job
- c:\windows\system32\msfeedssync.exe [2009-08-11 07:33]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
MSConfigStartUp-mcui_exe - c:\program files\McAfee.com\Agent\mcagent.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-12 14:03
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-10-12  14:12:46
ComboFix-quarantined-files.txt  2011-10-12 18:12
.
Pre-Run: 268,111,982,592 bytes free
Post-Run: 268,078,727,168 bytes free
.
- - End Of File - - 5C06DF5DB42E2B1EE9734CC6C319EA6D



Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14675
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: vista anti-spyware infection
« Reply #27 on: October 12, 2011, 07:45:19 PM »
Hi, chbq.

Let's start with the outdated/vulnerable software on your computer.  We'll talk about ongoing security after I know things are back to normal.

Please download JavaRa and unzip it to your desktop.

  • Double-click on JavaRa.exe to start the program.  (Windows Vista users Right-click JavaRa.exe > Select Run as Administrator)
  • Click on Remove Older Versions to remove older versions of Java.
  • A logfile will pop up. Please save it to a convenient location.

Then download and install Java SE Runtime Environment 6u27.   

Note:  UNCHECK any pre-checked toolbar and/or software options presented with the update.  They are not part of the software update and are completely optional.   

Next comes Adobe Reader, which has also had a number of critical security updates.  Install the latest version of Adobe Reader from http://www.adobe.com/products/reader/

After those updates have been completed, please do the following:

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:
Code: [Select]
Registry::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} -
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} -
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} -
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.




  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline chbq

  • Jr. Member
  • **
  • Posts: 16
    • View Profile
Re: vista anti-spyware infection
« Reply #28 on: October 13, 2011, 12:34:05 AM »
Hi Corinne,
  This is the latest log. 
ComboFix 11-10-12.04 - Streetroad 10/12/2011  21:01:11.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3573.1974 [GMT -4:00]
Running from: c:\users\Streetroad\Desktop\ComboFix.exe
Command switches used :: c:\users\Streetroad\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2011-09-13 to 2011-10-13  )))))))))))))))))))))))))))))))
.
.
2011-10-13 01:13 . 2011-10-13 01:13   --------   d-----w-   c:\users\Default\AppData\Local\temp
2011-10-12 23:16 . 2011-10-12 23:16   28752   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AF33B12B-7102-4C09-95BC-3A50329BFC36}\MpKslb3071174.sys
2011-10-12 23:16 . 2011-10-12 23:16   56200   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AF33B12B-7102-4C09-95BC-3A50329BFC36}\offreg.dll
2011-10-12 23:16 . 2011-09-12 23:14   7269712   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AF33B12B-7102-4C09-95BC-3A50329BFC36}\mpengine.dll
2011-10-12 18:21 . 2008-01-02 23:33   172032   ----a-w-   c:\windows\system32\igfxres.dll
2011-10-11 23:15 . 2010-11-30 15:43   439632   ------w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-10-11 23:15 . 2011-10-11 23:15   703824   ------w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{16334273-19E0-46C6-9AAC-F5B2DAB571AC}\gapaengine.dll
2011-09-29 11:22 . 2011-09-29 11:22   --------   d-----w-   c:\users\Streetroad\AppData\Local\ElevatedDiagnostics
2011-09-19 14:28 . 2011-09-12 23:14   7269712   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-09-19 00:14 . 2011-09-19 00:14   --------   d-----w-   c:\users\Default\AppData\Local\Microsoft Help
2011-09-18 01:10 . 2011-09-18 01:10   --------   d-----w-   c:\program files\Microsoft Security Client
2011-09-15 10:01 . 2011-08-10 12:14   2409784   ----a-w-   c:\program files\Windows Mail\OESpamFilter.dat
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 00:38 . 2006-11-02 08:42   7680   ----a-w-   c:\windows\system32\acledit.dll
2011-08-31 21:00 . 2011-05-23 02:14   22216   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-08-11 01:49 . 2011-08-11 01:49   404640   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-22 13:54 . 2011-08-10 23:20   1383424   ----a-w-   c:\windows\system32\mshtml.tlb
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-10-12_18.03.23   )))))))))))))))))))))))))))))))))))))))))
.
- 2006-11-02 13:02 . 2011-10-12 17:47   32768              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:02 . 2011-10-12 22:22   32768              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:02 . 2011-10-12 22:22   32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-02 13:02 . 2011-10-12 17:47   32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:02 . 2011-10-12 22:22   16384              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 13:02 . 2011-10-12 17:47   16384              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-08 15:24 . 2011-10-13 00:44   407992              c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22e03916-85c5-44b0-8dc9-1830c11238d9}]
2010-12-09 17:51   3911776   ----a-w-   c:\program files\Elf_1\tbElf_.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-09 17:51   3911776   ----a-w-   c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{22e03916-85c5-44b0-8dc9-1830c11238d9}"= "c:\program files\Elf_1\tbElf_.dll" [2010-12-09 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{22e03916-85c5-44b0-8dc9-1830c11238d9}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{22E03916-85C5-44B0-8DC9-1830C11238D9}"= "c:\program files\Elf_1\tbElf_.dll" [2010-12-09 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{22e03916-85c5-44b0-8dc9-1830c11238d9}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-15 1532760]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office2002\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59   937920   ----a-r-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02   37296   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-10-25 20:31   167936   ----a-w-   c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 23:43   118784   ------w-   c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33   125952   ----a-w-   c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-15 16:41   166424   ----a-w-   c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-03-12 17:08   49208   ----a-w-   c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-15 16:41   141848   ----a-w-   c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2011-06-15 05:32   1532760   ----a-w-   c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2011-08-31 21:00   1047208   ----a-w-   c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2011-06-15 19:16   997920   ----a-w-   c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-11-10 06:54   4240760   ----a-w-   c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Cfg.exe]
2007-10-10 21:02   28672   ----a-w-   c:\windows\OEM02Cfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
2007-05-10 08:01   36864   ----a-w-   c:\windows\OEM02Mon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-15 16:41   133656   ----a-w-   c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28   1233920   ----a-w-   c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2008-02-16 01:23   405504   ----a-w-   c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-01-26 22:05   15026056   ----a-r-   c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44   248552   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-02-18 21:40   2012912   ----a-w-   c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-09-02 00:19   39408   ----a-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38   1008184   ----a-w-   c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33   202240   ----a-w-   c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R1 MpKsl5c475539;MpKsl5c475539;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BF15BDA8-FC53-4B1A-8E3B-AE2017335176}\MpKsl5c475539.sys

R1 MpKsld59740f2;MpKsld59740f2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5C20B806-EB8F-4488-B77E-4694471100BE}\MpKsld59740f2.sys

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-20 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-20 136176]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 MpKslb3071174;MpKslb3071174;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AF33B12B-7102-4C09-95BC-3A50329BFC36}\MpKslb3071174.sys [2011-10-12 28752]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe [2007-09-20 73728]
S2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2009-03-06 20376]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2007-06-07 111616]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLB3071174
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
HPService   REG_MULTI_SZ      HPSLPSVC
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-20 01:42]
.
2011-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-20 01:42]
.
2011-10-13 c:\windows\Tasks\User_Feed_Synchronization-{09EF6CBD-21A8-48AF-85FD-59B0FD19850D}.job
- c:\windows\system32\msfeedssync.exe [2009-08-11 07:33]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-12 21:13
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-10-12  21:24:08
ComboFix-quarantined-files.txt  2011-10-13 01:24
ComboFix2.txt  2011-10-12 18:12
.
Pre-Run: 265,969,307,648 bytes free
Post-Run: 265,972,277,248 bytes free
.
- - End Of File - - C99337154539ABAC2C0E78A21AB61BB1

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 14675
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: vista anti-spyware infection
« Reply #29 on: October 13, 2011, 02:00:15 PM »
Hi, chbq.  Let's do one more run with ComboFix. 

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:
Code: [Select]
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.




  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

How is your computer now?


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.