Hello, I was referred here by Ravencajun at GardenWeb.
Something called Vista Anti-spyware popped up telling me that I was being hacked and to save myself I needed to buy their product. I tried to ignore it, click out, but it was persistent and would not allow me to access Internet Explorer or even run Malwarebytes Anti-Malware. I was able to run Microsoft Security Essentials which reported no threats.
I shut the computer down and turned it on the next day and finally was able to get to download.com to get Spybot Search & Destroy. I ran that, then was able to run Malwarebytes too. Everything is better except when I start up I get a window which says:
"Error loading C:/users etc. etc.
The specified module could not be found."
I click OK and can go on using the computer with no trouble.
But, a window comes up which reports there are blocked start-up programs, looks like about 24. I looked at the list of blocked start up programs, and some I recognize like itunes, adobe, Intel...but there are others like "iwon toolbar," "Ovaguhakuc," and "Pgilevelecofi" which I question.
There are disable/enable buttons on the list of blocked start-up programs.
Not sure what to do. Computer seems to be working fine, though, except for that start-up window.
I have not followed the directions on "Prepare your computer for analysis and recommendations." It looks so intimidating--thought I'd ask first.
GardenWeb Link: http://ths.gardenweb.com/forums/load/comphelp/msg051320521716.html?4
Hi, Daisy. Welcome to LandzDown Forum.
We will do our best to assist you. However, in order to do so, please follow all instructions provided in the sequence given. Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use. This may cause conflicts with the tools being used in the cleanup process.
If you have questions regarding any of the instructions or problems running any tools, please let us know.
Download DDS.scr by sUBs from one of the following links and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://www.forospyware.com/sUBs/dds)
- Double-Click dds.scr and a command window will appear. This is normal
- Shortly after, two logs will appear, DDS.txt & Attach.txt
- A window will open instructing you to save & post the logs
- Save the logs to a convenient place such as your desktop
- Copy the contents of both logs & post in your next reply
Link to the GW post: http://ths.gardenweb.com/forums/load/comphelp/msg051320521716.html?4
Don't worry Daisy, one step at a time! You are in very good hands here at LzD.
It asks Do you want to run or save dds.scr (611KB) from download.bleepingcomputer.com? So I should click "Save" and put on desktop, right?
(not "Run")
Hi, Daisy.
Yes, save it to your desktop please.
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Susan at 17:04:44.01 on Mon 05/16/2011
Internet Explorer: 9.0.8112.16421
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3060.1740 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\iWonIE\bar\1.bin\idbarsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iWonIE\bar\1.bin\idbrmon.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Susan\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: N/A: {70bd8aab-ad49-42f5-b1bd-240f078c1a11} - c:\program files\iwonie\bar\1.bin\idSrcAs.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: Toolbar BHO: {fc130ee2-5a2a-45a7-8e09-d2ca06c795a8} - c:\progra~1\iwonie\bar\1.bin\idbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: iWon Toolbar: {44843b6e-d44a-4b4f-bca4-559c86633dc6} - c:\program files\iwonie\bar\1.bin\idbar.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AROReminder] c:\program files\aro 2011\ARO.exe -rem
uRun: [Pgilevetecofiruj] rundll32.exe "c:\users\susan\appdata\local\APreChli.dll",Startup
uRun: [Ovaguhakucadic] rundll32.exe "c:\users\susan\appdata\local\upiluyet.dll",Startup
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; MDDC; .NET CLR 3.5.30729; InfoPath.2; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.30729)" -"http://www.shockwave.com/gamelanding/metalmayhem.jsp"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [iWonIE Browser Plugin Loader] c:\progra~1\iwonie\bar\1.bin\idbrmon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNDc0Nzk5MDA3LUJBKzEtS1YzKzctWEwrMS1UNC1GUDkrNi1UQjkrMi1GTCs5LUYxME0rNS1RSVgxKzQtWDIwMTArMi1GMTBNMTBEKzI"&"prod=90"&"ver=10.0.1187
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl0ab21ec8;MpKsl0ab21ec8;c:\programdata\microsoft\microsoft antimalware\definition updates\{277e32cd-5ca6-4122-ad95-7de272aba68c}\MpKsl0ab21ec8.sys [2011-5-16 28752]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 iWonIEService;iWon Toolbar Service;c:\progra~1\iwonie\bar\1.bin\idbarsvc.exe [2010-9-23 28766]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
R3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-11-17 21744]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-05-16 20:45:35 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{277e32cd-5ca6-4122-ad95-7de272aba68c}\MpKsl0ab21ec8.sys
2011-05-16 20:45:18 7071056 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{277e32cd-5ca6-4122-ad95-7de272aba68c}\mpengine.dll
2011-05-16 01:57:18 -------- d-----w- c:\users\susan\appdata\roaming\Sammsoft
2011-05-16 01:56:49 -------- d-----w- c:\program files\ARO 2011
2011-05-14 22:17:05 0 ----a-w- c:\users\susan\appdata\local\Tsapexijokiqov.bin
2011-05-14 22:17:04 -------- d-----w- c:\users\susan\appdata\local\{08DB7A2B-FD07-4E59-9DDF-7CC4FB6D1E65}
2011-05-11 00:14:58 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-01 21:02:21 4199768 ----a-w- c:\windows\system32\cdintf400.dll
2011-04-27 21:01:42 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 21:01:42 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 21:01:36 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-20 14:28:00 -------- d-----w- c:\program files\iPod
2011-04-20 14:27:58 -------- d-----w- c:\program files\iTunes
2011-04-20 14:26:16 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-04-16 17:51:00 161792 ----a-w- c:\windows\system32\msls31.dll
2011-04-16 17:51:00 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-04-06 23:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 23:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42:03 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40:07 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40:05 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40:05 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44:27 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13:01 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33:12 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33:09 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 00:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-16 16:16:37 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-16 14:02:23 292864 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 17:05:09.57 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 4/10/2009 12:39:41 PM
System Uptime: 5/16/2011 10:00:41 AM (7 hours ago)
.
Motherboard: Dell Inc. | | 0G679R
Processor: Pentium(R) Dual-Core CPU E5200 @ 2.50GHz | Socket 775 | 1600/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 283 GiB total, 197.595 GiB free.
D: is FIXED (NTFS) - 15 GiB total, 6.975 GiB free.
E: is CDROM ()
H: is FIXED (NTFS) - 56 GiB total, 0.003 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP946: 5/3/2011 9:33:54 AM - Scheduled Checkpoint
RP947: 5/3/2011 2:30:15 PM - Windows Update
RP948: 5/4/2011 9:46:58 AM - Scheduled Checkpoint
RP949: 5/4/2011 3:26:31 PM - Windows Update
RP950: 5/5/2011 8:11:09 AM - Scheduled Checkpoint
RP951: 5/5/2011 6:39:07 PM - Windows Update
RP952: 5/6/2011 2:07:37 PM - Windows Update
RP953: 5/7/2011 10:45:35 AM - Scheduled Checkpoint
RP954: 5/8/2011 7:23:09 AM - Windows Update
RP955: 5/8/2011 2:44:22 PM - Windows Update
RP956: 5/9/2011 6:03:45 AM - Scheduled Checkpoint
RP957: 5/9/2011 3:01:46 PM - Windows Update
RP958: 5/10/2011 5:19:27 PM - Windows Update
RP959: 5/10/2011 7:04:56 PM - Windows Update
RP960: 5/11/2011 7:29:13 PM - Windows Update
RP961: 5/13/2011 6:02:47 AM - Windows Update
RP962: 5/14/2011 7:17:32 AM - Windows Update
RP963: 5/14/2011 3:20:01 PM - Windows Update
RP964: 5/15/2011 6:40:22 PM - Windows Update
RP966: 5/15/2011 6:56:35 PM - ARO 2011 - Before Installation
RP968: 5/15/2011 6:57:25 PM - ARO 2011 - FIRST RUN
RP970: 5/15/2011 7:17:10 PM - ARO 2011 Sun, May 15, 11 19:17
RP971: 5/16/2011 8:36:58 AM - Scheduled Checkpoint
RP972: 5/16/2011 1:44:53 PM - Windows Update
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.4.4
Adobe Shockwave Player 11.5
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ARO 2011
Bonjour
calibre
Choice Guard
Compatibility Pack for the 2007 Office system
Dell Edoc Viewer
Dell Support Center
GoToAssist 8.0.0.514
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections 12.1.11.0
iPhone Configuration Utility
iTunes
iWon Toolbar
IZArc 3.81
Java(TM) 6 Update 11
Junk Mail filter update
KODAK EASYSHARE Gallery Upload ActiveX Control
KODAK Gallery Upload Software
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.5
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Mozilla Thunderbird (3.1.10)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Netflix Movie Viewer
OGA Notifier 2.0.0048.0
Picasa 3
PrimoPDF -- by Nitro PDF Software
Quicken 2011
QuickTime
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Spelling Dictionaries Support For Adobe Reader 9
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2536413)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
.
==== Event Viewer Messages From Past Week ========
.
5/16/2011 9:07:45 AM, Error: Schannel [36874] - An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
5/13/2011 4:17:14 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
5/11/2011 7:15:46 PM, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0024E800BCA0. The following error occurred: The wait operation timed out.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
5/10/2011 7:08:07 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
5/10/2011 7:08:07 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/10/2011 7:05:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
.
==== End Of File ===========================
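A defender-side check for the Run-key and BHO/toolbar lines in a DDS report like the one above. This is an added example, not part of the thread and not code from the DDS tool; its sample input is copied from the log posted above, and it assumes the two appdata DLLs are no longer on disk, since a Run value whose DLL has been removed is exactly what produces the "Error loading ... The specified module could not be found" dialog at logon.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Iterable, List

# Run-key lines as DDS prints them, e.g.
#   uRun: [Name] rundll32.exe "c:\path\file.dll",Startup
RUN_RE = re.compile(r'^[um]Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# BHO / toolbar lines whose CLSID no longer resolves to a DLL.
ORPHAN_RE = re.compile(r'^(?P<kind>BHO|TB): .*\{[0-9A-Fa-f-]{36}\} - No File$')
# rundll32 <dll>,<entrypoint>, with the DLL path quoted or not.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<entry>\S+)', re.I)
# Locations a standard user (and so malware running as that user) can write to.
USER_WRITABLE = ('\\appdata\\local\\', '\\appdata\\roaming\\', '\\temp\\', '\\programdata\\')

# Lines copied from the DDS report posted above (sample input for this example).
SAMPLE_DDS = r"""
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Pgilevetecofiruj] rundll32.exe "c:\users\susan\appdata\local\APreChli.dll",Startup
uRun: [Ovaguhakucadic] rundll32.exe "c:\users\susan\appdata\local\upiluyet.dll",Startup
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
"""

@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)

def analyze_dds(lines: Iterable[str], path_exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """Return one Finding per suspicious or orphaned entry, in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        reasons: List[str] = []
        run = RUN_RE.match(line)
        orphan = ORPHAN_RE.match(line)
        if run:
            hit = RUNDLL_RE.search(run.group('cmd'))
            if hit:
                dll = hit.group('dll').lower()
                if any(d in dll for d in USER_WRITABLE):
                    reasons.append(f"rundll32 loads a DLL from a user-writable path: {dll}")
                if not path_exists(dll):
                    # The Run value outlived the DLL, so every logon shows
                    # "Error loading <dll> ... The specified module could not be found."
                    reasons.append("DLL is missing on disk; stale Run value causes the 'Error loading' dialog")
        elif orphan:
            reasons.append(f"orphaned {orphan.group('kind')} entry (No File): harmless, cleanup candidate")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings

if __name__ == "__main__":
    # Assumption: the two appdata DLLs were already removed by the cleanup tools,
    # so every DLL path is treated as absent.
    for f in analyze_dds(SAMPLE_DDS.splitlines(), path_exists=lambda p: False):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Entries that DDS prints with a system path (ehTray.exe, msseces.exe) pass through silently; only the two rundll32 loads from the user profile and the two "No File" CLSIDs are reported.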
Hi, Daisy.
Did you get the error: "Error loading C:/users etc. etc. The specified module could not be found." before or after running ARO 2011? If it was after running ARO 2011, does it have a restore option for the registry edits it performed? Unless someone is extremely knowledgeable about the registry, I recommend never using registry cleaners/optimizers. They do more damage than good.
We'll deal with the outdated Adobe Flash Player and Reader later. First, I want you to take care of Sun Java. Please go to add/remove programs and uninstall Java(TM) 6 Update 11.
Please download JavaRa (http://sourceforge.net/project/downloading.php?groupname=javara&filename=JavaRa.zip&use_mirror=osdn) and unzip it to your desktop.
- Double-click on JavaRa.exe to start the program. (Windows Vista users Right-click JavaRa.exe > Select Run as Administrator)
- Click on Remove Older Versions to remove older versions of Java.
- A logfile will pop up. Please save it to a convenient location.
Then download and install Java SE Runtime Environment (JRE) 6 Update 25.
Download the Windows x86 Offline version from: Java SE Runtime Environment 6u25 (http://www.oracle.com/technetwork/java/javase/downloads/jre-6u25-download-346243.html)
Note: UNCHECK any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
While you're in add/remove programs, see if the uninstaller for iWon Toolbar works.
Following all of that, please do the following:
Please follow these instructions carefully.
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)
!!! IMPORTANT !!! Save ComboFix.exe to your Desktop.
Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.
Note: If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum: How to disable your security applications - Tech Support Forum (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html).
Now, please run ComboFix:
- Note: If infections are found, ComboFix will automatically reboot the machine to complete the removal process. Please ensure all opened windows are closed before proceeding.
- Double-click ComboFix.exe on your desktop and follow the prompts.
- As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
- When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_RC1.png&hash=29e6fe1eb864e58b4b66611caa7d7b6be84a47f8)
- After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_RC2.png&hash=e111f6aa2d657579d44cabc5fb4258fd1dce26eb)
- Click "Yes" to continue scanning for malware.
- When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.
Good morning, Corinne.
I am sorry I do not remember which came first the "Error loading" or running ARO 2011. Could be error loading came after but that's a bit of a guess. It was the trial version and ARO reports that "2226 registry errors and tweaks remain & junk status was caution after last scan." On the ARO settings window there is a tab called "Restore Defaults."
As for getting instructions from the Tech Support Forum to disable antivirus and antimalware--would that Forum be here at landzdown? Should I enable them at the end of your instructions? I worry about being unprotected for any period.
I have morning appointments and will follow the rest of the instructions when I get back.
Thank you. Susan
Hi, Susan.
Something happened (again) to the formatting of the link to Tech Support Forum. I've fixed it in the instructions above but also copied the instructions for MSE here:
Microsoft Security Essentials
* Right click on the system tray icon, and select "Open"
* Click on the "Settings" tab
* On the left side of the screen, click on "Real-time protection"
* Uncheck "Turn on Real-time protection"
* Click on "Save Changes"
After running ComboFix your computer will restart. At that time, you can reverse the steps to reactivate MSE.
OK, the JavaRa didn't go perfectly.
I saved it, and it went into my documents and I moved it to the desktop.
I do not know how to unzip.
I started the program (was not asked to "Run as Administrator"--never saw that option).
After clicking "Remove Older Versions"--a message came that it "could not find JavaRadef! Be sure the definition file resides in the same directory JavaRa.exe is in." I saw JavaRa.def right above JavaRa.exe in that window.
After it finished searching for old versions it said a logfile has been created called JavaRa.log and can be found on your main hard drive. Said it will "now open log file," but I did not see it and cannot find in the C drive but maybe I'm not looking in the right place.
When I was looking at the C drive listings, I clicked on JavaRa and got a note that I should extract all files for it to run properly. Should I?
I'm sorry.
Yes, you need to extract all of the files.
If you want to keep things all neat and tidy, create a new folder, JavaRa.
Next, right-click the downloaded zip file.
Select "Extract all"
Follow the instructions to navigate to the folder you created.
There is a ZIP on the JavaRa icon. When I right-click and go down to IZArc, I have these choices:
Extract to....
Extract here
Extract to ./JavaRa
Email JavaRa.zip
Convert Archive
Create self-extracting (.EXE) file
Open with IZArc
Test
I'm guessing I should go to "Create self-extracting (.EXE) file." Right?
No, you do not want to create a self-extracting file. I'd never heard of IZArc but found the instructions, copied below from http://www.izarc.org/tutorials.html#extract
How to extract files
Step 1: Select an archived file and double-click on it. If IZArc is configured correctly, it will be launched and open your archive; otherwise, first open IZArc and then open the desired archived file.
Step 2: If you want to extract only a few files from the archive, you can select them in the file list (hold the CTRL key to select more than one file).
Step 3: Select "Extract" from the Actions Menu or click on the Extract button.
Step 4: After the Extract dialog appears, you can select the folder where your files will be extracted.
Step 5: Click Extract button.
Step 6: Close IZArc.
Tips: You can easily extract the content of an archive by right-clicking on it and selecting "Extract Here" from the IZArc context menu.
OK I got the JavaRa log after a lot of fiddling around. It's on the desktop.
Can I delete the unzipped version of JavaRa? Trying to avoid clutter.
As for Windows x86 offline, I never know whether to click "run" or "save" when downloading.
Yes, you can delete the downloaded zip file.
When downloading a file, select Save. Running immediately starts the installation. By saving, the file goes in my download folder. This way, my antivirus can scan the downloaded file prior to installation.
I got the Windows x86 Offline downloaded. Was not given any opportunities to UNCHECK anything.
It looks like the uninstaller for "Iwon toolbar" would work. I didn't do it though. Shall I?
I'm ready to run ComboFix and I cannot find out how to disable ARO 2011 trial version, but it does give me an opportunity to UNINSTALL. Should I do that? That would leave me Microsoft Security Essentials and Malwarebytes' to disable.
I'm stopped at the ComboFix Warning! box now--telling me to disable Microsoft Security Essentials.
Hi, Daisy.
Did you complete the installation of the updated Java? It is during installation of programs like that you need to watch for pre-checked options to add toolbars (like the Iwon toolbar).
Yes, try the uninstaller for "Iwon toolbar".
ARO 2011 is not security software -- however, it is a registry cleaner and, as I indicated previously, not something I would recommend unless extremely knowledgeable about the registry. Personally, I suggest uninstalling it.
If you use the free version of Malwarebytes, there is nothing to disable. However, if it is the paid/licensed version, yes, you need to disable MBAM's real-time protection.
Java is installed. I got the window "You have successfully installed Java. Updates will automatically......"
I uninstalled "Iwon toolbar."
ARO 2011 uninstalled.
Ran Combofix. It asked if I wanted the newer version from when I started working on it last night, and I said yes. I have the Combofix log.
Combofix was not on my desktop, it was in downloads or the C: drive--cannot remember. Could not find ComboFix.exe to check for Recovery Console.
I am using my husband's laptop because I cannot access the internet.
I restarted computer so I'm online now.
Here is the ComboFix log. I don't know where to find C:\ComboFix.txt.
I am beginning to feel I do not have the computer skills to do all this.
ComboFix 11-05-17.03 - Susan 05/18/2011 7:54.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3060.1708 [GMT -7:00]
Running from: c:\users\Susan\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-18 to 2011-05-18 )))))))))))))))))))))))))))))))
.
.
2011-05-18 14:57 . 2011-05-18 14:57 -------- d-----w- c:\users\Susan\AppData\Local\temp
2011-05-18 14:57 . 2011-05-18 14:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-18 14:38 . 2010-09-23 17:19 643072 ----a-w- c:\program files\Uninstall iWon Toolbar.dll
2011-05-18 14:36 . 2011-05-18 14:36 -------- d-----w- c:\program files\Common Files\Java
2011-05-18 03:07 . 2011-05-18 14:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-17 20:39 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{898AA554-85B6-4DA6-8B8B-24B6CD3A3F2B}\mpengine.dll
2011-05-16 01:57 . 2011-05-18 14:40 -------- d-----w- c:\users\Susan\AppData\Roaming\Sammsoft
2011-05-14 22:17 . 2011-05-16 01:30 0 ----a-w- c:\users\Susan\AppData\Local\Tsapexijokiqov.bin
2011-05-11 00:14 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-01 21:02 . 2010-09-01 01:43 4199768 ----a-w- c:\windows\system32\cdintf400.dll
2011-04-27 21:01 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 21:01 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 21:01 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-20 14:28 . 2011-04-20 14:28 -------- d-----w- c:\program files\iPod
2011-04-20 14:27 . 2011-04-20 14:28 -------- d-----w- c:\program files\iTunes
2011-04-20 14:26 . 2011-04-20 14:26 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-16 17:51 . 2011-04-16 17:51 161792 ----a-w- c:\windows\system32\msls31.dll
2011-04-16 17:51 . 2011-04-16 17:51 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-04-16 17:50 . 2011-04-16 17:50 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-04-16 17:50 . 2011-04-16 17:50 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-04-16 17:50 . 2011-04-16 17:50 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-04-16 17:50 . 2011-04-16 17:50 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-04-16 17:50 . 2011-04-16 17:50 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-04-16 17:50 . 2011-04-16 17:50 367104 ----a-w- c:\windows\system32\html.iec
2011-04-16 17:50 . 2011-04-16 17:50 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-04-16 17:50 . 2011-04-16 17:50 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-16 17:50 . 2011-04-16 17:50 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-16 17:50 . 2011-04-16 17:50 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-04-16 17:50 . 2011-04-16 17:50 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-04-16 17:50 . 2011-04-16 17:50 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-04-16 17:50 . 2011-04-16 17:50 152064 ----a-w- c:\windows\system32\wextract.exe
2011-04-16 17:50 . 2011-04-16 17:50 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-04-16 17:50 . 2011-04-16 17:50 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-04-16 17:50 . 2011-04-16 17:50 11776 ----a-w- c:\windows\system32\mshta.exe
2011-04-16 17:50 . 2011-04-16 17:50 101888 ----a-w- c:\windows\system32\admparse.dll
2011-04-16 17:50 . 2011-04-16 17:50 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-04-16 17:50 . 2011-04-16 17:50 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-04-11 07:04 . 2011-01-21 22:52 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-06 23:20 . 2011-04-06 23:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 23:20 . 2011-04-06 23:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-10 17:03 . 2011-04-15 01:53 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03 . 2011-04-15 01:53 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42 . 2011-04-15 01:53 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40 . 2011-04-27 21:01 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-04-27 21:01 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-04-27 21:01 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-04-27 21:01 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25 . 2011-04-15 01:53 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44 . 2011-04-15 01:53 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13 . 2011-03-22 23:27 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-22 23:27 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-22 23:27 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-22 13:24 . 2011-04-15 01:53 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-22 13:24 . 2011-04-15 01:53 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-22 13:23 . 2011-04-15 01:53 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-22 13:23 . 2011-04-15 01:53 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-02-19 00:36 . 2011-02-19 00:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-19 00:36 . 2011-02-19 00:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-18 14:03 . 2011-04-15 01:53 305152 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-18 14:03 . 2011-04-15 01:53 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-02-18 14:03 . 2011-04-15 01:53 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-04-11 00:57 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-11-18 21744]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 MpKsl87e5d2f4;MpKsl87e5d2f4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{898AA554-85B6-4DA6-8B8B-24B6CD3A3F2B}\MpKsl87e5d2f4.sys [2011-05-18 28752]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL87E5D2F4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-12 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]
.
2011-05-17 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-18 07:57
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,34,eb,d9,2e,da,30,d7,47,9b,65,d0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,34,eb,d9,2e,da,30,d7,47,9b,65,d0,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(268)
c:\program files\iWonIE\bar\1.bin\idbrstub.dll
.
Completion time: 2011-05-18 07:58:27
ComboFix-quarantined-files.txt 2011-05-18 14:58
ComboFix2.txt 2011-05-18 14:50
.
Pre-Run: 216,171,003,904 bytes free
Post-Run: 216,143,429,632 bytes free
.
- - End Of File - - D4813AC69F01429494D702ED9BA6FD8C
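The ComboFix log above lists recently created files and the Run/RunOnce autostart values. As an added example (not part of this thread and not a ComboFix tool), here is a Python triage script that parses those two sections and marks the entries a helper would look at first; the excerpt it runs on is modelled on the log above, and every flag is a review prompt, not a verdict.

```python
import re
from typing import Dict, List

# File line from the "Files Created" / "Find3M Report" sections, e.g.
# 2011-05-14 22:17 . 2011-05-16 01:30 0 ----a-w- c:\users\Susan\AppData\Local\Tsapexijokiqov.bin
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-\w]{8}) (?P<path>[a-z]:\\.*)$",
    re.IGNORECASE,
)
# Autostart value under a Run/RunOnce key, e.g.
# "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
# "AvgUninstallURL"="start http:" [X]      <- ComboFix writes [X] when the target is missing
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<info>[^\]]*)\]$')
KEY_LINE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
SECTION_LINE = re.compile(r"^\(+ (?P<title>.+?) \)+$")

# Locations an autostart target is normally expected in; anything else is only "worth a look".
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def looks_generated(stem: str) -> bool:
    """Crude heuristic: long, letters only, no internal capitals (e.g. 'Tsapexijokiqov').
    Product names such as 'GrooveMonitor' keep their internal capital and are not flagged."""
    return len(stem) >= 10 and stem.isalpha() and stem[1:].islower()


def flag_file(m: "re.Match[str]") -> List[str]:
    flags = []
    path = m["path"]
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if m["size"] == "0":
        flags.append("zero-byte file")
    if "\\appdata\\" in path.lower():
        flags.append("created under a user profile")
    if looks_generated(stem):
        flags.append("name looks machine-generated")
    return flags


def flag_run(m: "re.Match[str]") -> List[str]:
    flags = []
    if m["info"] == "X":
        flags.append("target missing (ComboFix marks it [X])")
    elif not m["cmd"].lower().startswith(SYSTEM_PREFIXES):
        flags.append("not under Windows or Program Files")  # bare names rely on search order
    return flags


def triage(log_text: str) -> List[Dict[str, object]]:
    """Walk the log once and return the entries that earned at least one flag, in log order."""
    findings: List[Dict[str, object]] = []
    section, key = "", ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if (s := SECTION_LINE.match(line)):
            section, key = s["title"], ""
            continue
        if (k := KEY_LINE.match(line)):
            key = k["key"].lower()
            continue
        if section.startswith(("Files Created", "Find3M")):
            m = FILE_LINE.match(line)
            if m and (flags := flag_file(m)):
                findings.append({"kind": "file", "item": m["path"], "flags": flags})
        elif key.endswith(("\\run", "\\runonce")):
            m = RUN_LINE.match(line)
            if m and (flags := flag_run(m)):
                findings.append({"kind": "autostart", "item": m["name"], "flags": flags})
    return findings


# Constructed excerpt modelled on the ComboFix log in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-04-18 to 2011-05-18 )))))))))))))))))))))))))))))))
.
2011-05-18 14:38 . 2010-09-23 17:19 643072 ----a-w- c:\program files\Uninstall iWon Toolbar.dll
2011-05-16 01:57 . 2011-05-18 14:40 -------- d-----w- c:\users\Susan\AppData\Roaming\Sammsoft
2011-05-14 22:17 . 2011-05-16 01:30 0 ----a-w- c:\users\Susan\AppData\Local\Tsapexijokiqov.bin
2011-04-20 14:27 . 2011-04-20 14:28 -------- d-----w- c:\program files\iTunes
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<9} {f['item']}\n          -> {', '.join(f['flags'])}")
```

Run it against a full ComboFix.txt with `triage(open(path, encoding="utf-8", errors="replace").read())`; the Find3M section is parsed with the same file rule.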
Hi, Daisy.
Are you still getting the "Error loading C:/users etc. etc. The specified module could not be found." at startup?
With IE 9, the default location for saving files on your computer is C:\Users\Susan\Downloads. If you select "Save as" by clicking the down arrow next to "Save" from the download notification at the bottom of the screen, you can browse to another location for saving the file.
Custom CFScript
Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
- Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK). Copy/Paste all of the text present inside the code box below:
Folder::
c:\program files\iWonIE
File::
Uninstall iWon Toolbar.dll
- Save this as CFScript.txt and place it on your desktop.
- Close any open browsers.
- Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_CFScript.gif&hash=19cdd291c9ded999b7ed69b7a82ebed7c9d0ab01)
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Are you still getting the "Error loading C:/users etc. etc. The specified module could not be found." at startup?
No--I am getting this message: "Windows has blocked some Start-Up Programs. Windows blocks programs that require permission to run when Windows starts. Click to view blocked programs." There are about 12-15 on the System Configuration list with checked boxes next to each.
With IE 9, the default location for saving files on your computer is C:\Users\Susan\Downloads. If you select "Save as" by clicking the down arrow next to "Save" from the download notification at the bottom of the screen, you can browse to another location for saving the file. OK--got it.
I'll go ahead with the rest of the instructions now.
Notepad gives me no opportunities to "Click Start -> Run....etc."
There is no code box. Notepad just looks like a blank page with File Edit Format View Help across the top.
Am I in the right place?
Corrine, I am feeling overwhelmed. I have ComboFix but not the .exe. I see the application which is "pev" and something called "snapshot."
You must be losing patience with me, and if you feel it would be more appropriate, I am willing to take the computer in to the shop for the work it needs. I feel bad about the time you have put in with me knowing some of the trouble is my lack of understanding of all the programs and systems which run the computer.
Quote from: Daisy on May 18, 2011, 08:51:09 PM
No--I am getting this message: "Windows has blocked some Start-Up Programs. Windows blocks programs that require permission to run when Windows starts. Click to view blocked programs." There are about 12-15 on the System Configuration list with checked boxes next to each.
Are these known programs that you use (i.e., Roxio, Microsoft Office programs, Windows Live, etc.) or unrecognized names? Can you provide a list or screen copy of what is shown as blocked?
Quote from: Daisy on May 18, 2011, 09:06:21 PM
Notepad gives me no opportunities to "Click Start -> Run....etc."
There is no code box. Notepad just looks like a blank page with File Edit Format View Help across the top.
Am I in the right place?
First you have to copy the code I provided with the ComboFix instructions. Paste the information from within the code box in the above instructions in the open Notepad. Then select File > Save as > ComboFix.txt
Quote from: Daisy on May 18, 2011, 09:20:27 PM
Corrine, I am feeling overwhelmed. I have ComboFix but not the .exe. I see the application which is "pev" and something called "snapshot."
It sounds as though you have the settings to hide common file extensions. See the instructions on how to show the extensions: Show or hide file name extensions (http://windows.microsoft.com/en-US/windows-vista/Show-or-hide-file-name-extensions).
By the way, if ComboFix is still in your "downloads" folder (C:\Users\Susan\Downloads), you need to navigate to that location and right-click ComboFix. Select cut. Go to C:\Users\Susan\Desktop and paste ComboFix there.
Now when you save the text file with the code to your desktop, you will be able to drag it on top of ComboFix to run.
Quote from: Daisy on May 18, 2011, 09:20:27 PM
You must be losing patience with me, and if you feel it would be more appropriate, I am willing to take the computer in to the shop for the work it needs. I feel bad about the time you have put in with me knowing some of the trouble is my lack of understanding of all the programs and systems which run the computer.
If you take your computer to a shop, you won't learn anything. At least I hope I'm helping you to learn a few more things about your computer (i.e., how to unzip a file, save as). That is the best part of what I do -- hopefully helping the people I help learn more about their computers and security during the process.
I tried to take a screenshot but did not know how to paste it in here. (I could paste into a WP document, but not here.) The manufacturers in the system configuration window/startup tab are Realtek (HD Audio), Intel, Microsoft, Adobe, Apple, Sun Microsys, and Malwarebytes. Each has a checked box by it.
Am I to save the notebook page as ComboFix.txt or CFScript.txt?
I fixed the file name extensions and have found ComboFix.exe. It is on the desktop.
One more question:
Do I need to disable Malwarebytes, not purchased version? Last time you said I did not. Just Microsoft Security.
Oops, sorry. Yes, save the Notepad page as CFScript.txt. Good catch!
No, you do not need to disable Malwarebytes.
Just to let you know, all the script is going to do is get rid of the iWonIE garbage since it is still showing.
I dragged the Notepad page to ComboFix (after disabling security) and it ran again, log below. The computer did not reboot, and I could not go on the Internet. So I turned it off and restarted and now I can access the Internet. The "Windows has blocked some startup programs" is still there.
ComboFix 11-05-17.03 - Susan 05/18/2011 17:31:58.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3060.1811 [GMT -7:00]
Running from: c:\users\Susan\Desktop\ComboFix.exe
Command switches used :: c:\users\Susan\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\PCDr\5744\Downloads\09c89f7c-3785-4562-bfa2-0294dad219cb.dll
c:\programdata\PCDr\5744\Downloads\211f2e06-18cf-4b15-8d16-613c14340779.dll
c:\programdata\PCDr\5744\Downloads\295a87df-c8df-47c1-8928-31d3bc55eae3.dll
c:\programdata\PCDr\5744\Downloads\7cfc7ddb-2ff0-41ad-a5d7-3e2c7c6da278.dll
c:\programdata\PCDr\5744\Downloads\9f7cb229-6226-4846-9375-1b73ad107c4e.dll
c:\programdata\PCDr\5744\Downloads\aad4193c-5f11-4479-83a6-e739206cb375.dll
c:\programdata\PCDr\5744\Downloads\ccb2bb33-3a38-4a93-93e7-871d4d9be0b6.dll
c:\programdata\PCDr\5744\Downloads\d57ca607-df9e-42be-b6e5-f975ebf2105b.dll
c:\programdata\PCDr\5744\Downloads\db49fe36-7c40-41f5-b9c1-5a7c3297c269.dll
c:\programdata\PCDr\5744\Downloads\e3d50fea-9128-4ef0-9ea5-b4d74186612f.dll
c:\programdata\PCDr\5744\Downloads\e87994e7-694e-4058-a64a-df23fd76e4df.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-19 to 2011-05-19 )))))))))))))))))))))))))))))))
.
.
2011-05-19 00:36 . 2011-05-19 00:36 -------- d-----w- c:\users\Susan\AppData\Local\temp
2011-05-19 00:36 . 2011-05-19 00:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-18 20:50 . 2011-05-18 20:50 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6BDF1905-B6EA-4796-98B4-BE96EBA5D417}\MpKsle20c8035.sys
2011-05-18 20:50 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6BDF1905-B6EA-4796-98B4-BE96EBA5D417}\mpengine.dll
2011-05-18 14:36 . 2011-05-18 14:36 -------- d-----w- c:\program files\Common Files\Java
2011-05-18 03:07 . 2011-05-18 14:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-16 01:57 . 2011-05-18 14:40 -------- d-----w- c:\users\Susan\AppData\Roaming\Sammsoft
2011-05-14 22:17 . 2011-05-16 01:30 0 ----a-w- c:\users\Susan\AppData\Local\Tsapexijokiqov.bin
2011-05-11 00:14 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-01 21:02 . 2010-09-01 01:43 4199768 ----a-w- c:\windows\system32\cdintf400.dll
2011-04-27 21:01 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 21:01 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 21:01 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-20 14:28 . 2011-04-20 14:28 -------- d-----w- c:\program files\iPod
2011-04-20 14:27 . 2011-04-20 14:28 -------- d-----w- c:\program files\iTunes
2011-04-20 14:26 . 2011-04-20 14:26 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-16 17:51 . 2011-04-16 17:51 161792 ----a-w- c:\windows\system32\msls31.dll
2011-04-16 17:51 . 2011-04-16 17:51 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-04-16 17:50 . 2011-04-16 17:50 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-04-16 17:50 . 2011-04-16 17:50 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-04-16 17:50 . 2011-04-16 17:50 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-04-16 17:50 . 2011-04-16 17:50 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-04-16 17:50 . 2011-04-16 17:50 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-04-16 17:50 . 2011-04-16 17:50 367104 ----a-w- c:\windows\system32\html.iec
2011-04-16 17:50 . 2011-04-16 17:50 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-04-16 17:50 . 2011-04-16 17:50 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-16 17:50 . 2011-04-16 17:50 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-16 17:50 . 2011-04-16 17:50 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-04-16 17:50 . 2011-04-16 17:50 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-04-16 17:50 . 2011-04-16 17:50 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-04-16 17:50 . 2011-04-16 17:50 152064 ----a-w- c:\windows\system32\wextract.exe
2011-04-16 17:50 . 2011-04-16 17:50 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-04-16 17:50 . 2011-04-16 17:50 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-04-16 17:50 . 2011-04-16 17:50 11776 ----a-w- c:\windows\system32\mshta.exe
2011-04-16 17:50 . 2011-04-16 17:50 101888 ----a-w- c:\windows\system32\admparse.dll
2011-04-16 17:50 . 2011-04-16 17:50 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-04-16 17:50 . 2011-04-16 17:50 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-04-11 07:04 . 2011-01-21 22:52 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-06 23:20 . 2011-04-06 23:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 23:20 . 2011-04-06 23:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-10 17:03 . 2011-04-15 01:53 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03 . 2011-04-15 01:53 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42 . 2011-04-15 01:53 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40 . 2011-04-27 21:01 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-04-27 21:01 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-04-27 21:01 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-04-27 21:01 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25 . 2011-04-15 01:53 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44 . 2011-04-15 01:53 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13 . 2011-03-22 23:27 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-22 23:27 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-22 23:27 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-22 13:24 . 2011-04-15 01:53 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-22 13:24 . 2011-04-15 01:53 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-22 13:23 . 2011-04-15 01:53 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-22 13:23 . 2011-04-15 01:53 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-02-19 00:36 . 2011-02-19 00:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-19 00:36 . 2011-02-19 00:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-18 14:03 . 2011-04-15 01:53 305152 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-18 14:03 . 2011-04-15 01:53 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-02-18 14:03 . 2011-04-15 01:53 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-04-11 00:57 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 MpKsle20c8035;MpKsle20c8035;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6BDF1905-B6EA-4796-98B4-BE96EBA5D417}\MpKsle20c8035.sys [2011-05-18 28752]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-11-18 21744]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLE20C8035
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-12 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]
.
2011-05-18 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-18 17:36
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,34,eb,d9,2e,da,30,d7,47,9b,65,d0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,34,eb,d9,2e,da,30,d7,47,9b,65,d0,\
.
Completion time: 2011-05-18 17:37:12
ComboFix-quarantined-files.txt 2011-05-19 00:37
ComboFix2.txt 2011-05-18 14:58
ComboFix3.txt 2011-05-18 14:50
.
Pre-Run: 216,426,225,664 bytes free
Post-Run: 216,403,316,736 bytes free
.
- - End Of File - - 8B7B24D13B6CB484329F7145FBA5DA22
One other thing--ComboFix never prompted me to download/install Windows Recovery Console. Does this mean I have it?
Hi, Daisy.
Quote from: Daisy on May 18, 2011, 11:06:44 PM
I tried to take a screenshot but did not know how to paste it in here. (I could paste into a WP document, but not here.) The manufacturers in the system configuration window/startup tab are Realtek (HD Audio), Intel, Microsoft, Adobe, Apple, Sun Microsys, and Malwarebytes. Each has a checked box by it.
Can you launch Malwarebytes or any of the other programs?
After you take a screen copy of the message box, save the image to your computer. Then, in your next reply, attach the image. Do this by clicking "+ Additional Options..." Then click the Browse button to navigate to the image. Select the image and then post your reply.
Please go
here (http://www.eset.com/onlinescan/) to run an on-line scan from ESET.
- Note: It is easiest if you use Internet explorer for this scan. (If you use an alternate browser, it will be necessary to download the ESET Smart Installer)
- Turn off the real time scanner of any existing antivirus program while performing the online scan
- Tick the box next to YES, I accept the Terms of Use.
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
- Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
- Click Scan
- Wait for the scan to finish
- Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
- Copy and paste that log as a reply to this topic and also let me know how things are now.
I launched and could probably run Malwarebytes. I attached the ipod and it accessed itunes. Not sure what else to check.
As for the ESET instructions, I am using Internet Explorer. I do not understand Turn off the real time scanner of any existing antivirus program while performing the online scan. In other words, disable Malwarebytes trial and Microsoft Sec. Essentials?
This is where my screenshot is located on my computer, but it isn't showing in the preview. C:\Users\Susan\Documents\Screenshot.docx
Hi, Daisy.
Yes, disable your security software. However, you need to remember to turn it back on after the scan completes. If you have a lot on your computer, the scan may take a while.
I forgot in the previous reply to mention that the Recovery Console is for Windows XP, so no worries.
The attachment opened fine. I believe that the error you are seeing is due to ARO 2011 screwing up your registry. The reason I say this is because, although you are getting the message "Windows has blocked some startup programs" the image of the startup programs shows that they are indeed enabled.
Let's see if the System File Checker tool will help. The System File Checker tool scans system files and replaces incorrect versions of the system files by using the correct versions.
To run the System File Checker tool, follow these steps:
- Click Start, and then type cmd in the Start Search box.
- Right-click cmd in the Programs list, and then click Run as administrator.
- If you are prompted for an administrator password or confirmation, type your password or click Continue
- At the command prompt, type the following line, and then press ENTER:
sfc /scannow (note the space before the backslash)
- When the scan is complete, shutdown/restart the computer.
Let me know if System File Checker reported any errors or if you are still receiving that message.
But I didn't do ESET yet, should I do that first or skip it and do System File Checker?
You can do which ever one you want first. :)
Here's the log from ESET. I accidentally started the scan with the wrong settings--"Remove found threats" was ticked and "Scan Archives" was unticked. I stopped the scan, adjusted the settings, and started over. Oops, sorry.
Two things came up which I didn't expect--it detected Windows Defender and said it might affect the performance and quality of scan. Also wanted to install the add-on: Online Scanner.cab from 'ESET, spol. s r.o.' I said yes to that. Nothing about ActiveX.
Is this the log? So short
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
esets_scanner_update returned -1 esets_gle=53251
When I go to "search for files or folders" and type in CMD, I get a window called "search results in indexed locations." There are two things there: DDS.txt and another document (request for reimbursement). I don't see a program list.
Ah, Daisy. You are missing one of the great enhancements in Windows Vista and Windows 7. All you need to do is click the Windows Vista "Start Orb" and begin typing in the search box. See the attached image.
Are you referring to the start orb in the lower lefthand corner, where I scroll up to "search?" Or is the link you put in your last post something else?
Yes, I'm referring to the Start Orb in the lower left hand corner as shown in the image I attached to my previous post.
Click the Start Orb. When the window opens, in the space immediately above the Start Orb (and below the link for All Programs) type cmd.exe. Then proceed with the instructions for the System File Checker tool.
When I click the orb, there is no space to type anything but a list of options starting from the bottom going up: Shut Down, Run, Help & Support, Search, Settings, Documents, Programs, Windows Update, Default Programs.
You must be using the old classic view in Windows Vista. Select Programs > Accessories > Command Prompt.
The Command Prompt box comes up. It looks like this:
Microsoft Windows (Version 6.0.6002)
Copyright blah blah blah
C:/Users/Susan_
I don't know what to do next. Where do I type cmd?
Good job!
At the command prompt, type the following line, and then press ENTER: sfc /scannow (note the space before the backslash). When the scan is complete, shutdown/restart the computer.
Please let me know if System File Checker reported any errors or if you are still receiving that message about the startup programs.
When I type in sfc /scannow, here is the message I get:
You must be an administrator running a console session in order to use the sfc utility.
Then, let's run sfc as Administrator. Select Programs > Accessories. Right-click Command Prompt and select to Run as Administrator. Then try sfc /scannow.
I ran System File Checker. Here are the results:
Verification 100% complete.
Windows Resource Protection found corrupt files but was unable to fix some of them.
Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log
I shut down and started up again, and the blocked start-up window still pops up.
Do I need to undo anything (administrator setting)?
Quote: Windows Resource Protection found corrupt files but was unable to fix some of them.
Ok, note that some of the corrupt files were fixed but not all. Let's see if System File Checker can accomplish additional repairs.
Run sfc as Administrator. Select Programs > Accessories. Right-click Command Prompt and select to Run as Administrator. Then run sfc /scannow again.
Note any message as before. Then shut down/restart and run System File Checker one more time.
Please let me know the results.
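The "unable to fix some of them" result does not say which files are affected; sfc records that in CBS.log on lines tagged [SR]. As an added example (not part of the original thread and not Microsoft's own tool output), here is a PowerShell function that pulls those lines out and lists the files sfc could not repair. The sample log lines below are constructed in the CBS.log layout for illustration; the component names and version numbers in them are made up.

```powershell
# Added example (not from the LandzDown thread): list the files that
# "sfc /scannow" reported as unrepairable, using the [SR] lines it writes
# to %windir%\Logs\CBS\CBS.log.
# The documented manual equivalent, run from an elevated prompt, is:
#   findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log > "%userprofile%\Desktop\sfcdetails.txt"

function Get-SfcUnrepairedFiles {
    param(
        # Lines of CBS.log, already read in, so the function works on any input
        [Parameter(Mandatory=$true)] [string[]] $LogLines
    )
    # Only the System File Checker ("[SR]") lines matter; CBS.log is shared with servicing
    $srLines = $LogLines | Where-Object { $_ -match '\[SR\]' }

    $unrepaired = foreach ($line in $srLines) {
        # Layout of an unrepairable-file record:
        #   [SR] Cannot repair member file [l:NN{MM}]"name.ext" of Component-Name, Version = ...
        if ($line -match 'Cannot repair member file \[[^\]]*\]"(?<file>[^"]+)" of (?<component>[^,]+)') {
            New-Object PSObject -Property @{
                File      = $Matches['file']
                Component = $Matches['component'].Trim()
            }
        }
    }
    # sfc logs the same file once per verify pass, so collapse duplicates
    $unrepaired | Select-Object File, Component | Sort-Object File, Component -Unique
}

# Constructed sample in the CBS.log layout (not a real log; names are made up)
$sampleLog = @(
    '2011-05-20 10:22:51, Info    CSI    000000a1 [SR] Verifying 100 (0x0000000000000064) components',
    '2011-05-20 10:22:52, Info    CSI    000000a2 [SR] Cannot repair member file [l:24{12}]"example1.dll" of Microsoft-Windows-Example1, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch',
    '2011-05-20 10:22:52, Info    CSI    000000a3 [SR] Cannot repair member file [l:24{12}]"example1.dll" of Microsoft-Windows-Example1, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch',
    '2011-05-20 10:22:53, Info    CSI    000000a4 [SR] Cannot repair member file [l:20{10}]"other.exe" of Microsoft-Windows-Other, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch',
    '2011-05-20 10:22:53, Info    CSI    000000a5 [SR] Repairing 1 components',
    '2011-05-20 10:22:54, Info    CSI    000000a6 [SR] Verify complete'
)

# On the sample this yields two rows: example1.dll and other.exe
Get-SfcUnrepairedFiles -LogLines $sampleLog | Format-Table -AutoSize

# Against the real log, from a Command Prompt/PowerShell started with "Run as administrator":
#   Get-SfcUnrepairedFiles -LogLines (Get-Content "$env:windir\Logs\CBS\CBS.log")
```

CBS.log is readable only from an elevated session, the same requirement sfc itself enforces, which is why the "Run as Administrator" step above applies to reading the log as well.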
Hi--
I ran SFC again and got same message..."but was unable to fix some of them." I shut down computer, started again. Ran the SFC scan again, got same message box.
Please know that I have not disabled anything for the scans--Microsoft Sec. Ess. or Malwarebytes.
Are you totally frustrated with this? Losing enthusiasm?
Susan
Oh, and I'm still getting the blocked software warning.
Corrine, when I do get that warning, it displays some other choices one of which is "Run blocked program," and when I click that Malwarebytes is the only choice. There is another window which I have tried to attach. Would there be any instructions there which would help?
Hi, Susan. No, I'm neither frustrated nor losing enthusiasm.
The other window you attached is from the Windows Help & Support and explains how to run the blocked program.
Unless you have paid for the licensed version of Malwarebytes, you do not need it to run at startup. So, let's try removing it from startup as indicated in the help page.
Do this only if you have the free version of MBAM:
To disable a program or a service during the Windows Vista startup process, follow these steps:
-- Click the Blocked startup programs icon that is in the notification area.
-- Click Show or remove blocked startup programs. This starts Software Explorer in Windows Defender.
-- Locate, and then click to select the startup program or the startup service that is in Software Explorer.
-- Click Disable, and then click Yes in the confirmation dialog box.
ONLY In the event you have the paid/licensed version of MBAM, do the following:
-- Click the Blocked startup programs icon that is in the notification area.
-- Point to Run blocked program, and then click the program or the service in the list that you want to start.
-- If you are prompted for an administrator password or confirmation, type the password, or click Continue.
Let me know, please. :)
I believe I have the free/trial version of MBAM but I wish I could see those words when I open it. I don't remember buying it, and they are encouraging me to do so on the opening page, comparing free vs. paid with a purchase button.
To go on, every time I open the list of blocked programs, I get a request for permission to continue from "User Account Control," so I just click continue.
When I have the Blocked Startup Programs window open, I do not know how to access Windows Defender or Software Explorer. If I go to the "Services" tab there, I see Windows Defender. It is checked as "stopped." Also at the bottom of the window it says Note that some secure Microsoft services may not be disabled.
When I go to Windows Defender through the orb, it says WD is off. I can click to turn it on.
No, you do not want to turn on Windows Defender. It was turned off when you installed Microsoft Security Essentials. MSE includes the anti-spyware engine from Windows Defender.
If you purchased MBAM, you would not see anything encouraging you to purchase a license. So, you can go ahead and follow the steps to disable.
As to "User Account Control", referred to by the initials UAC, that is good. The point of a UAC prompt is to provide permission to make system changes. YOU are taking an action so YOU are approving the UAC prompt. Should you not be making changes to your computer (installing software, security updates, or changes like now), then instead of allowing, you will cancel.
What is "Software Explorer"?
Let's make just one change and see what happens. Make the change for MBAM.
To disable a program or a service during the Windows Vista startup process, follow these steps:
Click the Blocked startup programs icon that is in the notification area. OK--DONE
Click Show or remove blocked startup programs. OK--DONE
This starts Software Explorer in Windows Defender. WHERE? SHOULD I SEE A WINDOW? HOW DO I GET THERE?
Locate, and then click to select the startup program or the startup service that is in Software Explorer. I'M LOST. I'M LOOKING FOR MALWAREBYTES?
FYI--when I go to the list of blocked programs and uncheck Malwarebytes, the "Enable All" button becomes active.
Well, no wonder you are confused! I did a quick search at Microsoft to find the instructions you had in the Help topic so I could paste them here. That topic must have been written prior to MSE and makes no sense in this situation. (it was from http://support.microsoft.com/kb/930367). So forget what I posted above.
As to unchecking MBAM and the "Enable All" button no longer being grayed out, that is because before the change all the programs listed were checked to load at start up. I don't have programs like Adobe or Java or iTunes (if I used it) checked since they can be accessed quickly enough when needed.
Actually, I control start up programs with WinPatrol, but we'll talk about that later.
After disabling MBAM, what happens when you do a shutdown/restart? If there is a different message shown, please make a copy.
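Startup entries can be reviewed without msconfig or WinPatrol as well. As an added example (not part of the original thread and not WinPatrol's or Microsoft's code), here is a PowerShell script that enumerates the Run/RunOnce registry values and the Startup folders that load programs at logon and flags every entry whose target file no longer exists. A Run value left behind after its file was deleted is a common leftover of a malware cleanup, and it is what produces an "Error loading ..." message at logon. The command layouts the helper parses (a quoted path, a bare path, a rundll32 call) are assumptions about the usual shapes of Run values, not something the thread documents.

```powershell
# Added example (not from the LandzDown thread): enumerate logon autostart
# entries and flag those whose target file is missing.

function Get-AutostartTarget {
    # Extract the file that a Run value actually loads. Assumed layouts:
    #   "C:\Program Files\App\app.exe" /min
    #   C:\Program Files\App\app.exe
    #   rundll32.exe "C:\Users\x\AppData\Local\name.dll",Entry
    param([Parameter(Mandatory=$true)] [string] $Command)
    if ($Command -match '^\s*"?[^"]*?rundll32(\.exe)?"?\s+"?([^",]+)') { return $Matches[2].Trim() }
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-AutostartTarget {
    # $true/$false for an absolute path; $null when the entry cannot be judged
    param([string] $Target)
    $expanded = [Environment]::ExpandEnvironmentVariables($Target)
    if ($expanded -and [IO.Path]::IsPathRooted($expanded)) {
        return (Test-Path -LiteralPath $expanded)
    }
    return $null
}

function Get-AutostartEntries {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # present on 64-bit Windows only
    )
    # Get-ItemProperty adds these provider properties; they are not Run values
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $target = Get-AutostartTarget -Command ([string]$prop.Value)
            New-Object PSObject -Property @{
                Location = $key
                Name     = $prop.Name
                Command  = [string]$prop.Value
                Target   = $target
                Exists   = Test-AutostartTarget -Target $target
            }
        }
    }

    # Anything placed in a Startup folder runs at logon as well; shortcuts are
    # resolved to the file they point at so a dead shortcut is flagged too
    $folders = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    foreach ($folder in $folders) {
        if (-not $folder -or -not (Test-Path $folder)) { continue }
        $items = Get-ChildItem -Path $folder | Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' }
        foreach ($item in $items) {
            $target = $item.FullName
            if ($item.Extension -eq '.lnk') {
                $target = (New-Object -ComObject WScript.Shell).CreateShortcut($item.FullName).TargetPath
            }
            New-Object PSObject -Property @{
                Location = $folder
                Name     = $item.Name
                Command  = $item.FullName
                Target   = $target
                Exists   = Test-AutostartTarget -Target $target
            }
        }
    }
}

# Missing targets (Exists = False) sort to the top of the listing
Get-AutostartEntries |
    Select-Object Location, Name, Command, Target, Exists |
    Sort-Object Exists, Location, Name |
    Format-Table -AutoSize

# Once a flagged name has been checked, the value is removed with, e.g.:
#   Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name '<Name>'
```

Run it from a prompt started with "Run as administrator" so the HKLM keys and the all-users Startup folder are readable. An entry whose Exists column is empty rather than False had no absolute path to check (for example a bare program name), and needs to be looked at by hand.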
Do you mean uncheck MBAM in the System Configuration/Blocked Programs window, then check "Apply", shut down, then start up?
Do that?
Yup! You got it.
As I recall, I thought MBAM was listed as a program blocked at start up. Since it is checked, I was hoping removing it from start up would solve the problem.
P.S. Are you having fun yet?
Quote: P.S. Are you having fun yet?
YES, I'm having fun now....restarted the computer twice--once with a complete shutdown and manual restart and once with the automatic restart...no blocked programs window!!!!!!!!!!!!!!!!!
It was so odd, the window reporting that all those programs were blocked....it just doesn't seem to make sense to me.
So where next, uninstall Malwarebytes or what?
YIPPEE!!!
No, I don't want you to uninstall MBAM. It is a good program to have on board. Let me go back to check you last log and see where we left off before addressing the start up problem.
I knew I had mentioned earlier that there was something I needed to have you update. Your version of Adobe Reader is out of date and has had critical security updates. You can install the latest version of Adobe Reader from http://get.adobe.com/reader/
Please post back and let me know that your computer is working correctly now and then I'll post final instructions.
Seems to be working fine. I do have some questions but will ask you when you are finished. Got the Adobe Reader downloaded. I appreciate that.
Please do the following to implement cleanup procedures and also to reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal (https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=combofix%40live%2ecom&item_name=ComboFix&no_shipping=0&no_note=1&tax=0&currency_code=USD&bn=PP%2dDonationsBF&charset=UTF%2d8).
You have Microsoft Security Essentials installed as your antivirus program. If you don't have the Windows Vista Firewall turned on, please do the following:
-- Open Windows Firewall by clicking the Start button, clicking Control Panel, clicking Security, and then clicking Windows Firewall.
-- Click Turn Windows Firewall on or off. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
-- Click On (recommended), and then click OK.
To check if your system is missing security updates or has insecure applications, install Secunia Personal Software Inspector (http://secunia.com/vulnerability_scanning/personal/) or, alternatively, visit http://secunia.com/software_inspector/ . The Secunia Software Inspector runs through your browser with no installation or download required and does the following:
- Detects insecure versions of applications installed
- Verifies that all Microsoft patches are applied
- Assists you in updating your system and applications
Install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: http://www.javacoolsoftware.com/spywareblaster.html
My favorite security software is WinPatrol which includes the features described at http://www.winpatrol.com/features.html
Now let's see your questions.
As for the Secunia scan, Adobe Flash Player is insecure and needs to be updated, download link is there. Run or Save? (I never know.)
OK, here are the questions.
Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal. I will do that.
I saved The Adobe Flash Player update. Should I have run it? What is the difference?
The Firewall is on.
Shall I run Secunia periodically?
Would SpywareBlaster be in addition to Malwarebytes and Microsoft Security Essentials? Any conflicts with that?
Would WinPatrol be in place of something else on the computer? Would something have to be removed?
Does Java update automatically?
What programs would I need to run myself on a regular basis? Malwarebytes?
I still have ComboFix, dds.scr, JavaRa files/icons on my desktop. Can they be deleted?
I cannot find the landzdown information page I saw when I first joined, telling how the group formed and who you are. I would like to share with my son.
Finally, not related to anything we have done. In the lower right corner of the screen where I have "safely remove hardware, computer status, Realtek, Intel graphics, network, volume" and then the clock—I thought I used to have my printer icon there too, but it is no longer there. Is it possible to have it there? It's helpful when I'm printing something and I want to stop it.
I want to offer my sincere thanks for your incredible patience, time, and expertise in walking me through this. You are right, I do have a better understanding of the computer. Do you enjoy this work? Is it like solving a puzzle? In the beginning, my stomach was in a knot, really! My deepest appreciation for all you did.
Hi, Susan.
Quote: I saved The Adobe Flash Player update. Should I have run it? What is the difference?
I prefer to save files that I am downloading from the Internet. I designate where the file is to be saved (my downloads folder) and periodically delete the files. In fact, after installing the downloaded program, it is fine to go back and delete the installation file. See Run vs. Save - Downloading any program or file from internet Tricks and Troubleshooting (http://www.computerfreetips.com/internet_tips/run_net.html).
Have you installed the Flash Player update?
Quote: Shall I run Secunia periodically?
Yes. Once a month should be sufficient.
Quote: Would SpywareBlaster be in addition to Malwarebytes and Microsoft Security Essentials? Any conflicts with that?
Yes, SpywareBlaster would be in addition to MBAM and MSE. It will not conflict with either (good question!). Here's a tutorial from Bleeping Computer: Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html).
Quote: Would WinPatrol be in place of something else on the computer? Would something have to be removed?
WinPatrol is a supplement to your computer security. The features listed below are among the reasons I use WinPatrol (http://winpatrol.com/), described more fully at the WinPatrol Features (http://www.winpatrol.com/features.html) page:
- Delay Startup Programs
- Warn if AutoUpdate Status Changes
- Track Date/Time Programs are First Detected
- Prevents Changes to File Type Associations
- Keylogger Detection
- Kill Multiple Tasks in One Step
- Twenty Thousand Program Descriptions
- Disable Vulnerable Active X Controls
Quote: Does Java update automatically?
You should see an indicator in the system tray when Java has an update. However, I've observed that it is rather slow at providing update notifications. Running Secunia periodically will notify you if you have an out-of-date version of Java installed.
Quote: What programs would I need to run myself on a regular basis? Malwarebytes?
Yes, MBAM needs to be updated prior to running a scan of your computer. As long as your computer doesn't seem to be having problems, a quick scan every week would be a good idea.
Quote: I still have ComboFix, dds.scr, JavaRa files/icons on my desktop. Can they be deleted?
The ComboFix icon shouldn't be on your desktop any longer. Did you run the uninstall instructions I provided? You can remove the other icons.
Quote: I cannot find the landzdown information page I saw when I first joined, telling how the group formed and who you are. I would like to share with my son.
I expect you mean the very old Welcome to The LandzDown Forum! (http://www.landzdown.com/index.php/topic,494.0.html) post. We've certainly come a long way since 2005!
Quote: Finally, not related to anything we have done. In the lower right corner of the screen where I have "safely remove hardware, computer status, Realtek, Intel graphics, network, volume" and then the clock—I thought I used to have my printer icon there too, but it is no longer there. Is it possible to have it there? It's helpful when I'm printing something and I want to stop it.
In looking at your installed programs, I see Kodak EasyShare but that appears to be for uploading pictures. I don't see a printer listed. Doesn't the icon show up when you queue something to the printer? That is the way my software works.
Quote: I want to offer my sincere thanks for your incredible patience, time, and expertise in walking me through this. You are right, I do have a better understanding of the computer. Do you enjoy this work? Is it like solving a puzzle? In the beginning, my stomach was in a knot, really! My deepest appreciation for all you did.
You are very welcome.
Yes, it is often a bit about solving a puzzle. The best part is not only helping someone regain control of their computer but also sharing information.
Now that you've found us, Susan, stop in any time.
yipppeeee!! Wow, what great work and a great team effort. Daisy, you impressed me!
Now you can come on over to the landzdown lounge and play a game and relax!
I don't know if Adobe Flash Player update is "installed" or not. When I go to Program Files--Adobe, there are 3 things listed: Adobe Acrobat, Reader 9.0, and Reader 10.0. Are they both installed, and if so, can I delete 9.0? I feel really dumb.
I'll check out SpywareBlaster and WinPatrol and probably will install both. Thank you for the recommendations.
The ComboFix file on desktop has two things in it: pev (listed as an application) and snapshot.00.dat. I did the uninstall for ComboFix and saw the little progress bar go all the way across. I also have a ComboFix log in the notepad.
As for the printer, it does not come up in the System File when I print. Kodak EasyShare is for one of those picture frames which I have gotten rid of so I could uninstall that. I'm not going to worry about the printer issue since everything is really working so well.
Also have something called CybDefInstallInfo--was that from our work?
Finally, ESET Online Scanner is in the program files too. Is that good to keep?
Thanks for helping with the clean-up.
Regarding Flash Player, go here and see what version it tells you is installed: http://www.adobe.com/software/flash/about/
Hi, Susan.
You didn't have Adobe Acrobat installed before. This is what you had & it was Adobe Reader that you needed to update:
Quote:
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.4.4
Adobe Shockwave Player 11.5
You can delete the ComboFix from your desktop as well as the log in notepad.
Go ahead and delete CybDefInstallInfo. Cyber Defender is a "potentially unwanted program" (often referred to as PUP). It appears you had it installed on your computer at one time but it is not showing up in the installed programs list.
You can uninstall the ESET Online Scanner from Add/Remove Programs. If it is needed at some time in the future, it would be better to download a new copy since the engine may have changed by then.
You're welcome. I'm happy I was able to solve the problems (finally :) ). Let us know if you have any other questions.
Quote from: Corrine on May 23, 2011, 02:53:16 PM
Yes, it is often a bit about solving a puzzle. The best part is not only helping someone regain control of their computer but also sharing information.
It used to be an easy puzzle to solve, at one point, I seem to remember!
Indeed, especially for the Jedi Master. ;)
Corrine, I haven't dropped out of here, just got overwhelmed at work and too tired to think. I'll get back to this in the next few days, maybe even tomorrow. I know I still have a few loose ends to tie up. Again, thank you so much for all the time and patience. I'm so glad I found LandzDown. What a tremendous resource.
Not to worry, Susan. We'll be here.
Checking the Adobe link you gave me for Flash Player, it said "You have version 10,2,159,1 installed."
But when I go to the Program Files--Adobe, below listed is all I see, no Adobe Flash Player:
Acrobat.com
Reader 9.0
Reader 10.0
When I go through Control Panel--Programs, I do see Adobe Flash Player listed.
Thank you for the run vs. save explanation. When you save, is a program also installed? (They say there are no dumb questions, but that just could be one!)
Not all applications get listed in the "Program Files", and Flash Player is one of those that isn't. The current version is 10.3.181.14, so you are not out-of-date by too long.
No, a program is not installed when you "save". That option downloads the program/installer (you can assign a location where it is stored) to your computer for you to install at a later time. It's meant as an extra layer of security should you wish to scan with something like an anti-virus before installing. That's especially useful if you are not sure of the "safety" of a program and want to do some further checking before installing and using it.
Hi,
Now I have the following on the computer:
Microsoft Security Essentials
Malwarebytes Anti-Malware
SpywareBlaster (just installed & "Enabled All Protection")
WinPatrol (just installed. Does the start-up programs window look OK? Wonder about AVGuninstall.)
It seems like a lot to me, but I guess it's like castle protection--you have the moat, the drawbridge, the gatehouse, the flaming arrows, the catapult, etc., etc.???? Right?
What an excellent description!
You can have WinPatrol remove AVGUninstallURL from startup. Just launch WinPatrol (right-click on the Scotty dog in the task bar), accept the UAC prompt and highlight/click the AVGUninstallURL item on the Startup tab. Click Remove.
Daisy, you have hit the nail upon the head. A layered security protection scheme is likely the best option. Seems a bit redundant but it also seems most effective. :thumbsup:
Thank you, all. It's a good feeling to have the computer running well. I'd like to shoot a flaming arrow at whoever invented Vista Anti-Spyware. Because it says "Vista" users think it is part of their computer system, and as I recall, it has a little shield icon with 4 colors. Very confusing.
Love the little Scottie dog on WinPatrol.
Thanks again!
Susan