
Inactive File does not have program associated with it

Discussion in 'Malware and Virus Removal Archive' started by rikki, 2012/03/05.

  1. 2012/03/05
    rikki

    rikki Well-Known Member Thread Starter

    Joined:
    2010/01/27
    Messages:
    258
    Likes Received:
    1
    [Inactive] File does not have program associated with it

    Since upgrading Vista to SP2 I have been getting the following error message: This file does not have a program associated with it for performing this action. Create an association in the Set Associations control panel.

    This error occurs when I try to click on several Control Panel functions (Administrative Tools, Ease of Access Centre, Personalisation, etc.). It also occurs when I click on \system32\control.exe or when I click on Explore under any folder and when I right-click on Computer and then click Properties. It also occurs in other cases. These are just examples.

    I posted a request for help on this here: http://www.windowsbbs.com/windows-vista/102040-file-does-not-have-program-associated.html#post584362. I was advised that the problem was probably due to malware and told to follow the instructions on this forum (http://www.windowsbbs.com/malware-virus-removal/announcements.html). I downloaded and ran the four programs according to the advice but no malware was detected. I reported this fact back to the other thread and was advised by team member rsinfo to post the problem and logs on this forum even though no malware was detected. Following that advice, this is what I am doing. The logs follow in subsequent posts.
     
  2. 2012/03/05
    rikki Well-Known Member Thread Starter
    error: File does not have program associated with it - logs

    mbam log

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.05.08

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 7.0.6002.18005
    User :: ANGELHAMMER [administrator]

    6/03/2012 16:14:44
    mbam-log-2012-03-06 (16-14-44).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 325811
    Time elapsed: 27 minute(s), 59 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Program Files\iPod Converter\AbdioConverter\myutil.dll (Spyware.Passwords) -> Quarantined and deleted successfully.

    (end)


    aswmbr log

    aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-06 16:49:03
    -----------------------------
    16:49:03.951 OS Version: Windows 6.0.6002 Service Pack 2
    16:49:03.951 Number of processors: 3 586 0x203
    16:49:03.951 ComputerName: ANGELHAMMER UserName: User
    16:49:07.835 Initialize success
    16:49:18.573 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-4
    16:49:18.573 Disk 0 Vendor: WDC_WD6400AAKS-22A7B2 01.03B01 Size: 610480MB BusType: 3
    16:49:18.588 Disk 0 MBR read successfully
    16:49:18.588 Disk 0 MBR scan
    16:49:18.588 Disk 0 unknown MBR code
    16:49:18.588 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 15005 MB offset 63
    16:49:18.604 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 238170 MB offset 30734336
    16:49:18.620 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 357302 MB offset 518506496
    16:49:18.620 Disk 0 scanning sectors +1250260992
    16:49:18.666 Disk 0 scanning C:\Windows\system32\drivers
    16:49:22.317 Service scanning
    16:49:33.003 Modules scanning
    16:49:41.801 Disk 0 trace - called modules:
    16:49:41.817 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
    16:49:41.832 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85f65448]
    16:49:41.832 3 CLASSPNP.SYS[8b7c98b3] -> nt!IofCallDriver -> [0x85e33268]
    16:49:41.832 5 acpi.sys[806136bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-4[0x84f1c5a8]
    16:49:41.832 Scan finished successfully
    16:50:40.046 Disk 0 MBR has been saved successfully to "C:\Docs\MBR.dat"
    16:50:40.046 The log file has been saved successfully to "C:\Docs\aswMBR.txt"

    gmer log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-03-06 17:47:18
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-4 WDC_WD6400AAKS-22A7B2 rev.01.03B01
    Running: gmer.exe; Driver: C:\Users\User\AppData\Local\Temp\ufdcaaow.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? System32\drivers\wjrkmbs.sys The system cannot find the path specified. !
    .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91203000, 0x38E905, 0xE8000020]
    ? C:\Users\User\AppData\Local\Temp\aswMBR.sys The system cannot find the file specified. !

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [738C7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7391A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [738CBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [738BF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [738C75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [738BE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [738F8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [738CDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [738BFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [738BFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [738B71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7394CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [738EC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [738BD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [738B6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [738B687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [738C2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [100027E0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001D90] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10002B30] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)
    IAT C:\Windows\Explorer.EXE[3068] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100011D0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc. PSD DragDrop Protection/Egis Inc.)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy1 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy2 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy3 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy4 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

    dds log

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.6002.18005
    Run by User at 17:48:45 on 2012-03-06
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.64.1033.18.3326.2013 [GMT 13:00]
    .
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
    C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
    C:\Windows\system32\atieclxx.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
    C:\Windows\system32\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    D:\PRTG Network Monitor\PRTG Server.exe
    D:\PRTG Network Monitor\PRTG Probe.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\ShadowExplorer\sesvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
    C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
    C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\VCOM\PowerDesk\PDExplo.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1409&s=1&o=vp32&d=1208&m=aspire_m3201
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1409&s=1&o=vp32&d=1208&m=aspire_m3201
    mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1409&s=1&o=vp32&d=1208&m=aspire_m3201
    uInternet Settings,ProxyOverride = *.local
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe
    mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
    mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
    mRun: [Acronis Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
    StartupFolder: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\OneNote Table Of Contents.onetoc2
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\powerd~1.lnk - c:\program files\vcom\powerdesk\PDExplo.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.2
    TCP: Interfaces\{C9795B23-821A-4994-9D98-B77E1CB144B1} : DhcpNameServer = 192.168.1.2
    LSA: Authentication Packages = msv1_0 relog_ap
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-5-25 176128]
    R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2011-5-25 294400]
    R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-4 16384]
    R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-3-16 24576]
    R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-26 45056]
    R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-26 131072]
    R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2011-3-15 428384]
    R2 PRTG7CoreService;PRTG 7 Core Server Service;d:\prtg network monitor\PRTG Server.exe [2010-5-23 3314472]
    R2 PRTG7ProbeService;PRTG 7 Probe Service;d:\prtg network monitor\PRTG Probe.exe [2010-5-23 3491624]
    R2 sesvc;ShadowExplorer Service;c:\program files\shadowexplorer\sesvc.exe [2011-8-10 9216]
    R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2011-7-9 37944]
    R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-5-25 7800832]
    R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-5-25 245760]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdLH3.sys [2011-3-31 97808]
    R3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2010-5-23 38976]
    R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-5-4 27632]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate1ca7094edf85ca0;Google Update Service (gupdate1ca7094edf85ca0);c:\program files\google\update\GoogleUpdate.exe [2009-11-29 133104]
    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-5-4 13224]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-11-29 133104]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2009-3-25 81704]
    .
    =============== Created Last 30 ================
    .
    .
    ==================== Find3M ====================
    .
    2012-03-06 03:46:52 38976 ----a-w- c:\windows\system32\drivers\pssdk42.sys
    2011-12-10 03:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-05-11 07:21:42 257024 ----a-w- c:\program files\Trial-Reset.exe
    .
    ============= FINISH: 17:48:57.30 ===============

    attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 25/12/2008 3:42:10
    System Uptime: 6/03/2012 16:45:14 (1 hours ago)
    .
    Motherboard: Acer | | RS780HVF
    Processor: AMD Phenom(tm) 8650 Triple-Core Processor | AM2 | 2300/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 233 GiB total, 93.67 GiB free.
    D: is FIXED (NTFS) - 349 GiB total, 170.535 GiB free.
    E: is CDROM ()
    F: is Removable
    I: is Removable
    J: is Removable
    L: is Removable
    N: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}
    Description: Standard PS/2 Keyboard
    Device ID: ACPI\PNP0303\4&14DDEF44&0
    Manufacturer: (Standard keyboards)
    Name: Standard PS/2 Keyboard
    PNP Device ID: ACPI\PNP0303\4&14DDEF44&0
    Service: i8042prt
    .
    Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
    Description: Microsoft PS/2 Mouse
    Device ID: ACPI\PNP0F03\4&14DDEF44&0
    Manufacturer: Microsoft
    Name: Microsoft PS/2 Mouse
    PNP Device ID: ACPI\PNP0F03\4&14DDEF44&0
    Service: i8042prt
    .
    ==== System Restore Points ===================
    .
    RP840: 21/09/2011 10:40:33 - Windows Vista™ Service Pack 2
    RP841: 22/09/2011 - Scheduled Checkpoint
    RP842: 22/09/2011 14:16:10 - Scheduled Checkpoint
    RP843: 23/09/2011 9:45:00 - Scheduled Checkpoint
    RP844: 6/03/2012 17:40:51 - Scheduled Checkpoint
    .
    ==== Installed Programs ======================
    .
    AAC Decoder
    Acer DV Magician
    Acer DVDivine
    Acer eDataSecurity Management
    Acer Empowering Technology
    Acer eSettings Management
    Acer ScreenSaver
    Acer SlideShow DVD
    Acer VideoMagician
    Activation Assistant for the 2007 Microsoft Office suites
    Ad-Aware
    Adobe Creative Suite 2
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.0
    AMD APP SDK Runtime
    AMD Fuel
    AMD System Monitor
    AMD VISION Engine Control Center
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArtMoney SE v7.33.2
    ATI Catalyst Install Manager
    Audacity 1.3.13 (Unicode)
    AutoHotkey 1.0.48.05
    AutoUpdate
    AVS Update Manager 1.0
    AVS Video Converter 6
    AVS4YOU Software Navigator 1.3
    Bonjour
    Canon iP4200
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    ccc-utility
    CCC Help English
    CD-LabelPrint
    CDBurnerXP
    CopyTrans Suite Remove Only
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Plus Web Player
    DivX Version Checker
    eSobi v2
    ffdshow v1.1.3958 [2011-07-31]
    FFmpeg v0.6.2 for Audacity
    FishEye
    Flash Drive Tester v1.14
    Fraps
    FrostWire 4.21.1
    Google Chrome
    Google Update Helper
    H.264 Decoder
    Half-Life(R) 2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    IHMC CmapLite v5.04.01
    IHMC CmapTools v5.04.01
    iPod Converter v1.6 (Try)
    IrfanView (remove only)
    IsoBuster 2.5
    iTunes
    J2SE Runtime Environment 5.0 Update 8
    Java Auto Updater
    Java(TM) 6 Update 22
    K-Lite Codec Pack 7.5.0 (Full)
    LADSPA_plugins-win-0.4.15
    LAME v3.98.3 for Audacity
    LightScribe 1.4.142.1
    LimeWire 5.5.8
    Malwarebytes Anti-Malware version 1.60.1.1000
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft Works
    MKV Splitter
    Motorola SM56 Speakerphone Modem
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP3 Parser
    MTG Cropped Card Pics (up to Eventide)
    MTG GamePack for Magic Workstation
    NTI Backup Now 5
    NTI Backup Now Standard
    NTI Media Maker 8
    OGA Notifier 2.0.0048.0
    OpenOffice.org 3.2
    Pando Media Booster
    PCFriendly
    PG583_32_inf
    PMB
    PowerDesk 6
    PRTG Network Monitor
    PunkBuster Services
    QuickTime
    Realtek High Definition Audio Driver
    Seagate*DiscWizard
    ShadowExplorer 0.8
    Sony Ericsson Themes Creator 4.16.2.6
    SpeedFan (remove only)
    Steam(TM)
    Tansee iPhone Transfer Photo
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update Service
    Vanguard: Saga of Heroes
    VC80CRTRedist - 8.0.50727.4053
    Ventrilo Client
    VideoReDo TVSuite Version 4.20.7.628
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VLC media player 1.1.11
    Winamp
    Winamp Application Detect
    Windows Driver Package - YUAN High-Tech Development Co. Ltd. (OmniTV) Media (12/14/2007 6.1.32.42)
    Windows Resource Kit Tools - SubInAcl.exe
    WinRAR archiver
    Yahoo! Toolbar
    Ycopy 1.0d
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/03/2012 16:47:14, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt Lbd
    .
    ==== End Of File ===========================
     


  4. 2012/03/05
    rikki Well-Known Member Thread Starter
    Sorry, one infection was detected when I did a deep scan (not on the initial scan). It is shown in the log file. However, quarantining this had no effect on the problem I am having.
     
  5. 2012/03/06
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    I see you have P2P software (Azureus, LimeWire, BitTorrent, uTorrent, etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them, and read the links above for educational value!

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus removal.

    A Malware expert will have a look at your log in due course.
     
  6. 2012/03/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =============================================================

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :reg
      HKEY_CLASSES_ROOT\.cpl /s
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  7. 2012/03/06
    rikki

    rikki Well-Known Member Thread Starter

    Joined:
    2010/01/27
    Messages:
    258
    Likes Received:
    1
    @Admin: Thank you for your quick reply. The computer was given to me and I only use it for video editing. The P2P software was already on it. I don't use this computer on-line at all. It has no network or Internet connection.

    I can't uninstall anything now. That is one of the Control Panel functions that give me the file association error. All of this did work correctly before I upgraded to SP2. It has only become an issue since then.

    @broni: Also thank you for the response. I will do what you suggest within the next day or two. I don't have time right now.
     
  8. 2012/03/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok....
     
  9. 2012/03/07
    rikki

    rikki Well-Known Member Thread Starter

    Joined:
    2010/01/27
    Messages:
    258
    Likes Received:
    1
    SystemLook 30.07.11 by jpshortstuff
    Log created at 11:36 on 07/03/2012 by User
    Administrator - Elevation successful

    ========== reg ==========

    [HKEY_CLASSES_ROOT\.cpl]
    @="cplfile"
    "Generic"="system"

    [HKEY_CLASSES_ROOT\.cpl\PersistentHandler]
    @="{098f2470-bae0-11cd-b579-08002b30bfeb}"


    -= EOF =-
     
  10. 2012/03/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    That looks normal.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled, as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  11. 2012/03/07
    rikki

    rikki Well-Known Member Thread Starter

    Joined:
    2010/01/27
    Messages:
    258
    Likes Received:
    1
    I just ran Combofix and am posting the log below. It ran fine but my problem still hasn't gone away, also not after rebooting.

    ComboFix 12-03-07.05 - User 08/03/2012 11:34:38.1.3 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.64.1033.18.3326.2364 [GMT 13:00]
    Running from: f:\antivir\ComboFix.exe
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\Program Files
    c:\program files\Program Files\Common Files\Adobe\Color\ACE1Cache.lst
    c:\program files\Program Files\Common Files\Adobe\TypeSpt\AdobeFnt.lst
    c:\program files\Program Files\Common Files\Adobe\Workflow\Options.txt
    C:\SETUP.EXE
    c:\users\User\AppData\Roaming\.#
    c:\windows\system32\Gdiplus.dll
    c:\windows\system32\tooldownloadreadme.htm
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-07 to 2012-03-07 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-07 22:38 . 2012-03-07 22:38 -------- d-----w- c:\users\User\AppData\Local\temp
    2012-03-07 22:38 . 2012-03-07 22:38 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-03-07 22:38 . 2012-03-07 22:38 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-07 21:43 . 2010-05-23 07:01 38976 ----a-w- c:\windows\system32\drivers\pssdk42.sys
    2011-12-10 03:24 . 2011-09-05 23:40 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-05-11 07:21 . 2011-09-20 23:30 257024 ----a-w- c:\program files\Trial-Reset.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2008-07-30 01:52 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-02-02 630784]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-05-20 6144000]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
    "PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2011-03-15 650080]
    "DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-08-08 1169456]
    "AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-08-08 1945424]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-08-08 148760]
    .
    c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote Table Of Contents.onetoc2 [2010-2-11 3656]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    PowerDesk 6.lnk - c:\program files\VCOM\PowerDesk\PDExplo.exe [2011-8-7 2146304]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKLM\~\startupfolder\C:^Users^User^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
    backupExtension=.Startup
    .
    [HKLM\~\startupfolder\C:^Users^User^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
    backupExtension=.Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Empowering Technology Monitor]
    2008-06-02 17:26 319488 ----a-w- c:\program files\Acer\Empowering Technology\SysMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2007-03-08 11:38 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BkupTray]
    2008-04-26 05:36 28672 ----a-w- c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
    2008-07-30 01:52 526896 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EmpoweringTechnology]
    2008-06-02 17:26 319488 ----a-w- c:\program files\Acer\Empowering Technology\Framework.Launcher.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-06-07 05:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 05:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-13 22:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    2009-12-21 05:45 39424 ----a-w- c:\program files\Winamp\winampa.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001
    "AntiSpywareOverride"=dword:00000001
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-29 01:40]
    .
    2012-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-29 01:40]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1409&s=1&o=vp32&d=1208&m=aspire_m3201
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    TCP: DhcpNameServer = 192.168.1.2
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-12CFG214-K641-12SF-N85P - c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
    MSConfigStartUp-Steam - i:\valve\Steam\\Steam.exe
    AddRemove-Activation Assistant for the 2007 Microsoft Office suites - c:\programdata\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}\Microsoft Office Activation Assistant.exe
    AddRemove-LimeWire - d:\limewire\uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-03-08 11:38
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-509930130-3037423088-1028249883-1000\Software\SecuROM\License information*]
    "datasecu"=hex:4f,52,cb,c3,79,3c,0d,5a,a0,0b,a0,6a,f4,39,bd,ab,44,9e,60,23,c7,
    db,b0,33,65,10,e8,7f,2b,32,1f,42,73,38,cf,00,eb,99,b8,61,c8,4c,e9,46,9e,14,\
    "rkeysecu"=hex:8f,8f,c3,3a,90,90,fb,2b,38,68,43,1c,3f,fe,bd,41
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(848)
    c:\windows\system32\relog_ap.dll
    .
    Completion time: 2012-03-08 11:40:00
    ComboFix-quarantined-files.txt 2012-03-07 22:39
    .
    Pre-Run: 113,295,613,952 bytes free
    Post-Run: 112,896,512,000 bytes free
    .
    - - End Of File - - 5D7D5493CDD98787D6798EE2072F87C5
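    The log above deserves a closer read than "not much there". Under Reg Loading Points it records EnableLUA = 0 (User Account Control switched off) and AntiVirusOverride / AntiSpywareOverride = 1 (Security Center told not to warn about missing antivirus and antispyware), and under ORPHANS REMOVED an MSConfig startup entry that pointed at an executable inside c:\recycler in a SID-named subfolder, a location legitimate software has no reason to use for an autostart. ComboFix only removed the dangling startup reference, and the file itself is not reported as present, so none of this proves an infection, but these are exactly the lines a practitioner wants flagged automatically rather than spotted by eye. The script below is an added example for this thread, the editor's code and not part of ComboFix; SAMPLE_LOG is constructed from lines copied out of the log above, and the indicator rules (the registry values checked and the path patterns treated as suspect) are the editor's own assumptions.

```python
"""Triage a ComboFix log for settings and autostart paths worth a second look.

Added example for this thread; editor's code, not part of ComboFix. SAMPLE_LOG
is constructed from lines copied from the log posted above, and the indicator
rules are the editor's own, so a hit means 'look here', not 'infected'.
"""
import re

# Constructed sample: lines copied from the ComboFix log above.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-02-02 630784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-12CFG214-K641-12SF-N85P - c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
MSConfigStartUp-Steam - i:\valve\Steam\\Steam.exe
AddRemove-LimeWire - d:\limewire\uninstall.exe
'''

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]*?)\s*"\s*=\s*(.+)$')     # "Name"=data (tolerates the stray space)
SID_DIR_RE = re.compile(r"\\S-1-5-21-\d+-\d+-\d+-\d+\\", re.IGNORECASE)
SUSPECT_DIRS = [
    (re.compile(r"\\recycler\\", re.IGNORECASE), "RECYCLER folder"),
    (re.compile(r"\\\$recycle\.bin\\", re.IGNORECASE), "$Recycle.Bin folder"),
    (re.compile(r"\\temp\\", re.IGNORECASE), "temp folder"),
]
# Editor's rules: (key suffix, value name, value that matters, why it matters).
REGISTRY_RULES = [
    (r"policies\system", "EnableLUA", 0, "UAC is disabled"),
    (r"security center\Svc", "AntiVirusOverride", 1,
     "Security Center antivirus alerts are suppressed"),
    (r"security center\Svc", "AntiSpywareOverride", 1,
     "Security Center antispyware alerts are suppressed"),
]


def parse_reg_value(data):
    """'0 (0x0)' -> 0, 'dword:00000001' -> 1, anything else -> None."""
    data = data.strip()
    m = re.match(r"dword:([0-9a-fA-F]{1,8})$", data)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(-?\d+)\b", data)
    return int(m.group(1)) if m else None


def suspicious_path(path):
    """Reasons a program path deserves a look; empty list means none."""
    reasons = [label for rx, label in SUSPECT_DIRS if rx.search(path)]
    if SID_DIR_RE.search(path):
        reasons.append("SID-named subfolder")
    return reasons


def triage(log_text):
    """Walk the log once, tracking the current registry key, and return findings."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = m.group(1), m.group(2)
            value = parse_reg_value(data)
            for suffix, vname, bad, why in REGISTRY_RULES:
                if (current_key.lower().endswith(suffix.lower())
                        and name.lower() == vname.lower() and value == bad):
                    findings.append(f"registry: {current_key}\\{name} = {value}: {why}")
            # Run-key entries: "Name"="c:\path\prog.exe" [date size]
            if current_key.lower().endswith("\\run") and data.startswith('"'):
                path = data[1:].split('"', 1)[0]
                for reason in suspicious_path(path):
                    findings.append(f"autostart: {name} -> {path}: {reason}")
            continue
        # Orphan / startup lines: "MSConfigStartUp-Name - c:\path\prog.exe"
        name, sep, path = line.partition(" - ")
        if sep and name.startswith(("MSConfigStartUp-", "AddRemove-")):
            for reason in suspicious_path(path.strip()):
                findings.append(f"orphan: {name} -> {path.strip()}: {reason}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

    Run against a real log by reading C:\ComboFix.txt into triage() instead of SAMPLE_LOG. On the sample it reports the disabled UAC, both Security Center overrides, and the vsbntlo.exe orphan twice (RECYCLER folder and SID-named subfolder); the Steam and LimeWire entries pass through quietly.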
     
  12. 2012/03/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    So far I don't see much there.

    My instructions clearly say to run Combofix from the Desktop.
    Please move the file to the proper location.

    Then, you're not running any AV program.
    Install ONE of these:
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
    - free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/windows/products/security-essentials
    - free Comodo Antivirus: http://www.comodo.com/home/internet-security/antivirus.php
    Update, run full scan, report on any findings.

    When done...

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  13. 2012/03/08
    rikki

    rikki Well-Known Member Thread Starter

    Joined:
    2010/01/27
    Messages:
    258
    Likes Received:
    1
    I'm sorry I ran Combofix from the wrong folder. I didn't really think about it.

    A major frustration I am having with this is that the computer with the problem does not have an Internet connection so I am having to download everything on another computer and transfer it via a flash drive. That is why I ran Combofix from the flash drive instead of the Desktop.

    Also for this reason, I am finding it impossible to put a new anti-virus program on the affected computer. Every program I can find insists on doing an internal update of the anti-virus database after it is installed. Well, d'oh, I can't update without an Internet connection. It used to be possible to download the update databases separately. I wish it still was, and I don't understand why this should have to be such a problem, unless it has something to do with security, but it is really frustrating. The assumption nowadays seems to be that everyone simply has to be connected to the Internet, end of story. I don't know what people with off-line computers (and I'm sure I'm not the only one) are supposed to do.

    I just tried running Combofix again from the Desktop. Now it won't work at all, also not from the original folder. I keep getting the following error: Illegal operation attempted on a registry key that has been marked for deletion.

    I have no idea what this means or what I am supposed to do about it. As per your instructions, I haven't changed anything on this system since we started trying to fix this problem, other than copying and running the programs you have directed me to. I'm not sure now what to do next. I have downloaded OTL but have not run it yet. The new problem with Combofix makes me hesitant to try anything without checking with you first.
     
  14. 2012/03/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Restart computer to fix the issue.
    I don't need another Combofix log.

    At what point did you lose internet connection?
    You didn't tell me about it.
     
  15. 2012/03/08
    rikki

    rikki Well-Known Member Thread Starter

    Joined:
    2010/01/27
    Messages:
    258
    Likes Received:
    1
    Thanks, I discovered that after I posted.

    The computer I am trying to fix has never had an Internet connection since I obtained it. I stated all this in my original post on the other forum that I linked to. The computer was given to me because the previous owner tried to clean the CPU fan, which was clogged and causing the chip to overheat. He didn't know what he was doing and removed the CPU, then bent the pins trying to get it back in. I was able to fix it and the hardware has worked fine ever since.

    I have been using the computer for video processing and it has worked fine for that. I have not tried to get it on-line because I have no need and didn't want to mess with my existing set-up.

    Although the computer seemed to be working ok, there were issues with burning DVDs and a technician friend suggested I should upgrade to SP2 as it was still running with SP1 on it. I had already intended to do that anyway and my friend, who works for a computer shop, gave me the file. It was named Windows6.0-KB948465-X86.exe. The upgrade seemed to work normally, but since then I have had this problem.

    While trying to learn more about it, I have discovered that Control Panel functions that do not depend on .cpl files all produce the error. These include Administrative Tools, Ease of Access Centre, Personalisation, etc. Date and Time and other cpl functions work normally. Two things that don't work are the uninstall function and System Restore. I also get the error if I click on control.exe, or explorer.exe, though Explorer does work when accessed through a shortcut or associated file. The error also occurs if I right-click on Computer and then Properties. It occurs if I click on explore via the folder context menu, but not if I click on Explorer. I'm sure it probably also occurs elsewhere, but these are the things I have verified.

    That's everything I can think of. It worked okay, if not perfectly, before I installed SP2; now it is a bit of a mess and I don't know why. I'm still hoping to find an answer.
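    The list in this post is the most useful thing in the thread, because it says which association chains to look at. The SystemLook query in post 6 covered only HKEY_CLASSES_ROOT\.cpl, and that came back normal; control.exe and explorer.exe resolve through .exe and the exefile ProgID, double-clicking a folder goes through Folder\shell\open, and the Explore verb on a folder's context menu through Folder\shell\explore. (Control Panel items that are not .cpl files, and Computer then Properties, are shell namespace objects and are not covered by a key walk like this.) The script below is an added example, the editor's code rather than SystemLook's, that reads the same chain of default values and compares each against what a healthy Windows Vista machine is expected to contain. The key list and the expected substrings are the editor's assumptions about Vista defaults, so compare its output with a known-good machine of the same release before treating an "unexpected" line as a fault; the SAMPLE dictionary is constructed so the script runs and shows its report off the affected machine.

```python
"""Walk the HKCR association chain behind the items that fail on this machine.

Added example for this thread; editor's code, not part of SystemLook. The key
list and the string each default value is expected to contain are assumptions
about Windows Vista defaults. Compare the report with a known-good machine of
the same release before treating an 'unexpected' line as a fault.
"""
import sys

# (key under HKEY_CLASSES_ROOT, substring a healthy Vista default contains)
EXPECTED = [
    (r".exe", "exefile"),                                # .exe -> ProgID
    (r"exefile\shell\open\command", '"%1"'),             # Vista default is "%1" %*
    (r".cpl", "cplfile"),                                # what SystemLook reported above
    (r"cplfile\shell\cplopen\command", "control.exe"),
    (r"Folder\shell\open\command", "explorer.exe"),      # double-click on a folder
    (r"Folder\shell\explore\command", "explorer.exe"),   # the 'Explore' context-menu verb
]


def audit(snapshot):
    """snapshot maps a key (relative to HKCR) to its default value, or None when
    the key or its default is absent. Returns one (key, value, status) per
    EXPECTED entry, status being 'ok', 'missing' or 'unexpected'."""
    snap = {k.lower(): v for k, v in snapshot.items()}
    report = []
    for key, needle in EXPECTED:
        value = snap.get(key.lower())
        if not value:
            status = "missing"
        elif needle.lower() in value.lower():
            status = "ok"
        else:
            status = "unexpected"
        report.append((key, value, status))
    return report


def read_live_snapshot():
    """Read the EXPECTED keys from the live registry (Windows only)."""
    import winreg  # Windows-only module, imported here on purpose
    snap = {}
    for key, _needle in EXPECTED:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, key) as handle:
                snap[key], _kind = winreg.QueryValueEx(handle, "")
        except OSError:  # key absent, or its default value not set
            snap[key] = None
    return snap


# Constructed sample: the .cpl key as SystemLook reported it, healthy Vista-style
# defaults for the rest, one missing exefile command, and one Folder open verb
# handed to a third-party file manager (PowerDesk appears in the startup list
# above; a file manager taking that verb is benign, but it is exactly the kind
# of line a human should read rather than the script).
SAMPLE = {
    ".exe": "exefile",
    r"exefile\shell\open\command": None,
    ".cpl": "cplfile",
    r"cplfile\shell\cplopen\command": r'%SystemRoot%\System32\control.exe "%1",%*',
    r"Folder\shell\open\command": r'"C:\Program Files\VCOM\PowerDesk\PDExplo.exe" %1',
    r"Folder\shell\explore\command": r"%SystemRoot%\Explorer.exe /e,/idlist,%I,%L",
}


if __name__ == "__main__":
    snapshot = read_live_snapshot() if sys.platform == "win32" else SAMPLE
    for key, value, status in audit(snapshot):
        print(f"{status:<10} HKCR\\{key} = {value!r}")
```

    On the affected machine, run it from an elevated prompt so the live registry is read; anywhere else it prints the report for the constructed sample. A "missing" line for exefile or Folder is the sort of thing that produces the "no program associated" error for .exe files and folder verbs; an "unexpected" line needs a person to decide whether the command belongs to software they installed.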
     
  16. 2012/03/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    To tell the truth, I don't see anything malicious there, so it would probably be a better idea to create a new topic in the Windows forum.
     
