Cyber Tech Help Support Forums > Software > Malware Removal Forum

#1 | July 16th, 2012, 08:44 AM | grace too (Senior Member; Join Date: Jul 2006; O/S: Windows Vista 32-bit; Posts: 102)
Have a baddie

Specs: Vista Home Premium 32-Bit, Service Pack 2, Internet Explorer 9

Tonight while doing a Google search, my browser suddenly shut down on its own. A Live Security Platinum screen popped up and started running a virus scan. As far as I know, I don't even have this program. So I didn't click anything, but tried to access the Task Manager to shut it down, and it wouldn't let me; a warning came up saying that the Task Manager was infected. In fact, anything I tried to access (Ad-Aware and Microsoft Security Essentials) was infected according to this Live Security Platinum; I was even unable to open a browser, including Chrome.

I rebooted and as soon as the desktop appeared, that scan started up all over again. This time I was able to open Chrome after I let the scan run its course (it ran very quickly which adds to my skepticism because usually scans take a long time).

Any advice or help would be greatly appreciated. Thank you in advance.

Last edited by grace too; July 16th, 2012 at 08:50 AM.
#2 | July 16th, 2012, 03:51 PM | Aaflac (Malware Removal Team; Join Date: May 2007; Location: Illinois, USA; Posts: 2,880)
Welcome to the forum, grace too!

Let's see what the following short scan shows...

Please download RogueKiller

•When you get to the website, go to where it says:
(Download link) Lien de téléchargement:
•Click the dark-blue button to download.
•Save to the Desktop

•Close all windows and browsers
•XP: Double-click the program to run it
•Vista/Seven: Right-click and select 'Run as Administrator'
•Press: SCAN
•A report opens on the Desktop: RKreport.txt

Please provide the RKreport.txt (Mode: Scan) in your reply.

Note:
If RogueKiller is blocked, do not hesitate to try running it again.
If it still fails to run, right-click on the downloaded icon and select: Rename
Then, rename it to winlogon.exe and try again.



If you cannot download, but can run programs, instead of downloading the program requested to the problem computer, download it to a clean computer.

Next, save it to a USB flash drive (or removable media), move it to the Desktop of the infected computer, and run the program as described at the beginning of these instructions.
#3 | July 16th, 2012, 07:28 PM | grace too
Hello Aaflac,

Thank you for your warm welcome and your help with this matter.

As requested the Rogue Killer report as follows:


RogueKiller V7.6.3 [07/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files...3-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: Pandora [Admin rights]
Mode: Scan -- Date: 07/16/2012 14:14:03

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 6 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : cdloader ("C:\Users\Pandora\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2569225185-2745256017-3556029199-1000[...]\Run : cdloader ("C:\Users\Pandora\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK) -> FOUND
[SUSP PATH] HKCU\[...]\RunOnce : 036E19321A4FAF35F6D847552F3B707C (C:\ProgramData\036E19321A4FAF35F6D847552F3B707C\036E19321A4FAF35F6D847552F3B707C.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2569225185-2745256017-3556029199-1000[...]\RunOnce : 036E19321A4FAF35F6D847552F3B707C (C:\ProgramData\036E19321A4FAF35F6D847552F3B707C\036E19321A4FAF35F6D847552F3B707C.exe) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200AAJS-22B4A0 ATA Device +++++
--- User ---
[MBR] 4d10d44d8aa464449fd23d4f381b0342
[BSP] 6e00aa916a5768fe5b7cc11d6760da8b : Acer tatooed MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 63 | Size: 15005 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30734336 | Size: 116076 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 268457984 | Size: 174161 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt


P.S. - When I boot the computer the Live Security Platinum still comes up, and there's also a shortcut to it on the desktop. I have not clicked on or touched either.
#4 | July 17th, 2012, 12:15 AM | Aaflac
Yep...the culprit is there.

Let's get into Safe Mode with Networking...

To get into the Windows Vista Safe Mode with Networking option, do the following:
•Restart the computer...
•As the computer is booting tap the F8 Key, repeatedly, until you see the Windows Advanced Options Menu
•Use the arrow keys to select Safe Mode with Networking
•Now, press the Enter key.

Log in to the User that is infected.


Now, let's press on with RogueKiller...
•Please quit all programs
•Right-click the RogueKiller file and select 'Run as Administrator'
•Wait until the Prescan finishes
•Then, press: Scan
•Once the scan is done, click the Registry tab.
•Make sure only the following four entries are checked (uncheck the MagicJack entries):

[SUSP PATH] HKCU\[...]\RunOnce : 036E19321A4FAF35F6D847552F3B707C (C:\ProgramData\036E19321A4FAF35F6D847552F3B707C\036E19321A4FAF35F6D847552F3B707C.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2569225185-2745256017-3556029199-1000[...]\RunOnce : 036E19321A4FAF35F6D847552F3B707C (C:\ProgramData\036E19321A4FAF35F6D847552F3B707C\036E19321A4FAF35F6D847552F3B707C.exe) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

•Next, press the [Delete] button.

Please post the new RKreport (Mode: Delete), created on the Desktop, in your reply.

(The RKreport also opens using the Report button on the console.)

Now, restart the computer in normal mode, and post back on whether the Live Security Platinum still comes up.

If not, right-click the Live Security Platinum icon, and press: Delete

When you get done with these steps, post back the results, as requested, but try not to use the computer until I see what the reports show.

Thanks for your patience.

Last edited by Aaflac; July 17th, 2012 at 12:22 AM.
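The two RogueKiller posts above amount to a manual triage of the Registry Entries section: the RunOnce values pointing at a folder under ProgramData whose name is 32 hex characters, holding an .exe of the same name, are the rogue's autorun; the NewStartPanel values set to 1 hide desktop icons ({20D04FE0-...} is Computer, {59031a47-...} is the user's files folder), which RogueKiller later resets to 0; the cdloader entries are a third-party autorun that the thread never proves either way. The script below is an added example, not RogueKiller code and not part of the thread, that parses an RKreport.txt and applies those checks mechanically; it also classifies the HOSTS File section, where loopback entries block a name while any other address redirects it. The sample report is constructed from the entries in the thread (line-wrap spaces removed) plus one made-up redirect line for a security-vendor domain.

```python
"""Triage the 'Registry Entries' and 'HOSTS File' sections of a RogueKiller
RKreport.txt. Added example for this thread; not RogueKiller's own code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the entries RogueKiller reported in the thread (with the
# forum's line-wrap spaces inside long paths removed) plus one made-up hosts
# line (203.0.113.5 www.malwarebytes.org) to show the redirect case.
SAMPLE_REPORT = r"""
Mode: Scan -- Date: 07/16/2012 14:14:03

¤¤¤ Registry Entries: 6 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : cdloader ("C:\Users\Pandora\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK) -> FOUND
[SUSP PATH] HKCU\[...]\RunOnce : 036E19321A4FAF35F6D847552F3B707C (C:\ProgramData\036E19321A4FAF35F6D847552F3B707C\036E19321A4FAF35F6D847552F3B707C.exe) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost
127.0.0.1 www.007guard.com
203.0.113.5 www.malwarebytes.org
[...]

¤¤¤ MBR Check: ¤¤¤
"""

ENTRY_RE = re.compile(
    r"^\[(?P<tag>[A-Z ]+)\] (?P<key>\S+) : (?P<name>\S+) \((?P<data>.*)\) -> (?P<status>.+)$")
EXE_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
HOST_RE = re.compile(r"^(?P<ip>[0-9A-Fa-f.:]+)\s+(?P<host>\S+)$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class RegEntry:
    tag: str      # RogueKiller's label, e.g. "SUSP PATH" or "HJ"
    key: str      # hive and (abbreviated) key path
    name: str     # value name
    data: str     # value data as printed, outer parentheses removed
    status: str   # FOUND / DELETED / REPLACED (0) / NOT SELECTED

    def exe_path(self) -> Optional[str]:
        m = EXE_RE.search(self.data)
        return m.group("path") if m else None


def split_sections(report: str) -> dict:
    """Map each '¤¤¤ Name: ... ¤¤¤' header to the non-blank lines under it."""
    sections, current = {}, None
    for line in report.splitlines():
        line = line.strip()
        if line.startswith("¤¤¤"):
            current = line.strip("¤ ").split(":")[0].strip()
            sections[current] = []
        elif current and line:
            sections[current].append(line)
    return sections


def parse_registry(report: str) -> List[RegEntry]:
    entries = []
    for line in split_sections(report).get("Registry Entries", []):
        m = ENTRY_RE.match(line)
        if m:
            entries.append(RegEntry(**m.groupdict()))
    return entries


def looks_like_hex_dropper(path: str) -> bool:
    """True for a folder X containing X.exe, X being 32 hex characters: the
    layout of the Live Security Platinum file in this thread."""
    parts = path.split("\\")
    if len(parts) < 3 or not parts[-1].lower().endswith(".exe"):
        return False
    stem = parts[-1][:-4]
    return bool(HEX32_RE.match(stem)) and parts[-2].lower() == stem.lower()


def triage(e: RegEntry) -> str:
    """'rogue', 'hidden-desktop-icon', 'review' or 'info'."""
    if e.tag == "HJ" and e.key.endswith("NewStartPanel"):
        # HideDesktopIcons\NewStartPanel\{CLSID} = 1 hides that desktop icon
        # (Computer and the user's folder here); RogueKiller sets it back to 0.
        return "hidden-desktop-icon" if e.data.strip() == "1" else "info"
    path = e.exe_path()
    if path and looks_like_hex_dropper(path):
        return "rogue"
    # Anything else flagged SUSP PATH (e.g. magicJack's cdloader2.exe) is an
    # unverified third-party autorun: look the file up by hash before deleting.
    return "review"


def hosts_findings(report: str) -> List[Tuple[str, str, str]]:
    """(host, ip, verdict): a loopback entry blocks a name, any other address
    redirects it, which is the hijack case for security-vendor domains."""
    out = []
    for line in split_sections(report).get("HOSTS File", []):
        m = HOST_RE.match(line)
        if not m or m.group("host") == "localhost":
            continue
        ip, host = m.group("ip"), m.group("host")
        out.append((host, ip, "block" if ip in LOOPBACK else "redirect"))
    return out


if __name__ == "__main__":
    for entry in parse_registry(SAMPLE_REPORT):
        print(f"{triage(entry):20} {entry.key} : {entry.name} -> {entry.status}")
    for host, ip, verdict in hosts_findings(SAMPLE_REPORT):
        print(f"{verdict:20} {host} -> {ip}")
```

Run it against a real RKreport.txt by reading the file into `parse_registry` and `hosts_findings` instead of `SAMPLE_REPORT`; the "review" verdict is deliberately not "clean", since the only way to settle an autorun like cdloader2.exe is to identify the file (vendor signature or a hash lookup), not to trust its name.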
#5 | July 17th, 2012, 04:53 AM | grace too
Hi Aaflac,

I have followed your instructions but I made a mistake by reversing the order of "posting the RKreport (Mode: Delete)" and "restart the computer in normal mode". I hope I haven't messed up, I'm sorry.

After reboot the Live Security Platinum did not come up, so I deleted its icon on the desktop.

There are 3 RK reports on my desktop named 1, 2, and 3. I hope these are what you were asking for. They are in order as follows:


RogueKiller V7.6.3 [07/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files...3-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: Pandora [Admin rights]
Mode: Scan -- Date: 07/16/2012 14:14:03

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 6 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : cdloader ("C:\Users\Pandora\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2569225185-2745256017-3556029199-1000[...]\Run : cdloader ("C:\Users\Pandora\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK) -> FOUND
[SUSP PATH] HKCU\[...]\RunOnce : 036E19321A4FAF35F6D847552F3B707C (C:\ProgramData\036E19321A4FAF35F6D847552F3B707C\036E19321A4FAF35F6D847552F3B707C.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2569225185-2745256017-3556029199-1000[...]\RunOnce : 036E19321A4FAF35F6D847552F3B707C (C:\ProgramData\036E19321A4FAF35F6D847552F3B707C\036E19321A4FAF35F6D847552F3B707C.exe) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200AAJS-22B4A0 ATA Device +++++
--- User ---
[MBR] 4d10d44d8aa464449fd23d4f381b0342
[BSP] 6e00aa916a5768fe5b7cc11d6760da8b : Acer tatooed MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 63 | Size: 15005 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30734336 | Size: 116076 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 268457984 | Size: 174161 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt



RogueKiller V7.6.3 [07/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files...3-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User: Pandora [Admin rights]
Mode: Scan -- Date: 07/16/2012 23:30:53

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 6 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : cdloader ("C:\Users\Pandora\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2569225185-2745256017-3556029199-1000[...]\Run : cdloader ("C:\Users\Pandora\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK) -> FOUND
[SUSP PATH] HKCU\[...]\RunOnce : 036E19321A4FAF35F6D847552F3B707C (C:\ProgramData\036E19321A4FAF35F6D847552F3B707C\036E19321A4FAF35F6D847552F3B707C.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2569225185-2745256017-3556029199-1000[...]\RunOnce : 036E19321A4FAF35F6D847552F3B707C (C:\ProgramData\036E19321A4FAF35F6D847552F3B707C\036E19321A4FAF35F6D847552F3B707C.exe) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200AAJS-22B4A0 ATA Device +++++
--- User ---
[MBR] 4d10d44d8aa464449fd23d4f381b0342
[BSP] 6e00aa916a5768fe5b7cc11d6760da8b : Acer tatooed MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 63 | Size: 15005 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30734336 | Size: 116076 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 268457984 | Size: 174161 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



RogueKiller V7.6.3 [07/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files...3-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User: Pandora [Admin rights]
Mode: Remove -- Date: 07/16/2012 23:32:30

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : cdloader ("C:\Users\Pandora\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK) -> NOT SELECTED
[SUSP PATH] HKUS\S-1-5-21-2569225185-2745256017-3556029199-1000[...]\Run : cdloader ("C:\Users\Pandora\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK) -> NOT SELECTED
[SUSP PATH] HKCU\[...]\RunOnce : 036E19321A4FAF35F6D847552F3B707C (C:\ProgramData\036E19321A4FAF35F6D847552F3B707C\036E19321A4FAF35F6D847552F3B707C.exe) -> DELETED
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200AAJS-22B4A0 ATA Device +++++
--- User ---
[MBR] 4d10d44d8aa464449fd23d4f381b0342
[BSP] 6e00aa916a5768fe5b7cc11d6760da8b : Acer tatooed MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 63 | Size: 15005 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30734336 | Size: 116076 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 268457984 | Size: 174161 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt


Thank you for your help, Aaflac.
P.S. - I will not use this computer again until I get the okay from you.
#6 | July 17th, 2012, 05:24 AM | Aaflac
Please do the following...

Download Malwarebytes' Anti-Malware
Save to the Desktop.

MBAM may make changes to the Registry as part of its disinfection routine.
If using other security programs that detect Registry changes, they may interfere or alert you.
Please, either temporarily disable such programs as shown here, or permit them to allow the changes.

Windows Vista: Right-click and select 'Run as Administrator'

When the installation begins, follow the prompts and do not make any changes to default settings.

Make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware


Click: Finish

MBAM automatically starts and you are asked to update the program.

If an update is found, the program automatically updates itself.
Press the OK button to close that box and continue.


On the Scanner tab:
Make sure the Perform Full Scan option is selected.

Then click on the Scan button.

If asked to select the drives to scan, leave all the drives selected.
Click on the Start Scan button.

The scan may take some time to complete, so please be patient.

When the scan is finished, a message box shows The scan completed successfully. Click 'Show Results' to display all objects found

Click OK to close the message box and continue with the removal process.


Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware found.
Make sure that everything is checked, and click: Remove Selected

When removal is completed, a report opens in Notepad.

The log is automatically saved and can be viewed by clicking the Logs tab.

Please copy/paste the entire contents of the MBAM report in your reply.

Exit MBAM when done.

After running Malwarebytes', you can use the computer as you wish.

The malware is incapacitated, however, we will run some more programs to make sure.
#7 | July 17th, 2012, 08:20 PM | grace too
Hello Aaflac,

I have followed your instructions regarding Malwarebytes' Anti-Malware program, and have saved the log file. It is as follows:


Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.17.11

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Pandora :: PANDORA-PC [administrator]

7/17/2012 1:27:27 PM
mbam-log-2012-07-17 (13-27-27).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 466078
Time elapsed: 1 hour(s), 26 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Trojan.Lameshield) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\ProgramData\036E19321A4FAF35F6D847552F3B707C\036E19321A4FAF35F6D847552F3B707C.exe (Trojan.Lameshield) -> Quarantined and deleted successfully.
C:\Users\Pandora\Desktop\RK_Quarantine\036E19321A4FAF35F6D847552F3B707C.exe.vir (Trojan.Lameshield) -> Quarantined and deleted successfully.

(end)

Thank you again for your help.
#8 | July 18th, 2012, 04:02 AM | Aaflac
You're doing good!

Please enable the viewing of hidden files in Vista, as described here.

Since the following file was found as 'Suspicious' in the initial RogueKiller scan, please submit the file for analysis to VirusTotal, so we can remove any doubt:
C:\Users\Pandora\AppData\Roaming\mjusbsp\cdloader2.exe


When you get to the website, use the Browse button to navigate to the location of C:\Users\Pandora\AppData\Roaming\mjusbsp\cdloader2.exe
Click on the file, then, click the Open button.
The file is now displayed in the Submit Box.

Scroll down and click Send File, and wait for the results.

If you get a message saying: 'File has already been analyzed', click: 'Reanalyze file now'

Once scanned, and you see the full results page on your screen, go up to the address bar at the top of the browser, and copy the http:// address there.

Then, provide the http:// address of the results page in your reply.


In addition to VirusTotal, also submit the same file to one of the following:
Jotti's VirusScan
VirSCAN

Once there, do the following:
  • In the File to Scan (Upload, or, Submit) box, click the Browse button and locate the C:\Users\Pandora\AppData\Roaming\mjusbsp\cdloader2.exe file.
  • Click the Open button in the Browse prompt, and, when the file shows, click the Submit (or Upload) button on the website.
  • If you get a message saying File has already been analyzed, click: Reanalyze or Scan again
Also post the link for the file analysis in your reply.
#9 | July 19th, 2012, 02:50 AM | grace too
Hi Aaflac

I followed your instructions for enabling the viewing of hidden files in Vista.

However, when I tried to follow the path to cdloader2.exe to submit it to VirusTotal, I got halted at the Application Data folder. The Application Data folder was (not greyed out, but same effect) lighter in colour than the other folders, and when clicked upon a pop-up message came up reading "C:\Users\Pandora\Application Data is not accessible. Access is denied." with an OK button.

I went back into the Control Panel and followed the path to make sure that the radio button for Show hidden files or folders was selected and that the checkmarks were removed for Hide extensions for known file types and Hide protected operating system files. Sure enough, they were.

Sorry that it's not working. What would you like me to do now?

Thank you for sticking with me and helping.
#10 | July 19th, 2012, 05:13 AM | Aaflac
My bad.

That is one of those folders in Vista/Windows Seven that exists, but does not exist.
If you are totally confused, we'll be confused together. Not to worry!

Let's press on and run the ESET Online Scanner:

Please disable your AntiVirus program and any AntiSpyware programs while performing the scan.
It precludes conflicts, and will speed up scan time.

For information on how to disable protective programs, refer to this link:
http://www.bleepingcomputer.com/forums/topic114351.html

You will need to use Internet Explorer (IE) for this scan, since the scanner is implemented as an ActiveX control.
Right-click on the IE shortcut and select: Run as Administrator

Download ESET Online Scanner

Press the ESET Online Scanner download button
  • In the prompt that appears, check 'Yes' to Accept Terms of Use, and click the 'Start' button
  • Allow the ActiveX to download, and click: 'Install'
  • Click Start
  • Make sure that the option Remove found threats is unticked.
  • Click Scan
  • Wait for the scan to finish
  • If any threats are found, click the 'List of found threats', then click Export to text file....
  • Save the file to your Desktop as: ESET Scan.

Please provide the contents of ESET Scan in your reply.
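What grace too ran into in post #9 is a Vista/7 compatibility junction: C:\Users\<name>\Application Data is a reparse point that points at AppData\Roaming (likewise Local Settings points at AppData\Local, and C:\Documents and Settings at C:\Users), and these junctions carry a deny-ACL for directory listing, so Explorer reports "Access is denied" while the real folder opens normally. The script below is an added example, not code from the thread or from any tool named in it: it rewrites such paths to their real location, reports whether a path is a reparse point (Windows only; it returns False elsewhere), and computes MD5/SHA-1/SHA-256 digests of the file so it can be searched on VirusTotal or the other services by hash before uploading anything; the "File has already been analyzed" prompt in post #8 is keyed on exactly that digest. The magicJack path used as the default is the one from the thread; the digests in the test are the standard empty-input and "abc" vectors.

```python
"""Resolve Vista/7 compatibility-junction names to the real profile folders,
flag reparse points, and hash a file for a lookup on VirusTotal, Jotti or
VirSCAN by digest. Added example; not code from the thread."""
import hashlib
import os
import sys
from typing import Dict

FILE_ATTRIBUTE_REPARSE_POINT = 0x400   # same value as stat.FILE_ATTRIBUTE_REPARSE_POINT
ALGOS = ("md5", "sha1", "sha256")

# Junctions Vista/7 keep directly under C:\Users\<name> so XP-era programs
# still find their paths. They deny directory listing ("Access is denied")
# but the target folders are normal, fully accessible directories.
USER_LEVEL_JUNCTIONS = {
    "application data": ["AppData", "Roaming"],
    "local settings": ["AppData", "Local"],
    "my documents": ["Documents"],
}


def resolve_legacy_path(path: str) -> str:
    r"""Rewrite C:\Documents and Settings\... to C:\Users\... and the per-user
    junction names to their AppData / Documents targets. Pure string work, so
    it behaves the same on any OS; nothing is touched on disk."""
    parts = path.split("\\")
    out = []
    for i, component in enumerate(parts):
        low = component.lower()
        if i == 1 and low == "documents and settings":
            out.append("Users")
        elif i == 3 and out[1].lower() == "users" and low in USER_LEVEL_JUNCTIONS:
            out.extend(USER_LEVEL_JUNCTIONS[low])
        else:
            out.append(component)
    return "\\".join(out)


def is_reparse_point(path: str) -> bool:
    """Windows only: True if the path itself is a junction or symlink.
    On other platforms st_file_attributes is absent and this returns False."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)


def digests(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of an in-memory buffer (used by the test)."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def hash_file(path: str) -> Dict[str, str]:
    """Stream the file through all three hashes; the path is resolved first so
    a legacy junction name reaches the real file."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(resolve_legacy_path(path), "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


if __name__ == "__main__":
    # Default is the path from the thread; pass another as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else \
        r"C:\Users\Pandora\Application Data\mjusbsp\cdloader2.exe"
    real = resolve_legacy_path(target)
    print("requested :", target)
    print("real path :", real)
    print("junction  :", is_reparse_point(os.path.dirname(target)))
    if os.path.isfile(real):
        for algo, digest in hash_file(real).items():
            print(f"{algo:7} {digest}")
        print("Search the SHA-256 on VirusTotal before uploading the file.")
    else:
        print("file not found; nothing hashed")
```

Searching the digest first tells you whether the file is already known to the scanners without sending a possibly private binary anywhere; only upload if the hash is unknown. Typing the AppData\Roaming path directly into the Explorer address bar, as post #8 intended, reaches the same file without going through the junction.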
#11 | July 19th, 2012, 03:58 PM | grace too
Lol yes it is a little confusing.

So I disabled all of the anti-virus/adaware/firewall programs that I was aware of having, and was prompted to reboot.

After reboot I opened IE as administrator, went to the ESET Online Scanner site, removed the checkmark for remove threats found, and then ran the scan.

When the scan was finished, it said there were no threats found. But I am wondering whether, when I rebooted after disabling all of the AV programs, that might have (a) re-hidden the hidden files/folders again, and/or (b) restarted some/any of the disabled AV programs?

Bottom line is, I guess I'm wondering why it came up with no threats found. (I know, I should be happy, and I am... but curious, lol)
#12 | July 20th, 2012, 03:57 AM | Aaflac
ESET is a reliable online scan. If it did not come up with any threats, that is probably the case. No scanner picks up every single threat; it is normally a game of catch-up with malware, but at this point we have no reason to believe that ESET is providing erroneous info.

Are you able to browse on the Internet, run programs, access the Task Manager, etc.?

Next, please download DDS
Save to the Desktop

Temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the programs we are about to run.

If you wish to look at information on how to disable these programs, please refer to the information available through this link

Vista: Right-click DDS and select 'Run as Administrator'

When done, DDS opens two logs:
-DDS.txt (Opens on the Desktop)
-Attach.txt (Minimized on the TaskBar)

Please post both reports (do not attach) in your reply.
#13 | July 20th, 2012, 06:31 AM | grace too
Glad to hear that ESET is a reliable online scan, I figured as much if you were suggesting that I use it. But it's nice to get reassurance, lol.

Yes, I am able to browse on the Internet, run programs, access the Task Manager, etc.

So I have downloaded DDS, disabled my av protection, and ran the scan. Note: It did not give me the option when I right-clicked on the shortcut icon to Run as Administrator, so I ran it as is. I hope that's okay.

The 2 reports are as follows:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 9/19/2010 11:55:12 PM
System Uptime: 7/19/2012 10:38:00 PM (3 hours ago)
.
Motherboard: Acer | | RS740DVF
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ | AM2 | 2000/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 113 GiB total, 65.422 GiB free.
D: is FIXED (NTFS) - 170 GiB total, 161.542 GiB free.
E: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is CDROM ()
K: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&2A700557&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&2A700557&0
Service: i8042prt
.
==== System Restore Points ===================
.
RP636: 7/5/2012 9:43:28 PM - Windows Update
RP637: 7/7/2012 4:16:46 PM - Scheduled Checkpoint
RP638: 7/9/2012 10:40:16 PM - Windows Update
RP639: 7/10/2012 7:13:05 PM - Scheduled Checkpoint
RP640: 7/11/2012 6:27:29 PM - Windows Update
RP641: 7/15/2012 12:09:47 AM - Windows Update
RP642: 7/17/2012 3:47:21 PM - Scheduled Checkpoint
RP643: 7/18/2012 9:14:29 PM - Windows Update
.
==== Installed Programs ======================
.
ABBYY FineReader 6.0 Sprint
Acer Arcade Live Main Page
Acer Assist
Acer DV Magician
Acer DVDivine
Acer eDataSecurity Management
Acer Empowering Technology
Acer eRecovery Management
Acer eSettings Management
Acer GameZone Console DTV 2.0.1.1
Acer HomeMedia
Acer HomeMedia Connect
Acer HomeMedia Trial Creator
Acer Registration
Acer ScreenSaver
Acer SlideShow DVD
Acer VideoMagician
Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware
Adobe AIR
Adobe Download Manager
Adobe Flash Player 11 ActiveX
Adobe Reader 8.3.1
Agatha Christie Death on the Nile
Alice Greenfingers
ATI Catalyst Install Manager
Azada
Backspin Billiards
Big Kahuna Reef
Bookworm Deluxe
Bricks of Egypt
Cake Mania
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Chicken Invaders 3
Chuzzle
Compatibility Pack for the 2007 Office system
Cradle of Rome
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Diner Dash Flo on the Go
EMDB 1.36
ESET Online Scanner v3
eSobi v2
FileZilla Client 3.5.3
Flip Words 2
Gemsweeper
Google Chrome
Google Talk Plugin
Google Update Helper
Great Adventures - Lost in Mountains
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Imikimi Plugin
Jane Angel - Templar Mystery
Java Auto Updater
Java(TM) 6 Update 29
Jewel Quest Solitaire
Kick N Rush
Lexmark 1200 Series
Lexmark Fax Solutions
LightScribe 1.4.142.1
magicJack
Mahjong Escape Ancient China
Mahjongg Artifacts
Malwarebytes Anti-Malware version 1.62.0.1300
Mavis Beacon Teaches Typing 12 Standard
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Excel MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Standard 2010
Microsoft Office Word MUI (English) 2010
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Word Supplemental Templates and Wizards
Microsoft Works
Mozilla Firefox 10.0.2 (x86 en-US)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Mystery Case Files - Huntsville
Mystery Solitaire - Secret Island
NTI Backup Now 5
NTI Backup Now Standard
NTI Media Maker 8
Panda ActiveScan 2.0
PG583_32_inf
PokerStars
PrimoPDF -- brought to you by Nitro PDF Software
Realtek High Definition Audio Driver
Replay Media Catcher 4
Samantha Swift and the Hidden Roses of Athena
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft Excel 2010 (KB2597166) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2553322) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Skins
Spybot - Search & Destroy
Trend Micro RUBotted 2.0 Beta
Turbo Pizza
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
VC 9.0 Runtime
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 2.0.1
Windows Driver Package - YUAN High-Tech Development Co. Ltd. (OmniTV) Media (12/14/2007 6.1.32.42)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinPcap 4.1.1
Yahoo! Messenger
ZoneAlarm Firewall
ZoneAlarm Free Firewall
ZoneAlarm LTD Toolbar
ZoneAlarm Security
Zuma Deluxe
.
==== Event Viewer Messages From Past Week ========
.
7/19/2012 12:27:48 AM, Error: Microsoft-Windows-ResourcePublication [1002] - Element Provider\Microsoft.Base.Publication/Publication/Computer failed to publish. Ensure that both PKEY_PUBSVCS_METADATA and PKEY_PUBSVCS_TYPE are set properly on the function instance and there were no errors adding the function instance.
7/19/2012 10:05:08 PM, Error: Service Control Manager [7022] - The NTI Backup Now 5 Backup Service service hung on starting.
7/16/2012 11:26:54 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
7/16/2012 11:26:42 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
7/16/2012 11:26:31 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/16/2012 11:26:22 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
7/16/2012 11:26:06 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: MpFilter pavboot spldr Wanarpv6
7/16/2012 11:26:06 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
7/16/2012 11:24:08 PM, Error: Service Control Manager [7043] - The Group Policy Client service did not shut down properly after receiving a preshutdown control.
.
==== End Of File ===========================


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Pandora at 1:15:00 on 2012-07-20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.1139 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
FW: ZoneAlarm Free Firewall Firewall *Disabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxczcoms.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Acer\Empowering Technology\SysMonitor.exe
C:\Program Files\Acer\Empowering Technology\Framework.Launcher.exe
C:\Program Files\Lexmark 1200 Series\LXCZbmgr.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://www.google.ca/
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [cdloader] "c:\users\pandora\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [Google Update] "c:\users\pandora\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Acer Empowering Technology Monitor] c:\program files\acer\empowering technology\SysMonitor.exe
mRun: [EmpoweringTechnology] c:\program files\acer\empowering technology\Framework.Launcher.exe boot
mRun: [PCMMediaSharing] c:\program files\acer arcade live\acer homemedia connect\kernel\dms\PCMMediaSharing.exe
mRun: [eRecoveryService]
mRun: [lxczbmgr.exe] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [ISW]
StartupFolder: c:\users\pandora\appdata\roaming\microsoft\windows\start menu\programs\startup\OneNote 2010 Screen Clipper and Launcher.lnk.disabled
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\MiniMavis.lnk.disabled
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} - hxxp://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} - hxxp://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{BCD16A46-17CF-48A7-97D2-C94905809BB8} : DhcpNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\pandora\appdata\roaming\mozilla\firefox\profiles\bnkztkpi.default\
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.8\npapicomadapter.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\users\pandora\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\users\pandora\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\pandora\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-11-6 64512]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 171064]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-9-23 28552]
R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\acer arcade live\acer homemedia connect\kernel\dms\CLMSServer.exe [2008-3-15 269448]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-2-25 21752]
R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-3-15 24576]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-11-3 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2011-11-3 497320]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-2-25 49152]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-2-25 131072]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2011-9-23 439632]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-12-8 1153368]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2008-1-20 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2008-1-20 251904]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-20 135664]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-9-20 135664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-11-3 2152720]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-11-3 15232]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-1-20 21504]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-07-20 04:51:02 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{5b50ce88-7caf-4295-9970-f6fc0f152521}\offreg.dll
2012-07-20 02:11:32 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{5b50ce88-7caf-4295-9970-f6fc0f152521}\mpengine.dll
2012-07-19 06:11:15 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e8434204-bbc7-4ceb-ab31-f275166a6cc9}\mpengine.dll
2012-07-19 05:10:45 -------- d-----w- c:\program files\ESET
2012-07-19 01:15:51 6891424 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-07-17 17:24:41 -------- d-----w- c:\users\pandora\appdata\roaming\Malwarebytes
2012-07-17 17:23:22 -------- d-----w- c:\programdata\Malwarebytes
2012-07-17 17:23:20 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-17 17:23:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-16 07:07:49 -------- d-----w- c:\programdata\036E19321A4FAF35F6D847552F3B707C
2012-07-11 22:45:51 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 22:29:59 678912 ----a-w- c:\program files\internet explorer\iedvtool.dll
2012-07-11 22:29:59 387584 ----a-w- c:\program files\internet explorer\jsdbgui.dll
2012-07-11 22:29:58 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-07-11 18:45:16 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
2012-07-11 18:45:07 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-11 18:45:07 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-11 18:45:05 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 18:45:04 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-11 18:45:04 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-07 21:09:10 -------- d-----w- c:\users\pandora\.thumbnails
2012-07-07 21:05:52 -------- d-----w- c:\users\pandora\.gimp-2.6
2012-07-04 19:12:21 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{93bcd715-78b0-4eb6-952a-2ce07ea00eae}\gapaengine.dll
2012-06-21 17:46:42 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 17:46:10 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 17:44:48 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 17:44:47 33792 ----a-w- c:\windows\system32\wuapp.exe
.
==================== Find3M ====================
.
2012-07-19 01:12:58 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-19 01:12:57 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-31 16:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-01 14:03:49 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-23 16:00:53 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-04-23 16:00:53 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-04-23 16:00:53 133120 ----a-w- c:\windows\system32\cryptsvc.dll
.
============= FINISH: 1:16:22.37 ===============


Thank you again, Aaflac, for your help.
  #14  
July 30th, 2012, 04:07 AM
Aaflac
Malware Removal Team
Join Date: May 2007
Location: Illinois, USA
Posts: 2,880
Good grief!! My apology!!

Somehow I overlooked this topic.

DDS shows you have two AntiVirus programs installed:
AV: Lavasoft Ad-Watch Live! Anti-Virus
AV: Microsoft Security Essentials

Please make sure you have only one AntiVirus program, as running two AntiVirus programs is counter-productive.
The following is quoted from quietman7, a well-known Malware Analyst in the Security Forums:
Quote:
Each anti-virus often interprets the activity of the other as a virus. If one AV finds a virus and then the other also finds the same virus, both programs will be competing over exclusive rights on dealing with that virus. Each AV will attempt to remove the offending file and quarantine it. If one finds and quarantines the file before the other one does, then you encounter the problem of both wanting to scan each other's zipped or archived files, and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a virus has been found, when that is not the case.
Are you paying for the Lavasoft program?

Post back as to whether both programs are free, or not.

Also, please download Security Check
Save it to the Desktop.
Right-click SecurityCheck.exe and select 'Run as Administrator'
Follow the onscreen instructions (on the black screen)
When done, a Notepad document opens automatically: checkup.txt

Please post the contents of checkup.txt in your reply.
  #15  
August 3rd, 2012, 02:53 AM
grace too
Senior Member
Join Date: Jul 2006
O/S: Windows Vista 32-bit
Posts: 102
Hi Aaflac:

I came back several times after my last post, but since you didn't respond, I assumed all was okay, lol. Anyway, I'm glad you replied and I came back one more time to check up.

Something weird that has been happening is that whenever I open Chrome, it is a blank screen with the spinning blue O. It'll stay like that forever if I let it. But if I open Chrome a 2nd time, it'll start right up and display my homepage (Google).

To answer your question, I am not paying for the Lavasoft program or the Microsoft Security Essentials. Which one do you suggest I get rid of?

When I click on the _Security Check_ link, I get the following error page: Oops! Google Chrome could not find xn--http-996a

Thanks in advance.