etavares  Posted October 25, 2011

Hello, urmaserendipity85.

If the computer is running fine, no need to worry about Trusteer. That being said, I am a bit concerned that you can't see Program Files. Let's take a look.

Download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
If you have a 64-bit system, please download the 64-bit version from here: SystemLook (64-bit)
- Double-click SystemLook.exe to run it.
- A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
- Copy and paste the content of the following codebox into the main textfield under "File":

:folderfind *Program*

- Please confirm everything is copied and pasted as I have provided above.
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.

etavares

etavares is a member of: Alliance of Security Analysis Professionals, Unified Network of Instructors and Trained Eliminators
urmaserendipity85 (Author)  Posted October 25, 2011

here we are:

SystemLook 30.07.11 by jpshortstuff
Log created at 12:39 on 25/10/2011 by Emma
Administrator - Elevation successful

========== folderfind ==========

Searching for "*Program*"
C:\Program Files dr-h--- [11:18 02/11/2006]
C:\ProgramData d------ [11:18 02/11/2006]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs dr----- [11:18 02/11/2006]
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs dr----- [11:18 02/11/2006]
C:\Users\Default\AppData\Roaming\Media Center Programs d------ [12:37 02/11/2006]
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs d------ [11:18 02/11/2006]
C:\Users\Emma\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\ProgramData d------ [12:06 21/10/2011]
C:\Users\Emma\AppData\Local\VirtualStore\Program Files dr----- [11:18 02/11/2006]
C:\Users\Emma\AppData\Local\VirtualStore\ProgramData d--h--- [11:18 02/11/2006]
C:\Users\Emma\AppData\Roaming\Media Center Programs d------ [17:46 20/07/2009]
C:\Users\Emma\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\66DWBDJ5\http://www.channel4.com\static\programmes d------ [13:31 22/10/2011]
C:\Users\Emma\AppData\Roaming\Microsoft\Windows\Start Menu\Programs dr----- [17:46 20/07/2009]
C:\Windows\Downloaded Program Files d---s-- [11:18 02/11/2006]
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs d------ [12:47 02/11/2006]
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs d------ [12:47 02/11/2006]
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs d------ [12:47 02/11/2006]
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs d------ [12:47 02/11/2006]
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs d------ [14:56 09/05/2010]
C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program d------ [12:55 02/11/2006]
C:\Windows\winsxs\x86_microsoft-windows-h..-programs.resources_31bf3856ad364e35_6.0.6000.16386_en-us_9695d7ef4bd79eb0 d------ [12:41 02/11/2006]
C:\_OTL\MovedFiles\10192011_203539\C_Program Files d------ [19:36 19/10/2011]
C:\_OTL\MovedFiles\10192011_203539\C_Windows\Downloaded Program Files d------ [19:36 19/10/2011]

-= EOF =-
etavares  Posted October 26, 2011

OK, it appears to be there, but hidden.

Click Start --> Run, type cmd and press Enter. At the command prompt, type

attrib -h "C:\Program Files"

and press Enter. Note the space after attrib, and after -h.

Then, you should be able to see C:\Program Files...it shouldn't be hidden. Did that work?
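The check etavares performs by eye above (a folder that SystemLook reports with the h flag, cleared with attrib -h) is the kind of thing worth automating when you review many of these logs. The Python below is an added example written for this page; it is not SystemLook's code and not from anyone in the thread. It parses folderfind result lines of the shape posted above, flags directories that are hidden but normally visible, and prints the attrib command from the post for each one. The sample lines are constructed from the posted log, the assumption that the 7-letter attribute field uses h/s/r for hidden/system/read-only is mine, and EXPECTED_VISIBLE is an assumed baseline you would extend for your own environment.

```python
import re

# Constructed sample modelled on the SystemLook ":folderfind *Program*" output
# posted earlier in this thread; the paths and attribute strings are the ones
# from that log, with spaces standing in for whatever separator SystemLook used.
SAMPLE_SYSTEMLOOK = r"""
SystemLook 30.07.11 by jpshortstuff
========== folderfind ==========
Searching for "*Program*"
C:\Program Files dr-h--- [11:18 02/11/2006]
C:\ProgramData d------ [11:18 02/11/2006]
C:\Users\Emma\AppData\Local\VirtualStore\ProgramData d--h--- [11:18 02/11/2006]
C:\Windows\Downloaded Program Files d---s-- [11:18 02/11/2006]
C:\_OTL\MovedFiles\10192011_203539\C_Program Files d------ [19:36 19/10/2011]
-= EOF =-
"""

# One folderfind result: <path> <attribute letters> [<hh:mm dd/mm/yyyy>].
# Assumption: the attribute field is the 7-character string seen in the log,
# in which 'h' marks hidden, 's' system and 'r' read-only.
LINE_RE = re.compile(r"^(?P<path>.+?)\s+(?P<attrs>[a-z-]{7})\s+\[(?P<stamp>[^\]]+)\]$")

# Directories a default install leaves visible; a hidden flag on one of these
# is a finding.  Assumed list for this example; extend it for your own baseline.
EXPECTED_VISIBLE = {r"c:\program files", r"c:\program files (x86)"}


def parse_systemlook(text):
    """Return one dict per folderfind result line; header/footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        attrs = m.group("attrs")
        entries.append({
            "path": m.group("path"),
            "hidden": "h" in attrs,
            "system": "s" in attrs,
            "readonly": "r" in attrs,
            "stamp": m.group("stamp"),
        })
    return entries


def find_hidden_program_dirs(entries):
    """Paths from EXPECTED_VISIBLE that carry the hidden attribute.

    Other hidden folders (e.g. the VirtualStore copy in the sample) are not
    on the list and so are not reported."""
    return [e["path"] for e in entries
            if e["hidden"] and e["path"].lower().rstrip("\\") in EXPECTED_VISIBLE]


def attrib_fix_command(path):
    """The command used in this thread to clear the hidden attribute on one folder."""
    return f'attrib -h "{path}"'


if __name__ == "__main__":
    found = parse_systemlook(SAMPLE_SYSTEMLOOK)
    for path in find_hidden_program_dirs(found):
        print(f"{path} is hidden; fix with: {attrib_fix_command(path)}")
```

Run against the sample it reports only C:\Program Files, which is the same conclusion etavares drew from the full log; the VirtualStore\ProgramData entry is hidden too but is not on the expected-visible list, so it is left alone.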
urmaserendipity85 (Author)  Posted October 28, 2011

Tried to do the above, and getting the BSOD continuously again. This seems to be very intermittent, but is also very annoying and very inconvenient. Any suggestions for preventing this from happening in the future? Thanks
urmaserendipity85 (Author)  Posted October 28, 2011

Also, computer keeps turning itself off every 10 minutes or so. It feels very hot when it does this, and my cooling pad recently broke. Is it likely to be to do with this? And how do I fix it without another cooling pad? Thanks :)
etavares  Posted October 28, 2011

Hello, urmaserendipity85.

I'm not thrilled with the response...something still seems to be amiss. Is the BSOD the same one you have been getting? Did you uninstall Trusteer?

Running hot is a symptom...is the fan going? You should be able to hear it. If no, we need to fix the fan. If yes, we need to fix the root cause of WHY it's running hot.

Next, please download ComboFix from one of these locations:
Bleepingcomputer
InfoSpyware

* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
- Double click on etavaresCF.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
(image: http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)
- Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(image: http://img.photobucket.com/albums/v706/ried7/whatnext.png)
- Click on Yes, to continue scanning for malware.
- When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares
RandyL  Posted October 29, 2011

Quoting urmaserendipity85: "computer keeps turning itself off every 10 minutes or so. It feels very hot when it does this, and my cooling pad recently broke."

I just wanted to mention that if this is a laptop you should only be using it on a hard flat surface. Not a lap, bed cushion, mat etc. As etavares said it could be a heat issue.

We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs.
urmaserendipity85 (Author)  Posted October 29, 2011

Here is the log. I'm using Chrome, which doesn't give me an option to save things as different names (or it might do, but I haven't figured it out). If you need me to change the name and re-run the scan, that's fine, just let me know.

ComboFix 11-10-29.03 - Emma 29/10/2011 14:55:13.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1917.1052 [GMT 1:00]
Running from: c:\users\Emma\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-29 )))))))))))))))))))))))))))))))
.
.
2011-10-29 14:11 . 2011-10-29 14:11 -------- d-----w- c:\users\Emma\AppData\Local\temp
2011-10-29 14:11 . 2011-10-29 14:11 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-10-29 14:11 . 2011-10-29 14:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-29 13:42 . 2011-10-29 13:42 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DA8E8011-DDBF-427E-8A00-1F66FCE3E862}\MpKsl85a4ea10.sys
2011-10-29 13:42 . 2011-09-12 15:14 7269712 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-29 13:41 . 2011-10-29 13:41 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DA8E8011-DDBF-427E-8A00-1F66FCE3E862}\offreg.dll
2011-10-29 13:41 . 2011-10-06 19:48 6668624 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DA8E8011-DDBF-427E-8A00-1F66FCE3E862}\mpengine.dll
2011-10-29 13:39 . 2011-10-29 13:39 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{94466F9E-1D7C-408B-B6AC-B1176AE9FADD}\gapaengine.dll
2011-10-29 12:56 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FD7A79F9-7D30-4BEE-856E-85288B3FFCC2}\mpengine.dll
2011-10-25 11:58 . 2011-10-25 11:58 -------- d-----w- c:\program files\iPod
2011-10-25 11:57 . 2011-10-25 12:01 -------- d-----w- c:\program files\iTunes
2011-10-25 11:42 . 2011-10-25 11:42 -------- d-----w- c:\program files\Bonjour
2011-10-21 11:17 . 2011-10-21 11:17 -------- d-----w- c:\program files\ESET
2011-10-21 10:41 . 2011-10-21 10:41 -------- d-----w- c:\program files\Common Files\Java
2011-10-19 19:35 . 2011-10-19 19:35 -------- d-----w- C:\_OTL
2011-10-19 19:29 . 2011-10-19 19:29 -------- d-----w- c:\program files\ERUNT
2011-10-15 12:56 . 2011-07-29 16:01 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-15 12:56 . 2011-07-29 16:01 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-15 12:56 . 2011-07-29 16:00 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-10-15 12:56 . 2011-07-29 16:00 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-15 12:50 . 2011-09-14 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-10-15 12:49 . 2011-09-06 13:30 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-10-15 12:44 . 2011-08-25 16:15 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-10-15 12:44 . 2011-08-25 16:14 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-10-15 12:44 . 2011-08-25 16:14 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-15 12:44 . 2011-08-25 13:31 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-10-08 14:12 . 2011-10-08 14:12 -------- d-----w- c:\program files\Apple Software Update
2011-10-08 10:09 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-07 17:14 . 2011-10-07 17:14 -------- d-----w- c:\program files\NirSoft
2011-10-03 12:41 . 2011-10-03 12:43 -------- d-----w- c:\program files\QuickTime(223)
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-21 10:39 . 2010-06-02 19:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-25 18:00 . 2011-09-25 18:00 56336 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-08-30 22:05 . 2011-08-30 22:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-30 22:05 . 2011-08-30 22:05 73064 ----a-w- c:\windows\system32\dnssd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0974BA1E-64EC-11DE-B2A5-E43756D89593}]
2009-12-20 09:51 87480 ---ha-w- c:\progra~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2010-10-19 12:53 585136 ---ha-w- c:\progra~1\BEARSH~1\MediaBar\Datamngr\IEBHO.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{0974BA1E-64EC-11DE-B2A5-E43756D89593}"= "c:\progra~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll" [2009-12-20 87480]
.
[HKEY_CLASSES_ROOT\clsid\{0974ba1e-64ec-11de-b2a5-e43756d89593}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Emma\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Emma\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Emma\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-01-29 430080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-20 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-08-18 17360520]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-29 4911104]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2006-12-06 366400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-22 1836544]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-25 413696]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-01-25 509816]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2007-05-04 571024]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-21 61440]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
c:\users\Emma\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Emma\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\BEARSH~1\MediaBar\Datamngr\datamngr.dll c:\progra~1\BEARSH~1\MediaBar\Datamngr\IEBHO.dll c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"="1"
.
R1 MpKsl0938bf77;MpKsl0938bf77;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{20DD8AA2-EFA6-44BD-BC08-A54D67ED8FA1}\MpKsl0938bf77.sys [x]
R1 MpKsl11f24382;MpKsl11f24382;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{105F0CE2-10DE-40A7-9C57-C00620345318}\MpKsl11f24382.sys [x]
R1 MpKsl1f0b6b75;MpKsl1f0b6b75;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9E20A51D-F7E5-4036-87F9-A9D709DBAEE2}\MpKsl1f0b6b75.sys [x]
R1 MpKsl73e8b45d;MpKsl73e8b45d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9AC2CF04-3A19-489A-970B-9096694C7F77}\MpKsl73e8b45d.sys [x]
R1 MpKsl79419e93;MpKsl79419e93;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{20DD8AA2-EFA6-44BD-BC08-A54D67ED8FA1}\MpKsl79419e93.sys [x]
R1 MpKsla09641b8;MpKsla09641b8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F26B0E9A-A110-4094-9CD6-77C24A16BF95}\MpKsla09641b8.sys [x]
R1 MpKsld05f167d;MpKsld05f167d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{20DD8AA2-EFA6-44BD-BC08-A54D67ED8FA1}\MpKsld05f167d.sys [x]
R1 MpKsldc442479;MpKsldc442479;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{69BE6673-3D2C-4B69-BE00-139B76369D54}\MpKsldc442479.sys [x]
R1 MpKsle54ac536;MpKsle54ac536;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B8FAE9A2-A6F4-4C23-95AB-D0DB707BAA97}\MpKsle54ac536.sys [x]
R1 MpKsle56fb53d;MpKsle56fb53d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A01E9465-40B5-4F7A-A883-028AE8484E9D}\MpKsle56fb53d.sys [x]
R1 MpKsle6e8eb8d;MpKsle6e8eb8d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{11325081-BBB8-4E01-A969-6641850AA0EA}\MpKsle6e8eb8d.sys [x]
R1 MpKslf8f46bc6;MpKslf8f46bc6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9DDF9717-B884-4BC6-AD00-BAD70AAEB38B}\MpKslf8f46bc6.sys [x]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [x]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-07 136176]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-07 136176]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2011-09-25 56336]
S1 MpKsl85a4ea10;MpKsl85a4ea10;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DA8E8011-DDBF-427E-8A00-1F66FCE3E862}\MpKsl85a4ea10.sys [2011-10-29 28752]
S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-02-26 390528]
S1 RapportCerberus_32029;RapportCerberus_32029;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\32029\RapportCerberus32_32029.sys [2011-10-18 227312]
S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys [2007-04-23 25896]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2007-12-25 40960]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-03 126976]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-17 497856]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2007-12-26 290304]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL85A4EA10
*NewlyCreated* - MPNWMON
*NewlyCreated* - NISDRV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-07 22:27]
.
2011-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-07 22:27]
.
2011-10-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1311213406-2224016735-102446658-1000Core.job
- c:\users\Emma\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-18 22:41]
.
2011-10-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1311213406-2224016735-102446658-1000UA.job
- c:\users\Emma\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-18 22:41]
.
2011-10-25 c:\windows\Tasks\Norton Security Scan for Emma.job
- c:\program files\Norton Security Scan\Engine\3.0.0.103\Nss.exe [2011-03-11 07:25]
.
2010-12-17 c:\windows\Tasks\User_Feed_Synchronization-{2BBCE6FC-CF1E-4531-9799-2F8987D23650}.job
- c:\windows\system32\msfeedssync.exe [2011-04-20 18:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/news/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Searchqu 406 MediaBar - c:\program files\Windows iLivid Toolbar\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-29 15:11
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????T]r{?????V???V???V?0 V?X
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1311213406-2224016735-102446658-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:6a,5a,7f,45,13,e2,e3,ed,a2,a0,37,a5,1d,7c,05,a3,85,ae,4c,6e,8a,02,45,
ac,1b,62,26,69,8e,02,e8,1d,06,95,80,70,8d,fe,c4,53,c0,26,0f,a4,bf,94,23,6a,\
"??"=hex:d0,ee,24,fc,75,ba,cc,21,f2,c6,67,5b,68,3a,c8,40
.
[HKEY_USERS\S-1-5-21-1311213406-2224016735-102446658-1000\Software\SecuROM\License information*]
"datasecu"=hex:8a,fb,d8,b4,5b,e0,e5,6c,29,fd,a5,e2,bd,57,d5,d3,38,07,6f,58,b2,
e2,68,2b,e1,f4,31,00,b1,5b,64,7f,76,66,bd,87,bf,63,25,e7,17,c2,93,11,f3,04,\
"rkeysecu"=hex:c4,d8,62,62,b5,39,e9,12,16,00,12,5e,21,55,f6,49
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(19800)
c:\users\Emma\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
Completion time: 2011-10-29 15:17:28
ComboFix-quarantined-files.txt 2011-10-29 14:17
.
Pre-Run: 10,064,330,752 bytes free
Post-Run: 10,001,604,608 bytes free
.
- - End Of File - - 4EED5936B439E47E2C100B2A5ACD0E8E

The fan is running, and I never use my laptop on anything but a hard surface. I deleted Trusteer from Program Files, as well as the file you suggested, while in safe mode, and it now seems to be starting OK again. Could it have been switching itself off because it was in safe mode? Everything seems OK again now. I don't understand technology sometimes... :)
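Reading a ComboFix log by hand, as etavares does in this thread, means going straight to the "Reg Loading Points" section, because that is where persistence shows up. The Python below is an added example for this page, not ComboFix's code and not from anyone in the thread. It parses that section from a constructed excerpt built out of the log above and reports the three things a reviewer looks at first: every AppInit_DLLs entry (the value is empty on a default install, and DLLs listed there are loaded into every process that links user32.dll, so each entry deserves a look), Run values that name a bare executable with no directory (those are resolved through the search path rather than a fixed location), and BHO DLLs carrying the hidden attribute. The regexes and the section handling are my assumptions about the log layout seen here, and the rule that 8.3 short paths contain no spaces is what lets the AppInit_DLLs value be split on whitespace.

```python
import re

# Constructed excerpt modelled on the "Reg Loading Points" section of the
# ComboFix log posted above (keys, GUIDs and paths are the ones from that log).
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0974BA1E-64EC-11DE-B2A5-E43756D89593}]
2009-12-20 09:51 87480 ---ha-w- c:\progra~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2010-10-19 12:53 585136 ---ha-w- c:\progra~1\BEARSH~1\MediaBar\Datamngr\IEBHO.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-29 4911104]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\BEARSH~1\MediaBar\Datamngr\datamngr.dll c:\progra~1\BEARSH~1\MediaBar\Datamngr\IEBHO.dll c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
.
"""

# Assumed line shapes, taken from the log above.
BHO_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9A-Fa-f-]{36}\})\]$")
FILE_LINE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \d+ (?P<attrs>\S{8}) (?P<path>.+)$")
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"')


def parse_loading_points(text):
    """Extract BHOs, Run values and the AppInit_DLLs list from the section."""
    bhos, run_entries, appinit = [], [], []
    section, pending_guid = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = BHO_KEY_RE.match(line)
        if m:                                   # a BHO key; its DLL is on the next file line
            pending_guid, section = m.group(1), "bho"
            continue
        if line.startswith("[") and line.endswith("]"):
            section = "run" if line.lower().endswith("\\run]") else "other"
            pending_guid = None
            continue
        if section == "bho" and pending_guid:
            f = FILE_LINE_RE.match(line)
            if f:
                bhos.append({"clsid": pending_guid, "path": f.group("path"),
                             "hidden": "h" in f.group("attrs")})
                pending_guid = None
            continue
        if section == "run":
            r = RUN_VALUE_RE.match(line)
            if r:
                run_entries.append((r.group("name"), r.group("image")))
            continue
        if line.startswith('"AppInit_DLLs"='):
            # Assumption: 8.3 short paths contain no spaces, so whitespace separates entries.
            appinit = line.split("=", 1)[1].split()
    return {"bhos": bhos, "run": run_entries, "appinit": appinit}


def review_findings(parsed):
    """Reviewer-side points: each AppInit_DLLs entry, Run values with no
    directory, and BHO DLLs flagged hidden.  These are review prompts, not
    verdicts; a legitimate vendor can trip any of them."""
    findings = [("AppInit_DLLs", dll) for dll in parsed["appinit"]]
    for name, image in parsed["run"]:
        if "\\" not in image:
            findings.append(("Run entry without a full path", f"{name} -> {image}"))
    for bho in parsed["bhos"]:
        if bho["hidden"]:
            findings.append(("BHO DLL carries the hidden attribute", f"{bho['clsid']} {bho['path']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in review_findings(parse_loading_points(SAMPLE_COMBOFIX)):
        print(f"{kind}: {detail}")
```

On the sample it lists the three AppInit_DLLs entries, the two bare-image Run values and the two hidden BHO DLLs; note that the same IEBHO.dll appears both as a BHO and in AppInit_DLLs, which is the sort of overlap that is easy to miss when scrolling a flat log.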
etavares  Posted October 30, 2011

Everything looks OK there. Good that the fan is running. It shouldn't have been switching itself off in safe mode. It could do that if it was low on battery, though.

Please reply back in a day or two and let me know if it's been OK. If it starts to get hot, press Ctrl-Shift-Esc to bring up the Task Manager. Click the Processes tab, then click on the CPU column header to sort. Look for the programs that have a high number (> 10) in that column and let me know what program it is.

If it's running OK, just let me know and we'll clean up our work.
urmaserendipity85 (Author)  Posted November 3, 2011

Everything seems to be running fine now, happy days :)
etavares  Posted November 4, 2011

OK, can you see C:\Program Files\ now? That's the last item to fix before we clean up our work.
urmaserendipity85 (Author)  Posted November 4, 2011

Yep, deleted as described :)
etavares  Posted November 5, 2011

Deleted? We didn't need to delete that, just ensure it's visible. Are you able to restore it from the Recycle Bin?
urmaserendipity85 (Author)  Posted November 6, 2011

Yeah sorry, I didn't delete the whole of Program Files, just C:\Program Files\Windows iLivid Toolbar\ as requested earlier. Program Files is visible.
etavares  Posted November 6, 2011

Hello, urmaserendipity85.

OK, that makes sense to me now. :)

Ok, good news. Your log appears clean. Let's clean up our mess. If your computer is running well, please do the steps listed below. At the end, I've also listed a few completely optional things you can do to further secure your computer. Safe surfing!

Step 1: Uninstall ComboFix and Clean Up
Click Start > Run and type combofix /Uninstall, then click OK (Note the space between combofix and /Uninstall). See below:
(image: http://i517.photobucket.com/albums/u338/Eextremeboy/CF_Uninstall-1.jpg)
Please advise if this step is missed for any reason as it performs some important actions.

Download and Run OTC
We will now remove the tools we used during this fix using OTC.
- Download OTC by OldTimer and save it to your desktop. If that link doesn't work, try this one.
- Double click the (image: http://i517.photobucket.com/albums/u338/Eextremeboy/OTC_Icon.jpg) icon to start the program. If you are using Vista, please right-click and choose run as administrator.
- Then click the big (image: http://i517.photobucket.com/albums/u338/Eextremeboy/CleanUp.jpg) button.
- You will get a prompt saying "Begin Cleanup Process". Please select Yes.
- Restart your computer when prompted.

If you ran Defogger and disabled your emulator, please don't forget to run it again and re-enable it. See the instructions here to do so.

Optional Items
Please take the time to read below to secure your machine and take the necessary steps to keep it that way.

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance. If you are running Windows Vista or Windows 7, please right-click on the icon, and select "Run As Administrator"; otherwise it won't work.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

Protect yourself from malicious sites
The HOSTS file can protect you from connecting to bad sites. See The Hosts File and what it can do for you for more background.
Please download HostMan. It safeguards you with a regularly updated Hosts file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
- Double-click the downloaded installer and install the tool to a location of your choice.
- Via the Start menu, navigate to HostsMan and run the program.
- Click "Hosts" in the menu.
- Click "Manage Updates" in the submenu.
- Out of the three, select at least one of the three (I have MVPS Host as my main one).
- Click "Add Update." After that you will only need to click on the following button to retrieve updates: (image: http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/HostsXpert_update.png)
- Click the X to exit the program.
- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Keep Windows Up to Date
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update your AntiVirus Software
It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Use a Firewall
I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly. For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

Install an AntiSpyware Program
A highly recommended AntiSpyware program is Malwarebytes Anti-Malware. You can download the free version. Installing this program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software.

Update all these programs regularly
Make sure you update all your programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. You can use Secunia PSI to keep track of necessary updates. It can run in the background and constantly monitor your software; although I just run it once a week manually. It will alert you when an update is available for a variety of software. It is very useful.

Follow this list and your potential for being infected again will reduce dramatically. Good luck!

etavares
urmaserendipity85 (Author)  Posted November 8, 2011

Thank you so much for all your help!
etavares  Posted November 9, 2011

You're welcome!