Solved: Help! Security Tool has taken over my laptop!!

sugarjunkie2979 · 04:15 AM

I am using my iPhone to post this and have been searching for a solution to remove this program for about six hours now. Windows XP and my laptop is an Acer I don't use any p2p or pirate bay or anything I was doing a google search for cakes when I noticed my spybot disappear and two new icons appeared and all these pop ups for this fake security tool 2.20 showed up...???
So I can't open taskmanager using ctl alt del or through start run taskmgr
can not start up in safe mode (f8 repeatedly but nothing happens...?)
can not download anything from Internet (blocked by the security tool )
did a search of files and folders deleted 2 entries for security tool emptied recycle bin and deleted it through add/remove programs as well and restarted, did not work
can not use start run for any searches cannot open regedit
deleted temporary Internet files and can browse internet as usual (did not type in any passwords etc only searched for help on removing this program )
I have an external hard drive my files are all backed up on there
what can I do??? I need my laptop working can anyone help me get me laptop running again and get rid of this?
thanks in advance!

sugarjunkie2979 · 15-Dec-2010, 04:09 AM #2

Just wondering is there another way to open task manager? Or any downloadable program that this virus will allow me to download? The pop ups are unbelievable fro
this thing! Forgot to mention that I have spybot and it didn't stop this thing from taking over my laptop and I am unable to open it....

kevinf80 · 15-Dec-2010, 04:48 AM #3

Hello sugarjunkie2979,

I'm kevinf80 and I will be helping with any malware issues you may have with your system.

Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Either print or Save to Notepad all instructions and please follow them carefully, if there's something you don't understand or that will not work please let me know and we will go through it together.
Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.
If you have any P2P applications installed such as BitTorrent, uTorrent, Limewire etc etc, please uninstall them before we begin.
If you are using Cracked or Illegal software your thread will be locked and all help will cease.

Please proceed as follows :-

Re-boot into Safemode with Networking:

Re-boot system, continuously tap the F8 key until you see the Windows Advanced Menu, from the available options select Safemode with Networking

Next,

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alernative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next,

Re-boot into Normal mode and re-run Malwarebytes as above. Post both logs in your reply

Kevin

sugarjunkie2979 · 15-Dec-2010, 01:14 PM #4

Thanks so much Kevin!
It took a few tries but I got it into safemode and downloaded malwarebytes and it is scanning now 22 objects infected and it's only been running 2 min! I am shocked by that! Our whole family uses this laptop but that seems like a lot! Anyways thanks again will post logs when it is complete.
Jaclyn

sugarjunkie2979 · 15-Dec-2010, 01:36 PM #5

Here are the completed logs
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org
Database version: 5322
Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18372
15/12/2010 1:17:49 PM
mbam-log-2010-12-15 (13-17-49).txt
Scan type: Quick scan
Objects scanned: 149918
Time elapsed: 7 minute(s), 14 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 23
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 13
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0 0A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6 FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0 7B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0 7B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B1 8EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B1 8EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4D B7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2BA1 C226-EC1B-4471-A65F-D0688AC6EE3A} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CC3 D8FE-F0E0-4DD1-A69A-8C56BCC7BEBF} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CC3 D8FE-F0E0-4DD1-A69A-8C56BCC7BEC0} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3DC2 01FB-E9C9-499C-A11F-23C360D7C3F8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6FD3 1ED6-7C94-4BBC-8E95-F927F4D3A949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9FF0 5104-B030-46FC-94B8-81276E4E27DF} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F526 5733-588B-46C8-8921-65AAB76EBE99} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F919 FBD3-A96B-4679-AF26-F551439BB5FD} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dLkPh05 600 (Rogue.SystemTool) -> Value: dLkPh05600 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\Zango 10.3.37.0 (Adware.Zango) -> Value: Zango 10.3.37.0 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\82066123 (Trojan.SCTool.Gen) -> Value: 82066123 -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
c:\documents and settings\all users\application data\salesmonitor (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\salesmonitor\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\systemerrorfixer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\systemerrorfixer\Data (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
c:\documents and settings\Joann\application data\systemerrorfixer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
c:\documents and settings\Joann\application data\systemerrorfixer\Logs (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\all users\application data\dlkph05600\dlkph05600.exe (Rogue.SystemTool) -> Quarantined and deleted successfully.
c:\documents and settings\Joann\application data\microsoft\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Joann\application data\microsoft\Windows\shell.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Joann\local settings\Temp\0.0437447482825718.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Joann\local settings\Temp\0.06702917333176561.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Joann\local settings\Temp\dwm.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Joann\application data\microsoft\stor.cfg (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\systemerrorfixer\Data\ac (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\systemerrorfixer\Data\em (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\systemerrorfixer\Data\oid (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\systemerrorfixer\Data\user (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
c:\documents and settings\Joann\application data\systemerrorfixer\Logs\update.log (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org
Database version: 5322
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18372
15/12/2010 1:30:05 PM
mbam-log-2010-12-15 (13-30-05).txt
Scan type: Quick scan
Objects scanned: 150430
Time elapsed: 8 minute(s), 58 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

kevinf80 · 15-Dec-2010, 02:58 PM #6

Hiya Jaclyn,

Yep Malwarebytes has done a good job for us, OK lets have a deeper look and see if anything is lurking. As follows please:

Step 1

Download

TFC to your desktop, from either of the following links
Link 1
Link 2

Make sure any open work is saved. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot.

TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Step 2

Download

OTL from any of the following links and save to your Desktop:

Link 1
Link 2
Link 3

Double click on the icon to run it. Vista and Windows 7 users right click and select Run as Administrator. Make sure all other windows are closed and to let it run uninterrupted.
In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".

Under the Custom Scan box paste this in

Code:

      netsvcs
      drivers32
      %SYSTEMDRIVE%\*.*
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
      %systemroot%\System32\config\*.sav
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your reply

Copy and paste OTL Txt and ExtrasTxt in your reply.

Step 3

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

What i`d like in your reply :-

OTL Txt
Extras Txt
Log from Security Checks
System update, any specific issues or concerns

Kevin

sugarjunkie2979 · 18-Dec-2010, 10:53 PM #7

Ok here are the first set of logs

OTL logfile created on: 18/12/2010 10:46:04 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Joann\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18372)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

502.00 Mb Total Physical Memory | 213.00 Mb Available Physical Memory | 42.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 28.32 Gb Total Space | 3.37 Gb Free Space | 11.90% Space Free | Partition Type: NTFS
Drive D: | 27.56 Gb Total Space | 27.30 Gb Free Space | 99.05% Space Free | Partition Type: NTFS
Drive E: | 4.07 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: JOANN-08B4D292C | User Name: Joann | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/18 22:41:16 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joann\Desktop\OTL.exe
PRC - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2008/11/24 22:38:42 | 000,185,872 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2008/05/23 07:58:34 | 000,594,600 | ---- | M] ( ) -- C:\WINDOWS\system32\lxducoms.exe
PRC - [2007/08/09 02:27:52 | 000,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/06/06 22:46:24 | 000,057,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
PRC - [2004/08/16 15:17:20 | 001,287,168 | ---- | M] (OSA Technologies Inc.) -- C:\Acer\eManager\anbmServ.exe

========== Modules (SafeList) ==========

MOD - [2010/12/18 22:41:16 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joann\Desktop\OTL.exe
MOD - [2006/08/25 10:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/05/23 07:58:34 | 000,594,600 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxducoms.exe -- (lxdu_device)
SRV - [2008/05/23 07:58:22 | 000,098,984 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxduserv.exe -- (lxduCATSCustConnectService)
SRV - [2007/08/09 02:27:52 | 000,073,728 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2005/07/25 14:25:18 | 000,491,520 | ---- | M] ( ) [On_Demand | Stopped] -- C:\WINDOWS\System32\lxcgcoms.exe -- (lxcg_device)
SRV - [2004/08/16 15:17:20 | 001,287,168 | ---- | M] (OSA Technologies Inc.) [Auto | Running] -- C:\Acer\eManager\anbmServ.exe -- (anbmService)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\Wbutton.sys -- (Wbutton)
DRV - [2007/05/20 11:02:56 | 000,094,064 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\k510mdm.sys -- (k510mdm)
DRV - [2007/05/20 11:02:56 | 000,085,408 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\k510mgmt.sys -- (k510mgmt) Sony Ericsson K510 USB WMC Device Management Drivers (WDM)
DRV - [2007/05/20 11:02:56 | 000,083,344 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\k510obex.sys -- (k510obex)
DRV - [2007/05/20 11:02:55 | 000,058,288 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\k510bus.sys -- (k510bus) Sony Ericsson K510 Driver driver (WDM)
DRV - [2007/05/20 11:02:55 | 000,008,336 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\k510mdfl.sys -- (k510mdfl)
DRV - [2007/01/23 15:45:00 | 000,034,576 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2007/01/23 15:45:00 | 000,033,296 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2006/12/03 23:30:22 | 000,012,464 | ---- | M] (Macrovision Europe Ltd) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CdaD10BA.SYS -- (CdaD10BA)
DRV - [2006/03/16 15:13:13 | 000,006,912 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV - [2005/04/19 09:40:52 | 002,317,504 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/04/07 18:08:46 | 000,078,208 | ---- | M] (Acer Value Labs, USA) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epm-shd.sys -- (EpmShd)
DRV - [2005/02/04 09:59:46 | 000,193,216 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/01/14 15:57:16 | 000,004,010 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\osanbm.sys -- (osanbm)
DRV - [2005/01/10 02:47:14 | 000,449,888 | R--- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2004/12/15 14:18:34 | 000,207,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/12/15 14:18:28 | 000,703,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/12/15 14:18:26 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/10/07 20:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/08/03 17:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/07/19 13:10:00 | 000,004,096 | ---- | M] (Acer Value Labs, USA) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epm-psd.sys -- (EpmPsd)
DRV - [2003/12/05 05:46:36 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2003/04/28 11:27:06 | 000,009,867 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\HOTKEY.sys -- (Hotkey)
DRV - [2000/12/19 18:29:52 | 000,002,343 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Launch Manager\POWERKEY.SYS -- (POWERKEY)

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2006/03/16 13:36:27 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/09/10 19:08:44 | 000,000,210 | -HS- | M] () -- C:\boot.ini
[2006/03/18 01:25:27 | 000,000,484 | ---- | M] () -- C:\CDFE.log
[2006/03/16 13:36:27 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/12/14 20:18:37 | 001,228,854 | ---- | M] () -- C:\fsqwr.bmp
[2010/12/18 22:39:42 | 526,897,152 | -HS- | M] () -- C:\hiberfil.sys
[2007/04/17 11:28:54 | 000,000,525 | ---- | M] () -- C:\hpfr3420.xml
[2007/04/17 11:28:53 | 000,003,248 | ---- | M] () -- C:\hpfr3425.log
[2006/03/16 13:36:27 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008/07/25 11:02:37 | 000,000,006 | ---- | M] () -- C:\ISACER.ID
[2009/10/17 12:23:19 | 000,000,140 | ---- | M] () -- C:\KEError log 10-17-2009 (11h34m53s).txt
[2008/05/17 10:31:06 | 000,006,610 | ---- | M] () -- C:\logfile
[2010/08/13 06:51:10 | 000,008,054 | ---- | M] () -- C:\lxcg.log
[2006/03/16 22:04:29 | 000,000,000 | ---- | M] () -- C:\lxcgfire.000
[2006/03/18 01:25:22 | 000,000,000 | ---- | M] () -- C:\lxcgfire.csv
[2006/03/16 22:05:09 | 000,000,867 | ---- | M] () -- C:\LXCGINST.000
[2006/03/18 01:25:59 | 000,000,867 | ---- | M] () -- C:\LXCGINST.csv
[2010/12/15 17:07:03 | 007,552,477 | ---- | M] () -- C:\lxcgscan.log
[2006/03/16 22:05:55 | 000,091,428 | ---- | M] () -- C:\lxcgunst.000
[2007/04/23 15:40:00 | 000,277,211 | ---- | M] () -- C:\lxcgunst.001
[2008/04/09 11:53:03 | 000,351,137 | ---- | M] () -- C:\lxcgunst.002
[2008/04/09 11:54:02 | 000,351,137 | ---- | M] () -- C:\lxcgunst.003
[2008/04/09 11:55:46 | 000,351,137 | ---- | M] () -- C:\lxcgUNST.004
[2008/11/10 13:48:09 | 000,359,129 | ---- | M] () -- C:\lxcgUNST.005
[2008/11/10 13:48:17 | 000,359,129 | ---- | M] () -- C:\lxcgUNST.006
[2008/11/10 13:48:46 | 000,359,129 | ---- | M] () -- C:\lxcgUNST.007
[2008/11/10 13:48:53 | 000,359,129 | ---- | M] () -- C:\lxcgUNST.008
[2008/11/10 13:49:14 | 000,359,129 | ---- | M] () -- C:\lxcgUNST.009
[2009/02/02 20:13:39 | 000,363,458 | ---- | M] () -- C:\lxcgUNST.010
[2009/02/02 20:13:48 | 000,363,458 | ---- | M] () -- C:\lxcgUNST.011
[2009/02/02 20:14:02 | 000,363,458 | ---- | M] () -- C:\lxcgUNST.012
[2009/02/02 20:29:02 | 000,363,458 | ---- | M] () -- C:\lxcgUNST.csv
[2006/03/16 13:36:27 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2004/08/04 07:00:00 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2010/12/18 22:39:40 | 792,723,456 | -HS- | M] () -- C:\pagefile.sys
[2006/03/28 16:25:37 | 000,000,322 | ---- | M] () -- C:\sorrySave.0
[2006/03/29 10:12:56 | 000,000,322 | ---- | M] () -- C:\sorrySave.1
[2007/09/16 23:00:27 | 000,000,232 | -H-- | M] () -- C:\sqmdata00.sqm
[2007/09/16 23:13:02 | 000,000,232 | -H-- | M] () -- C:\sqmdata01.sqm
[2007/09/17 00:17:45 | 000,000,232 | -H-- | M] () -- C:\sqmdata02.sqm
[2007/09/17 00:43:14 | 000,000,232 | -H-- | M] () -- C:\sqmdata03.sqm
[2007/09/17 02:54:35 | 000,000,232 | -H-- | M] () -- C:\sqmdata04.sqm
[2007/09/17 03:01:23 | 000,000,232 | -H-- | M] () -- C:\sqmdata05.sqm
[2007/09/17 10:54:40 | 000,000,232 | -H-- | M] () -- C:\sqmdata06.sqm
[2007/09/17 10:54:47 | 000,000,232 | -H-- | M] () -- C:\sqmdata07.sqm
[2007/09/18 10:40:34 | 000,000,232 | -H-- | M] () -- C:\sqmdata08.sqm
[2008/02/09 14:40:38 | 000,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2008/02/13 07:37:29 | 000,000,232 | -H-- | M] () -- C:\sqmdata10.sqm
[2008/05/04 16:37:29 | 000,000,232 | -H-- | M] () -- C:\sqmdata11.sqm
[2008/05/04 21:36:34 | 000,000,232 | -H-- | M] () -- C:\sqmdata12.sqm
[2008/05/19 21:33:00 | 000,000,232 | -H-- | M] () -- C:\sqmdata13.sqm
[2008/06/03 21:34:34 | 000,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2008/06/18 20:23:50 | 000,000,232 | -H-- | M] () -- C:\sqmdata15.sqm
[2008/07/04 18:42:10 | 000,000,232 | -H-- | M] () -- C:\sqmdata16.sqm
[2007/09/16 23:00:27 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2007/09/16 23:13:02 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2007/09/17 00:17:45 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2007/09/17 00:43:14 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2007/09/17 02:54:35 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2007/09/17 03:01:23 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2007/09/17 10:54:40 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2007/09/17 10:54:47 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2007/09/18 10:40:34 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2008/02/09 14:40:38 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2008/02/13 07:37:29 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2008/05/04 16:37:28 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2008/05/04 21:36:34 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2008/05/19 21:33:00 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2008/06/03 21:34:34 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2008/06/18 20:23:49 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2008/07/04 18:42:10 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2008/11/17 21:43:15 | 000,000,510 | ---- | M] () -- C:\updatedatfix.log
[2008/04/06 18:08:31 | 000,000,150 | ---- | M] () -- C:\YServer.txt

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2006/03/16 08:21:32 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2006/03/16 08:21:32 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2006/03/16 08:21:32 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install\\LastSuccessTime: 2008-09-13 07:07:47
< End of report >

sugarjunkie2979 · 18-Dec-2010, 11:00 PM #8

Next log,

Results of screen317's Security Check version 0.99.8
Windows XP Service Pack 2
Out of date service pack!!
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
McAfee Security Scan Plus
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 5
Out of date Java installed!
Adobe Flash Player 9.0.124.0
Adobe Reader 7.0.5
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
``````````End of Log````````````

Today a blue screen popped up I was not even using my laptop it was just sitting open and the blue screen I can't remember all of what it said ut the alarming part was where it said beginning dump of physical memory???
Does that mean the virus is still lurking?
Thanks again for all your help!!!

kevinf80 · 19-Dec-2010, 04:53 AM #9

Hello sugarjunkie2979,

You have not had a windows update since sept 2008, any reason for that? you have not updated to Service Pack 3 (SP3) Your Adobe reader and Flash Player are not current Java is similar. I dont see any dedicated Antivirus program and Windows Firewall is OFF...

To enable Windows Firewall, follow these steps:

1. Click Start, click Run, type Firewall.cpl and then click OK.
2. On the General tab, click On (recommended).
3. Click OK.

A blue screen of death can happen for many reasons. It may happen once and never again, or it may continue to happen:

1. Hardware Malfunction
2. Software Malfunction
3. Drivers are conflicting with software
4. Drivers Corrupt
5. Missing or corrupt windows files
6. Malware

Run the following scans and post the logs in your reply:

Step 1

Please download this program Blue Screen Viewer and unzip "Bluescreen View.exe" to your desktop.
Next, Right click on "My Computer" and select "Properties" select "Advanced Tab." From the "Start up and Recovery" section select "settings" make sure the default folder is "%SystemRoot%\Minidump".
Go back to your desktop and double click on Bluescreen Viewer to run it, if there is any info available the program will grab the most recent. Choose save from the Toolbar and copy paste to your next reply. If there is no information available try and re-create the BSOD and try again with the tool to collect the information.

Step 2

Please run the MGA Diagnostic Tool and post back the report it creates:

Download MGADiag to your desktop.
Double-click on MGADiag.exe to launch the program
Click "Continue"
Ensure that the "Windows" tab is selected (it should be by default).
Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
Paste the MGA Diagnostic Report back here in your next reply.

Post the logs from Blue screen viewer and MGA in your reply.

Kevin

sugarjunkie2979 · 19-Dec-2010, 08:35 AM **#10**

Thank you I will do all that but just wondering what do you mean by windows update? I am not all that knowledgable about computers and greatly appreciate your help

Also does that mean I should update the adobe java and flash player too? Where do I find these updates? Thanks

sugarjunkie2979 · 19-Dec-2010, 08:38 AM **#11**

Also what is service pack 3?
Thanks

kevinf80 · 19-Dec-2010, 08:53 AM **#12**

Microsoft releases updates on the second Tuesday of every month, these are security and enhancement related. Windows XP Service Pack 3 (SP3) is the final Windows XP service pack, a collection of previously-released fixes and product enhancements, as well as a few new features that are unique to this release.
Without all current Service packs and updates your system is vulnerable to infection. The same goes for any Utility or Security application, updates are released to try and stay one step ahead of malware writers. I`ll give you links to Java and Adobe later.
I need to see the results of the scans i`ve asked you to complete.

Kevin

sugarjunkie2979 · 19-Dec-2010, 10:00 AM **#13**

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-48673-P3F7M-Q3B8M
Windows Product Key Hash: G1xEtP84iYGqB6D4khOu+/tPVlE=
Windows Product ID: 76477-OEM-2168236-09388
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010300.2.0.hom
ID: {7A29E2AA-7ED1-4E82-8B31-227AE9DEDB4A}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.7.17.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A
Windows XP Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.7.17.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 100 Genuine
Microsoft Word 2002 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{7A29E2AA-7ED1-4E82-8B31-227AE9DEDB4A}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.2.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-Q3B8M</PKey><PID>76477-OEM-2168236-09388</PID><PIDType>3</PIDType><SID>S-1-5-21-823518204-884357618-839522115</SID><SYSTEM><Manufacturer>Acer</Manufacturer><Model>Aspire 3610</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies LTD</Manufacturer><Version>V1.07 </Version><SMBIOSVersion major="2" minor="31"/><Date>20050926000000.000000+000</Date></BIOS><HWID>4A7C3407018400D2</HWID><UserLCID>1009</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.7.17.0"/><File Name="WgaLogon.dll" Version="1.7.17.0"/></GANotification></MachineData> <Software><Office><Result>100</Result><Products><Product GUID="{911B0409-6000-11D3-8CFE-0050048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Word 2002</Name><Ver>10</Ver><Val>9CF5E85BB9ACDFA</Val><Hash>1Ggu41R2+mA+9tA2HepOcmjwtV0=</Hash><Pid>54189-OEM-1650002-00509</Pid><PidType>16</PidType></Product></Products><Applications><App Id="1B" Version="10" Result="100"/></Applications></Office></Software></GenuineResults>
Licensing Data-->
N/A
Windows Activation Technologies-->
N/A
HWID Data-->
N/A
OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 178A0:Acer Incorporated
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005
OEM Activation 2.0 Data-->
N/A
==================================================
Dump File : Mini121410-02.dmp
Crash Time : 14/12/2010 8:19:29 PM
Bug Check String : CRITICAL_OBJECT_TERMINATION
Bug Check Code : 0x000000f4
Parameter 1 : 0x00000003
Parameter 2 : 0x82c03748
Parameter 3 : 0x82c038bc
Parameter 4 : 0x805c773e
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+21aef
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.3093 (xpsp_sp2_gdr.070227-2254)
Processor : 32-bit
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121410-02.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
==================================================
I can't locate the results of the other MGA diagnostic I can't find where the clipboard is? I did a search online and it said in system 32 folder but I dont have one??

kevinf80 · 19-Dec-2010, 12:49 PM **#14**

Hiya jaclyn,

Proceed as follows please :-

Step 1

Re-open to run it. (Vista and Win 7 users, right click on OTL and "Run as administrator")
Click on the button.
Click Yes to begin the cleanup process and remove tools, including this application
You may be asked to reboot the machine to finish the cleanup process - if so, choose Yes

Step 2

Uninstall the following from Add/Remove Programs via Start > Control Panel :-

Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 5
Adobe Flash Player 9.0.124.0
Adobe Reader 7.0.5

Step 3

You were using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version.
For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system.
The most current version of Sun Java is: Java Runtime Environment Version 6 Update 23.

Go to Sun Java
Select Windows 7/XP/Vista/2000/2003/2008
Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
Reboot your computer

Step 4

Go Here and get the SP3 installer, save it to your Desktop. Next,
Re-boot into safe mode and run the SP3 installer, once installed re-boot into Normal mode and check for updates. Keep re-booting and checking for updates until there are none left.

Step 5

Go Here and download Microsoft Security Essentials, once installed it will want to update and do a quick scan; allow that to happen. Let me know if it finds anything.

Post back when the above steps are completed, also tell me if you have any issues or concerns. There will be a few more steps for you to complete after this...

Kevin

sugarjunkie2979 · 19-Dec-2010, 07:42 PM **#15**

All steps completed except how do I check for windows updates??
Also my laptop is painfully slow now is there something I need to do to get it back to regular speed? Thanks again!

Similar Threads
Title	Thread Starter	Forum	Replies	Last Post
"Personal Security" has taken over my laptop	songuy	Virus & Other Malware Removal	1	08-Dec-2009 08:03 PM
Please Help Hazardous Virus Has Taken Over My Computer	steedastan15	Virus & Other Malware Removal	1	24-Jun-2008 09:31 AM
Please Help Hazardous Virus Has Taken Over My Computer	steedastan15	Virus & Other Malware Removal	0	23-Jun-2008 07:06 PM
Help! Album Art Has Taken Over My Music Folder!!	MeMa	Windows XP	1	22-Sep-2005 04:16 PM
[Solved] HELP PLEASE - About:Blank has taken over my browser	nontechie	Virus & Other Malware Removal	41	11-Sep-2004 04:28 PM

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Search
Search for:

Solved: Help! Security Tool has taken over my laptop!!

Find the solution to your computer problem!

Find the solution to your
computer problem!