Adobe Reader/Vista/IE malware? -- Impossible to follow instructions


FanTan14 (Thread Starter) - Joined Apr 6, 2013 - Messages: 23
My apologies that this is basically a duplicate post, but I've simplified it and given it a more descriptive title.

When I had trouble reading a PDF file, I tried downloading the latest version of Adobe Reader, and standard Google searches led me to a site with an installation package for something called Adobe Reader X 10.1.6. When I tried installing it, though, it just put out a "this is not a valid patch file" error message. I'd originally gotten this package using Chrome, but I got the same result using IE. When I tried to find an older version of Adobe Reader, though, I found a site with "old" versions that included version XI 11.0.2! That version installed with no problems and seemed to work correctly. When I tried to uninstall the X 10.2.6 version, though, it just put out the "this is not a valid patch file" error message. I couldn't find anything by the name Adobe Reader X with disk searches, and my attempt to delete it started some disk activity that DIDN'T STOP when I tried to shut my computer down, so I had to forcibly power down. I used my Neosmart Technologies Vista Repair Disk to try to restore my system, and neither the AVG 2013.0.3272 nor Clamwin 0.97.6 free virus-detection tools found any problems, but I still wasn't able to uninstall Adobe Reader X 10.1.6.

When I tried to follow suggestions on the TSG webpage, I found that I couldn't boot my system in safe mode -- the F8 key doesn't seem to do anything, even when I tried a never-used keyboard I had.

When I tried following the "Everyone MUST read this BEFORE posting for help in this forum" instructions, I never was able to complete the instructions regarding GMER. The GMER software never asked me whether I wanted to do a full scan, so I never unchecked anything on the right-hand side. I also didn't know how to interpret its output well enough to know whether it had warned me of "rootkit activity", with one exception that I'll describe shortly.

The first time I tried running GMER, it produced several lines of output, then stopped. I don't remember whether the Save button was active or not. Thinking I was following instructions, I clicked the Scan button. This started a long scanning process. My AVG and Clamwin tools both happened to start their scheduled weekly scans shortly after the GMER scan started, so I stopped both of them and restarted the GMER scan.

The second time I tried running GMER, it behaved, as best I remember, the same as the first time; I again clicked the Scan button to begin a long scanning process, then left to watch a movie. When I returned, my AVG 2013 software had identified the GMER software as malware, deactivated it, and asked me whether to allow it. When I clicked on "Allow", though, the AVG software seemed to hang, neither terminating nor saying that it had deleted the GMER software.

I then uninstalled my AVG and Clamwin software, deleted the GMER software on my desktop, deleted the log files that I'd earlier produced using HijackThis.exe and dds.scr, produced new log files with HijackThis.exe and dds.scr, and tried running the GMER software again.

The third time I tried running GMER, it produced two or three lines of output, the last line being, as I remember, something like "apparent rootkit activity detected in sector 0", but when I clicked the Scan button, it produced no more output in roughly an hour.

I tried deleting GMER, downloading it again, and running it again one or two more times, but it never produced any output.

I then used my Neosmart Technologies Vista repair disk again and tried following the "Everyone MUST read this BEFORE posting for help in this forum" instructions again, but GMER still didn't work.

So either I misunderstood the GMER instructions and screwed something up, or whatever malware I'm dealing with figured out how to disable GMER. (I would advise rewriting the GMER instructions to make them more explicit for minimal-sys-op-skill people like me.) The final log files I produced with HijackThis.exe and dds.scr, though, follow:

hijackthis.log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:29:06 AM, on 4/7/2013
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16470)
Boot mode: Normal

Running processes:
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\vsnp2uvc.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\EMET\EMET_notifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\Drive\googledrivesync.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Google\Drive\googledrivesync.exe
C:\Users\Brackin\Desktop\HijackThis.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1208&m=et1161-07
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1208&m=et1161-07
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer, optimized for Bing and MSN
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Partner BHO Class - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\partner.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [P2Go_Menu] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [snp2uvc] C:\Windows\vsnp2uvc.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [EMET Notifier] C:\Program Files\EMET\EMET_notifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Users\Brackin\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ehTray.exe] C:\windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Brackin\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Facebook Update] "C:\Users\Brackin\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
O4 - HKCU\..\Run: [GoogleDriveSync] "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3423416320-2911575123-2288992155-1007\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'UpdatusUser')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {7BABCBE7-ECFF-4EA0-A344-1DC32458A6ED} (NTR Plugin 1.2.4) - http://na.ntrsupport.com/inquiero/mod/setup/ntrplugin124v_30.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/pogop/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\windows\system32\browseui.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrlAPI - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
O23 - Service: GamesAppService - WildTangent, Inc. - C:\Program Files\WildTangent Games\App\GamesAppService.exe
O23 - Service: Google Update Service (gupdate1c997fa3617d700) (gupdate1c997fa3617d700) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.1.36\bin\mysqld.exe

--
End of file - 9811 bytes

dds.txt:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16470 BrowserJavaVersion: 10.17.2
Run by Brackin at 6:30:00 on 2013-04-07
.
============== Running Processes ================
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\nvvsvc.exe
C:\windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\windows\system32\nvvsvc.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\taskeng.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\windows\system32\SearchIndexer.exe
C:\Windows\System32\WUDFHost.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Google\Update\1.3.21.135\GoogleCrashHandler.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\vsnp2uvc.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\EMET\EMET_notifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\Drive\googledrivesync.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Drive\googledrivesync.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\InstallShield Installation Information\{7F811A54-5A09-4579-90E1-C93498E230D9}\setup.exe
C:\windows\system32\vssvc.exe
C:\windows\servicing\TrustedInstaller.exe
C:\windows\system32\SearchProtocolHost.exe
C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k rpcss
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k GPSvcGroup
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\System32\svchost.exe -k WerSvcGroup
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\System32\svchost.exe -k swprv
.
============== Pseudo HJT Report ===============
.
uWindow Title = Internet Explorer, optimized for Bing and MSN
uSearch Page = hxxp://search.live.com
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1208&m=et1161-07
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1208&m=et1161-07
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Partner BHO Class: {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - c:\programdata\partner\partner.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: Google Gears Helper: {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [cdloader] "c:\users\brackin\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\brackin\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Facebook Update] "c:\users\brackin\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [GoogleDriveSync] "c:\program files\google\drive\googledrivesync.exe" /autostart
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [P2Go_Menu] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [EMET Notifier] c:\program files\emet\EMET_notifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [eRecoveryService] <no file>
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {7BABCBE7-ECFF-4EA0-A344-1DC32458A6ED} - hxxp://na.ntrsupport.com/inquiero/mod/setup/ntrplugin124v_30.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://clubgames.pogo.com/online2/pogop/bejeweled2/popcaploader_v6.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{ABF127C2-0520-4364-BA2A-AAB26DA78954} : DHCPNameServer = 209.18.47.61 209.18.47.62
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
AppInit_DLLs= c:\progra~1\google\google~1\GOEC62~1.DLL
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\26.0.1410.43\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\brackin\appdata\roaming\mozilla\firefox\profiles\av91m596.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com/
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\users\brackin\appdata\roaming\mozilla\firefox\profiles\av91m596.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\brackin\appdata\roaming\mozilla\firefox\profiles\av91m596.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\14.2.0\npsitesafety.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\nuance\pdf reader\bin\nppdf.dll
FF - plugin: c:\program files\wildtangent games\app\browserintegration\registered\0\NP_wtapp.dll
FF - plugin: c:\users\brackin\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\users\brackin\appdata\local\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\users\brackin\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\brackin\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\users\brackin\appdata\roaming\mozilla\plugins\npo1d.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: 2013-04-04 13:23; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - ExtSQL: !HIDDEN! 2009-09-02 03:01; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R? BrlAPI;BrlAPI
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? GamesAppService;GamesAppService
R? GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150
R? gupdate1c997fa3617d700;Google Update Service (gupdate1c997fa3617d700)
R? MSSQLServerADHelper100;SQL Active Directory Helper Service
R? Partner Service;Partner Service
R? RsFx0103;RsFx0103 Driver
R? SkypeUpdate;Skype Updater
R? SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS)
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? ETService;Empowering Technology Service
S? FontCache;Windows Font Cache Service
S? Skype C2C Service;Skype C2C Service
S? TomTomHOMEService;TomTomHOMEService
.
=============== Created Last 30 ================
.
2013-04-07 06:20:03 -------- d---a-w- C:\boot
2013-04-06 09:44:06 6162704 ----a-w- c:\windows\system32\nvopencl.dll
2013-04-06 09:44:06 19915552 ----a-w- c:\windows\system32\nvoglv32.dll
2013-04-06 09:44:06 10919200 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2013-04-06 09:44:05 7754560 ----a-w- c:\windows\system32\nvcuda.dll
2013-04-06 09:44:05 2577184 ----a-w- c:\windows\system32\nvcuvid.dll
2013-04-06 09:44:05 1869088 ----a-w- c:\windows\system32\nvcuvenc.dll
2013-04-06 09:44:05 17560352 ----a-w- c:\windows\system32\nvcompiler.dll
2013-03-27 10:19:34 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-27 10:19:34 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-27 06:58:44 234 ----a-w- C:\Quarantine.reg
2013-03-27 06:58:44 -------- d-----w- c:\users\brackin\appdata\local\Facebook
2013-03-24 07:52:24 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-03-24 07:52:05 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2013-03-21 21:11:58 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-03-17 19:49:55 -------- d-----w- c:\users\brackin\appdata\roaming\TuneUp Software
2013-03-17 19:31:31 -------- d--h--w- c:\programdata\Common Files
2013-03-17 19:31:30 -------- d-----w- c:\users\brackin\appdata\local\MFAData
2013-03-17 19:31:30 -------- d-----w- c:\programdata\MFAData
.
==================== Find3M ====================
.
2013-03-06 15:48:45 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-06 15:48:41 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-03-06 15:48:41 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-02 03:38:35 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-02-02 03:30:32 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-02 03:30:21 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-02-02 03:26:47 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-02-02 03:26:21 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-02-02 03:23:28 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-01-31 11:21:23 892704 ----a-w- c:\windows\system32\nvdispgenco32.dll
2013-01-31 11:21:23 2446416 ----a-w- c:\windows\system32\nvapi.dll
2013-01-31 11:21:23 15413704 ----a-w- c:\windows\system32\nvd3dum.dll
2013-01-31 11:21:23 1010464 ----a-w- c:\windows\system32\nvdispco32.dll
2013-01-31 09:01:05 2859296 ----a-w- c:\windows\system32\nvsvc.dll
2013-01-31 09:01:04 3970848 ----a-w- c:\windows\system32\nvcpl.dll
2013-01-31 09:00:48 634656 ----a-w- c:\windows\system32\nvvsvc.exe
2013-01-31 09:00:48 62752 ----a-w- c:\windows\system32\nvshext.dll
2013-01-31 09:00:48 108832 ----a-w- c:\windows\system32\nvmctray.dll
.
============= FINISH: 6:33:01.73 ===============

attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 12/5/2008 10:35:30 PM
System Uptime: 4/7/2013 6:21:11 AM (0 hours ago)
.
Motherboard: eMachines | | MCP61PM-GM
Processor: AMD Athlon(tm) Dual Core Processor 4050e | Socket AM2 | 2100/201mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 288 GiB total, 190.206 GiB free.
D: is FIXED (NTFS) - 73 GiB total, 43.231 GiB free.
G: is Removable
H: is CDROM ()
I: is Removable
J: is Removable
K: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.6)
Adobe Reader XI (11.0.02)
Agere Systems PCI-SV92PP Soft Modem
Apple Application Support
Apple Mobile Device Support
Apple Software Update
BigFix
Bonjour
Brother MFL-Pro Suite
Cisco Connect
Compatibility Pack for the 2007 Office system
CyberLink LabelPrint
CyberLink Power2Go
Digital Media Reader
EasyBits GO
eMachines Games
eMachines Recovery Management
EMET
Facebook Video Calling 1.0.0.8953
Facebook Video Calling 1.2.0.287
GearDrvs
GIMP 2.8.4
GlassFish Server Open Source Edition 3.1
GlassFish Server Open Source Edition 3.1 b29
Google Chrome
Google Desktop
Google Drive
Google Earth
Google Gears
Google Talk Plugin
Google Update Helper
GPL Ghostscript 8.63
GSview 4.9
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB946344)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB948127)
Hotfix for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB951708)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB948127)
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB946344)
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB946581)
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB951708)
iCloud
iTunes
Java 7 Update 17
Java Auto Updater
Java DB 10.4.1.3
Java(TM) 6 Update 22
Java(TM) 6 Update 37
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Development Kit 6 Update 12
magicJack
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft IntelliPoint 6.2
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office File Validation Add-In
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office SharePoint Designer 2007 Service Pack 3 (SP3)
Microsoft Office Standard Edition 2003
Microsoft Office Suite Activation Assistant
Microsoft Office Visual Web Developer 2007
Microsoft Office Visual Web Developer MUI (English) 2007
Microsoft SQL Server 2008
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 Common Files
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 Management Objects
Microsoft SQL Server 2008 Native Client
Microsoft SQL Server 2008 RsFx Driver
Microsoft SQL Server 2008 Setup Support Files
Microsoft SQL Server Compact 3.5 SP1 Design Tools English
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft SQL Server Database Publishing Wizard 1.3
Microsoft SQL Server VSS Writer
Microsoft Visual Basic 2008 Express Edition with SP1 - ENU
Microsoft Visual C# 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Visual Studio Web Authoring Component
Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU
Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Web - enu
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
Microsoft Works
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Maintenance Service
MSDN Library for Visual Studio 2008 Express Editions SP1
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetBeans IDE 7.0
NVIDIA Control Panel 307.83
NVIDIA Drivers
NVIDIA Graphics Driver 307.83
NVIDIA Install Application
NVIDIA Update 1.10.8
NVIDIA Update Components
Objective Caml 3.11.0
OGA Notifier 2.0.0048.0
OpenOffice.org 3.4.1
PaperPort Image Printer
QuickTime
Realtek High Definition Audio Driver
ScanSoft PaperPort 11
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Visual Basic 2008 Express Edition with SP1 - ENU (KB2251487)
Security Update for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB2251487)
Security Update for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB2251487)
Security Update for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB2251487)
Service Pack 1 for SQL Server 2008 (KB968369)
Skype Click to Call
Skype™ 6.1
Sokoban YASC
Spelling Dictionaries Support For Adobe Reader 9
Sql Server Customer Experience Improvement Program
SQL Server System CLR Types
TomTom HOME
TomTom HOME Visual Studio Merge Modules
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Visual Studio Web Authoring Component (KB945140)
Update Installer for WildTangent Games App
USB2.0 UVC Camera
Vim 7.2 (self-installing)
WampServer 2.0
WildTangent Games App
Windows Live installer
Windows Live Mail
Windows Media Player Firefox Plugin
Windows NT Backup - Restore Utility
.
==== End Of File ===========================

And as I've described, I'm sorry but I was never able to produce an ark.txt file. If someone can tell me how to make GMER work on my computer again, then I'll be happy to give you an ark.txt file.
 

FanTan14

Thread Starter
Joined
Apr 6, 2013
Messages
23
Can someone get back to me on this, please? The TSG website led me to expect having to wait a day or two, but now it's been four days since my initial post on this problem. I'd hoped to have a clean computer before doing my taxes.
 

FanTan14

Thread Starter
Joined
Apr 6, 2013
Messages
23
I'll keep adding a "please reply" note every couple of days, even after it's too late to deal with the problem my initial post identified before doing my taxes.
 

FanTan14

Thread Starter
Joined
Apr 6, 2013
Messages
23
Time's growing short to do my taxes, so I couldn't wait for a reply any longer. I took things into my uninformed hands.

I first uninstalled every Adobe program except the "Adobe Reader X (10.1.6)" one whose uninstall operation fails; all the other Adobe programs uninstalled without any problems. I then downloaded a PDF reader from another company and deleted every file with "Adobe" or "adobe" in its full path-name named in the hijackthis.log, dds.txt, and attach.txt files given in my first post in this thread -- including "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe", which was difficult because it was initiated when my system boots up.

Despite all this, the "Adobe Reader X (10.1.6)" program still shows as being installed and trying to uninstall it still fails.

I then ran HijackThis.exe and dds.scr again, downloaded GMER again, and this time got the GMER scan to finish, as I'll explain shortly. Here's how the HijackThis.exe and dds.scr outputs changed, shown using a Cygwin "diff" command:

hijackthis.log changes:

2c2
< Scan saved at 6:29:06 AM, on 4/7/2013
---
> Scan saved at 1:40:01 AM, on 4/14/2013
4c4
< MSIE: Internet Explorer v9.00 (9.00.8112.16470)
---
> MSIE: Internet Explorer v9.00 (9.00.8112.16476)
8d7
< C:\windows\system32\taskeng.exe
9a9
> C:\windows\system32\taskeng.exe
13d12
< C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
16a16
> C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
21a22
> C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
22a24
> C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
24d25
< C:\Program Files\Windows Media Player\wmpnscfg.exe
26c27
< C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
---
> C:\Program Files\Windows Media Player\wmpnscfg.exe
29d29
< C:\windows\system32\SearchProtocolHost.exe
43c43
< O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
---
> O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (file missing)
65a66
> O4 - HKLM\..\Run: [Nuance PDF Reader-reminder] "C:\Program Files\Nuance\PDF Reader\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\PDF Reader\Ereg\Ereg.ini"
71a73
> O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe" -scheduler
90,91c92
< O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
< O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
---
> O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Unknown owner - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (file missing)
111c112
< End of file - 9811 bytes
---
> End of file - 9895 bytes

dds.txt changes:

2,3c2,6
< Internet Explorer: 9.0.8112.16470 BrowserJavaVersion: 10.17.2
< Run by Brackin at 6:30:00 on 2013-04-07
---
> Internet Explorer: 9.0.8112.16476 BrowserJavaVersion: 10.17.2
> Run by Brackin at 1:40:30 on 2013-04-14
> Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1270 [GMT -4:00]
> .
> SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
15d17
< C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
26d27
< C:\windows\system32\taskeng.exe
27a29
> C:\windows\system32\taskeng.exe
32d33
< C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
35a37
> C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
40a43
> C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
41a45
> C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
43d46
< C:\Program Files\Windows Media Player\wmpnscfg.exe
45,46c48
< C:\Program Files\Windows Media Player\wmpnetwk.exe
< C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
---
> C:\Program Files\Windows Media Player\wmpnscfg.exe
47a50
> C:\Program Files\Windows Media Player\wmpnetwk.exe
51a55
> C:\windows\system32\DllHost.exe
54c58
< C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
---
> C:\windows\system32\SearchFilterHost.exe
77c81
< BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
---
> BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -
88a93
> uRun: [ISUSPM] "c:\programdata\flexnet\connect\11\ISUSPM.exe" -scheduler
130c135
< mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\26.0.1410.43\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
---
> mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\26.0.1410.64\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
173,187c178,192
< R? BrlAPI;BrlAPI
< R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
< R? GamesAppService;GamesAppService
< R? GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150
< R? gupdate1c997fa3617d700;Google Update Service (gupdate1c997fa3617d700)
< R? MSSQLServerADHelper100;SQL Active Directory Helper Service
< R? Partner Service;Partner Service
< R? RsFx0103;RsFx0103 Driver
< R? SkypeUpdate;Skype Updater
< R? SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS)
< R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
< S? ETService;Empowering Technology Service
< S? FontCache;Windows Font Cache Service
< S? Skype C2C Service;Skype C2C Service
< S? TomTomHOMEService;TomTomHOMEService
---
> R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
> R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2013-1-31 3289208]
> R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2012-8-28 92632]
> S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
> S2 ETService;Empowering Technology Service;c:\program files\emachines\emachines recovery management\service\ETService.exe [2008-12-5 24576]
> S2 gupdate1c997fa3617d700;Google Update Service (gupdate1c997fa3617d700);c:\program files\google\update\GoogleUpdate.exe [2009-2-26 133104]
> S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-1-8 161536]
> S3 BrlAPI;BrlAPI;c:\cygwin\bin\cygrunsrv.exe [2009-2-26 68096]
> S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]
> S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
> S4 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-5 24064]
> S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
> S4 Partner Service;Partner Service;c:\programdata\partner\partner.exe [2009-2-25 110576]
> S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
> S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
190a196,203
> 2013-04-09 23:11:57 1082232 ----a-w- c:\windows\system32\drivers\ntfs.sys
> 2013-04-09 23:11:55 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe
> 2013-04-09 23:11:55 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe
> 2013-04-09 23:11:54 64000 ----a-w- c:\windows\system32\smss.exe
> 2013-04-09 23:11:54 49152 ----a-w- c:\windows\system32\csrsrv.dll
> 2013-04-09 23:11:53 2067968 ----a-w- c:\windows\system32\mstscax.dll
> 2013-04-09 23:11:52 376320 ----a-w- c:\windows\system32\winsrv.dll
> 2013-04-09 23:11:49 2049024 ----a-w- c:\windows\system32\win32k.sys
199,200d211
< 2013-03-27 10:19:34 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
< 2013-03-27 10:19:34 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
216,221c227,232
< 2013-02-02 03:38:35 1800704 ----a-w- c:\windows\system32\jscript9.dll
< 2013-02-02 03:30:32 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
< 2013-02-02 03:30:21 1129472 ----a-w- c:\windows\system32\wininet.dll
< 2013-02-02 03:26:47 142848 ----a-w- c:\windows\system32\ieUnatt.exe
< 2013-02-02 03:26:21 420864 ----a-w- c:\windows\system32\vbscript.dll
< 2013-02-02 03:23:28 2382848 ----a-w- c:\windows\system32\mshtml.tlb
---
> 2013-02-22 03:46:00 1800704 ----a-w- c:\windows\system32\jscript9.dll
> 2013-02-22 03:38:00 1129472 ----a-w- c:\windows\system32\wininet.dll
> 2013-02-22 03:37:50 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
> 2013-02-22 03:34:17 142848 ----a-w- c:\windows\system32\ieUnatt.exe
> 2013-02-22 03:34:03 420864 ----a-w- c:\windows\system32\vbscript.dll
> 2013-02-22 03:31:46 2382848 ----a-w- c:\windows\system32\mshtml.tlb
232c243
< ============= FINISH: 6:33:01.73 ===============
---
> ============= FINISH: 1:43:28.07 ===============

attach.txt changes:

10c10
< System Uptime: 4/7/2013 6:21:11 AM (0 hours ago)
---
> System Uptime: 4/14/2013 1:33:28 AM (0 hours ago)
17,18c17,18
< C: is FIXED (NTFS) - 288 GiB total, 190.206 GiB free.
< D: is FIXED (NTFS) - 73 GiB total, 43.231 GiB free.
---
> C: is FIXED (NTFS) - 288 GiB total, 189.57 GiB free.
> D: is FIXED (NTFS) - 73 GiB total, 44.688 GiB free.
32d31
< Adobe Flash Player 11 Plugin
34d32
< Adobe Reader XI (11.0.02)
157a156
> Nuance PDF Reader

When I ran GMER this time, it stopped without producing any output. I then unchecked "IAT/EAT" and "Quick Scan" on the right, checked "C" on the right, and clicked the "Scan" button. After several hours, the scan terminated successfully and produced the following output, which I put in a file named ark.txt:

Contents of ark.txt:

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-04-14 08:25:54
Windows 6.0.6002 Service Pack 2 \Device\Harddisk1\DR1 -> \Device\0000004a ST332081 rev.SD23 298.09GB
Running: 2gurgdsl.exe; Driver: C:\Users\Brackin\AppData\Local\Temp\uxdiyfog.sys


---- Kernel code sections - GMER 2.1 ----

? C:\Users\Brackin\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- EOF - GMER 2.1 ----

If anyone reads this, please post a reply. Otherwise, I'll just have to do my taxes on a computer containing some strange program that I can't delete, which I'd really, really, really hoped to avoid.
 

FanTan14

Thread Starter
Joined
Apr 6, 2013
Messages
23
I re-installed the AVG free virus scanner and ran a full-computer scan. This time it found and removed two copies of the JS/Agent virus in parts of my computer that haven't changed in a long time. The damned copy of "Adobe Reader X (10.1.6)" is still there, though, and trying to uninstall it still fails with an "invalid patch file" error.
 

FanTan14

Thread Starter
Joined
Apr 6, 2013
Messages
23
I'll keep posting follow-up notes every couple of days in the hope that someone eventually replies. I still want to know what that damned "Adobe Reader X (10.1.6)" thing is and how to get rid of it. If it's some kind of malware, then it has probably already stolen my social security number from my doing my taxes and maybe a password I use for some commercial accounts. I won't log in to my brokerage account, make a system back-up, or change a password again until it's gone and I have some idea what it was.
 

FanTan14

Thread Starter
Joined
Apr 6, 2013
Messages
23
As a point of curiosity, if no malware is involved, can't any Windows sys-op go easily from a Control Panel list of installed programs to the full path names of these programs' executable code? Isn't this just a matter of knowing how Control Panel produces its list of installed programs? If no malware is involved in my case, can't one of you tell me how to find and remove whatever's producing my Control Panel listing of program "Adobe Reader X (10.1.6)" that fails to uninstall?
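As an added example, not part of the thread and not a TSG tool: the Control Panel "Programs and Features" list is built from the registry Uninstall keys, so a script can walk those keys, trace each entry to its uninstaller on disk, and flag entries whose files are gone. The `Adobe Reader*` filter and the field names are assumptions for illustration.

```powershell
# Added example (not from the thread). Control Panel enumerates these Uninstall keys;
# an entry whose files were deleted by hand while the key was left behind is an "orphan".
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Pull the executable out of an UninstallString such as
#   "C:\Program Files\Foo\uninst.exe" /S      or      MsiExec.exe /I{GUID}
function Get-UninstallExe([string]$cmd) {
    if ([string]::IsNullOrEmpty($cmd)) { return $null }
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }   # quoted path
    if ($cmd -match '^\s*(\S+\.exe)') {                       # bare path or name
        $exe = $Matches[1]
        if ($exe -match '^msiexec(\.exe)?$') {
            return Join-Path $env:SystemRoot 'System32\msiexec.exe'
        }
        return $exe
    }
    return $null
}

$report = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem $key) {
        $p = Get-ItemProperty $sub.PSPath
        if (-not $p.DisplayName) { continue }   # hidden helper entries carry no name
        $exe = Get-UninstallExe $p.UninstallString
        $exeExists = ($exe -ne $null) -and (Test-Path -LiteralPath $exe)
        # For MSI products the uninstaller is always msiexec.exe, so also check
        # whether the recorded install directory is still present.
        $dirExists = [bool]$p.InstallLocation -and (Test-Path -LiteralPath $p.InstallLocation)
        $signer = 'n/a'
        if ($exeExists) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { [string]$sig.Status }
        }
        New-Object PSObject -Property @{
            Name             = $p.DisplayName
            Version          = $p.DisplayVersion
            Key              = $sub.PSChildName   # MSI installs use the product GUID here
            UninstallString  = $p.UninstallString
            InstallDir       = $p.InstallLocation
            UninstallerFound = $exeExists
            InstallDirFound  = $dirExists
            Signer           = $signer
        }
    }
}

# Narrow to the product in question (filter is an assumption). An entry whose
# uninstaller or install directory is missing is the orphan Control Panel still lists.
$report | Where-Object { $_.Name -like 'Adobe Reader*' } |
    Format-List Name, Version, Key, UninstallString, InstallDir, UninstallerFound, InstallDirFound, Signer
```

Run from an elevated PowerShell prompt; the Signer column reports the Authenticode subject only when the signature validates, otherwise the status (for example NotSigned).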
 

FanTan14

Thread Starter
Joined
Apr 6, 2013
Messages
23
I'll keep posting and waiting. Guys, what happens when you go to http://get.adobe.com/reader/ and download "Adobe Reader X (10.1.4)" into a safe environment? I didn't record the web address I downloaded from, but when I used the same process I just used to find http://get.adobe.com/reader/, I got something that wouldn't run, wouldn't uninstall, started some disk activity that didn't stop until I forcibly powered down my computer, and that I can't find. If it isn't malware, shouldn't I be able to find and remove it easily?
 

FanTan14

Thread Starter
Joined
Apr 6, 2013
Messages
23
Three other notes:
1. The website contains the line "Please note, depending on your settings, you may have to temporarily disable your antivirus software." Do legitimate Adobe websites contain such a warning? I don't remember from years of downloading Adobe products with no problems.
2. Links supposedly going to Adobe Reader XI were redirected to this Adobe Reader X download page. Would Adobe actually do such a thing?
3. I've recently uninstalled and re-installed my Chrome browser. What sort of malware could misdirect a fresh browser?
 

FanTan14

Thread Starter
Joined
Apr 6, 2013
Messages
23
Searching for "latest Adobe reader" in Bing gives me two websites:

One listed as --
Adobe - Adobe Reader download - All versions
which goes to http://get.adobe.com/reader/
but that page offers only "Adobe Reader X (10.1.4)" and warns that anti-virus software might need to be disabled.

The other, listed as --
PDF reader, PDF viewer | Adobe Reader XI
goes to http://www.adobe.com/products/reader.html,
but clicking on the "Download now" button goes to http://www.adobe.com/go/rx_reader_marquee1_reader_download?promoid=HRZAC,
which immediately goes to http://get.adobe.com/reader/?promoid=HRZAC,
which again offers only "Adobe Reader X (10.1.4)" and warns that anti-virus software might need to be disabled.

So whatever is causing links labeled as "Adobe Reader XI" and "Adobe Reader all versions" to go to a page offering only an "Adobe Reader X (10.1.4)" that neither runs nor uninstalls for me and is neither the latest version nor the XI version of Adobe Reader is doing this for both Bing and Google.

If Adobe is just broken, shouldn't it be easy for one of you sys-ops to tell me how to find and remove the "Adobe Reader X (10.1.4)" that I installed?
 

FanTan14

Thread Starter
Joined
Apr 6, 2013
Messages
23
The neighbor who recommended the TSG website to me told me that he got a reply quickly and it saved him about $200. So what does it take to get a reply here? Would links to Web articles saying that Adobe Reader has recently been used for spear-phishing attacks help? Are operating systems other than Vista more popular here? To repeat something I've said before, if anyone who isn't authorized to reply to the Virus & Other Malware Removal would send a personal note, then I'd appreciate it. I've asked two questions and received only one question in reply, which I answered. So what's the deal here?
 

FanTan14

Thread Starter
Joined
Apr 6, 2013
Messages
23
I'll keep posting updates for a month or two waiting for some sort of reply, either in a forum or one of the TSG website's Private Messages. So far, I've received no answers and been encouraged to download unsigned software.
 