IObit Forum

Please help I am so frustrated


Akasha


Hi, I am new to a lot of this, but not comp stupid. I recently found out *by admission* that my very soon to be X was accessing my computer remotely. So I bought the Advanced SystemCare program etc. I did a HijackScan, and this is what I got back. I don't want to delete the wrong items. Please help. Also, if there is anyone out there that can help me figure out how to completely remove his remote administration files, I would love you forever. I would like to have it all fixed before I move out next week if possible. *He works for a communication company.*

 

 

Logfile of IObit HijackScan v1.0.2.0

Scan saved at 6:21:36, on 2011-2-2

 

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\Ati2evxx.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe

C:\Windows\system32\Taskmgr.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\taskeng.exe

C:\Windows\System32\svchost.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\locator.exe

C:\Users\Kristy\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Kristy\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files\Application Updater\ApplicationUpdater.exe

C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe

C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe

C:\Program Files\IObit\IObit Security 360\is360.exe

C:\Program Files\IObit\IObit Security 360\is360tray.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\IObit\Advanced SystemCare 3\Awc.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Program Files\IObit\IObit Security 360\a_hijackscan.exe

C:\Users\Kristy\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Kristy\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Kristy\AppData\Local\Google\Chrome\Application\chrome.exe

 

O2 - BHO: IObit Toolbar - {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - C:\Program Files\IObit Toolbar\IE\4.1\iobitToolbarIE.dll

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O3 - Toolbar: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyn1.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: IObit Toolbar - {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} - C:\Program Files\IObit Toolbar\IE\4.1\iobitToolbarIE.dll

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [iObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: []

O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [searchSettings] "C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe"

O9 - Extra button: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} -

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}Java Plug-in 1.6.0_23 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}Java Plug-in 1.6.0_23 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}Java Plug-in 1.6.0_23 - http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

O23 - Service: AMD FUEL Service (AMD FUEL Service) - Advanced Micro Devices, Inc. - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe

O23 - Service: AMD Reservation Manager (AMD Reservation Manager) - Advanced Micro Devices - C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe

O23 - Service: Application Host Helper Service (AppHostSvc) - Unknown - %windir%\system32\svchost.exe

O23 - Service: Ati External Event Utility (Ati External Event Utility) - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown -

O23 - Service: Diagnostic Policy Service (DPS) - Unknown -

O23 - Service: Group Policy Client (gpsvc) - Unknown -

O23 - Service: Windows CardSpace (idsvc) - Unknown - %systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

O23 - Service: Net.Tcp Port Sharing Service (NetTcpPortSharing) - Unknown - %systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe

O23 - Service: Quality Windows Audio Video Experience (QWAVE) - Unknown - %windir%\system32\svchost.exe

O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown -

O23 - Service: Security Accounts Manager (SamSs) - Unknown -

O23 - Service: Secondary Logon (seclogon) - Unknown - %windir%\system32\svchost.exe

O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown -

O23 - Service: Windows Modules Installer (TrustedInstaller) - Unknown -

O23 - Service: Windows Process Activation Service (WAS) - Unknown - %windir%\system32\svchost.exe

O23 - Service: Diagnostic Service Host (WdiServiceHost) - Unknown -

O23 - Service: Diagnostic System Host (WdiSystemHost) - Unknown -

O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown - %ProgramFiles%\Windows Media Player\wmpnetwk.exe

O23 - Service: IS360service (IS360service) - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe

O23 - Service: Application Updater (Application Updater) - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe



Welcome to the forums, Akasha :wink:

 

Well, well... Let's find this *thing* and remove it, shall we?

 

I'm not seeing it in the HijackScan log you've provided, but don't worry: HijackScan doesn't show much anyway, so we'll look deeper and make a positive ID. Then we'll remove whatever was installed.

 

Please follow the instructions for Step #3 from the following post:

http://forums.iobit.com/showthread.php?t=6216

 

The forum here doesn't allow large posts, so you'll need two replies to show us the DDS logs. One reply per log, please (DDS.txt and Attach.txt).

 

See you soon :-)

 

===


dds.txt

 

DDS (Ver_10-12-12.01) - NTFSx86

Run by Kristy at 16:53:30.95 on Thu 02/03/2011

Internet Explorer: 9.0.7930.16406

Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1470.846 [GMT -7:00]

 

AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

 

============== Running Processes ===============

 

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\Ati2evxx.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe

C:\Program Files\Application Updater\ApplicationUpdater.exe

C:\Windows\System32\svchost.exe -k ipripsvc

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Windows\System32\svchost.exe -k LPDService

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe

c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

C:\Program Files\IObit\Game Booster\gbtray.exe

C:\Program Files\IObit\Smart Defrag 2\SmartDefrag.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\IObit\IObit Security 360\is360tray.exe

C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\system32\svchost.exe -k apphost

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\notepad.exe

C:\Users\Kristy\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Kristy\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Kristy\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Kristy\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Kristy\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Kristy\Downloads\dds.pif

C:\Windows\system32\wbem\wmiprvse.exe

 

============== Pseudo HJT Report ===============

 

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://facebook.com/

uURLSearchHooks: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - c:\program files\iobit toolbar\ie\4.1\iobitToolbarIE.dll

uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyn1.dll

uURLSearchHooks: H - No File

uURLSearchHooks: H - No File

uURLSearchHooks: H - No File

mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyn1.dll

BHO: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - c:\program files\iobit toolbar\ie\4.1\iobitToolbarIE.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: wit for ie: {75ed56af-4dc9-4243-a30c-4ef4dd0ca28f} - WitBHO Class

BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyn1.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: {9d425283-d487-4337-bab6-ab8354a81457} - Search Toolbar

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - No File

TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyn1.dll

TB: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - c:\program files\iobit toolbar\ie\4.1\iobitToolbarIE.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} -

TB: {23256F20-0D9B-4323-B005-6E5DE569C4B7} - No File

TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File

TB: {FE337D7B-1447-4780-9A52-48BDAC438235} - No File

TB: {7A5F72D2-9BBF-443F-9D35-26FC7E858E77} - No File

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"

mRun: [iObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart

mRun: [searchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

 

============= SERVICES / DRIVERS ===============

 

R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-2-3 15672]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]

R1 MpKslfbdecc7a;MpKslfbdecc7a;c:\programdata\microsoft\microsoft antimalware\definition updates\{f297b08d-2dc3-4f9e-a447-9d7bc2d11de8}\MpKslfbdecc7a.sys [2011-2-3 28752]

R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [2010-12-4 93544]

R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2011-1-4 284672]

R2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ati technologies\ati.ace\reservation manager\AMD Reservation Manager.exe [2010-6-17 140224]

R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2010-11-18 386560]

R2 iprip;RIP Listener;c:\windows\system32\svchost.exe -k ipripsvc [2010-7-21 21504]

R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2011-2-2 312152]

R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\ae1000va.sys [2010-7-19 836384]

R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2011-1-29 37944]

R3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-7-21 21504]

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 43392]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]

R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]

S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-7-21 54632]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]

 

=============== File Associations ===============

 

.scr=DWGTrueViewScriptFile

 

=============== Created Last 30 ================

 

2011-02-03 22:19:36 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{f297b08d-2dc3-4f9e-a447-9d7bc2d11de8}\MpKslfbdecc7a.sys

2011-02-03 12:50:08 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2011-02-03 12:50:08 135680 ----a-w- c:\windows\system32\XpsRasterService.dll

2011-02-03 12:50:07 979456 ----a-w- c:\windows\system32\MFH264Dec.dll

2011-02-03 12:50:07 797184 ----a-w- c:\windows\system32\FntCache.dll

2011-02-03 12:50:07 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll

2011-02-03 12:50:07 302592 ----a-w- c:\windows\system32\mfmp4src.dll

2011-02-03 12:50:07 261632 ----a-w- c:\windows\system32\mfreadwrite.dll

2011-02-03 12:50:07 219648 ----a-w- c:\windows\system32\d3d10_1core.dll

2011-02-03 12:50:07 161280 ----a-w- c:\windows\system32\d3d10_1.dll

2011-02-03 12:50:07 1174528 ----a-w- c:\windows\system32\d3d10warp.dll

2011-02-03 12:50:06 680960 ----a-w- c:\windows\system32\d2d1.dll

2011-02-03 12:50:06 1068032 ----a-w- c:\windows\system32\DWrite.dll

2011-02-03 08:33:53 15672 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys

2011-02-02 11:41:58 -------- d-----w- c:\program files\Application Updater

2011-02-02 11:41:56 -------- d-----w- c:\program files\common files\Spigot

2011-02-02 11:41:55 -------- d-----w- c:\program files\IObit Toolbar

2011-02-02 04:34:53 5890896 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{f297b08d-2dc3-4f9e-a447-9d7bc2d11de8}\mpengine.dll

2011-01-31 11:39:19 -------- d-----w- c:\program files\FoxTabMP4Converter

2011-01-30 09:47:26 439632 ------w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{944378c5-3b4e-4f50-81e4-04048ff4a7fa}\gapaengine.dll

2011-01-29 22:36:37 5890896 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll

2011-01-29 22:20:39 -------- d-----w- c:\program files\Microsoft Security Client

2011-01-29 22:19:17 221568 ----a-w- c:\windows\system32\drivers\netio.sys

2011-01-29 12:43:11 -------- d-----w- c:\users\kristy\appdata\local\AMD

2011-01-29 12:42:48 -------- d-----w- c:\users\kristy\appdata\local\ATI

2011-01-29 11:20:43 -------- d-----w- c:\progra~2\AMD

2011-01-29 11:20:09 37944 ----a-w- c:\windows\system32\drivers\amdiox86.sys

2011-01-29 11:19:39 -------- d-----w- c:\program files\ATI Technologies

2011-01-29 11:19:33 -------- d-----w- c:\program files\ATI

2011-01-29 11:18:23 -------- dc----w- C:\ATI

2011-01-29 10:24:30 -------- d-----w- c:\users\kristy\appdata\local\Zynga

2011-01-29 09:36:35 -------- d-----w- c:\users\kristy\appdata\roaming\IObit

2011-01-28 14:47:06 43520 ----a-w- c:\windows\system32\drivers\Rtnicxp.sys

2011-01-28 14:46:57 -------- d-----w- c:\program files\Realtek

2011-01-28 11:51:12 -------- d-----w- c:\progra~2\IObit

2011-01-28 11:51:10 -------- d-----w- c:\program files\IObit

2011-01-05 03:53:48 472808 ----a-w- c:\windows\system32\deployJava1.dll

 

==================== Find3M ====================

 

 

============= FINISH: 16:54:32.18 ===============

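An added example, not part of the thread and not an IObit or DDS tool: a Python script that makes a first triage pass over lines in the "Pseudo HJT Report" shape above, which is the same line format HijackThis produces. The sample lines are copied verbatim from the log posted above; the severity ratings, the list of trusted install locations and the list of remote-capable services are this example's own assumptions. Of the lines in this log, the one a practitioner would look at first is "mPolicies-system: EnableLUA = 0", which means User Account Control is switched off on this Vista machine. The script also flags the autorun entry that names ALCXMNTR.EXE without a path, the fsssvc (Windows Live Family Safety) service, the .scr association that no longer points at the Windows default handler, and the orphaned "No File" add-on entries.

```python
"""Triage pass over the 'Pseudo HJT Report' section of a DDS log (the same line
shapes HijackThis uses). Sample lines are copied from the log posted in this
thread; severities, trusted locations and the service list are this example's own."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# A subset of the DDS / HijackScan lines posted above, verbatim.
SAMPLE_LOG = r"""
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [searchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
O4 - HKLM|\Software\Microsoft\Windows\CurrentVersion\Run\: [AlcxMonitor] ALCXMNTR.EXE
mPolicies-system: EnableLUA = 0 (0x0)
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2010-11-18 386560]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
.scr=DWGTrueViewScriptFile
"""

@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str

# Where administrator-installed software normally lives (assumption).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "%windir%", "%systemroot%", "%programfiles%")
# Services that let someone other than the person at the keyboard watch or drive the machine.
REMOTE_CAPABLE_SERVICES = {
    "fsssvc": "Windows Live Family Safety; whoever configured it reviews web activity remotely",
    "termservice": "Remote Desktop", "remoteregistry": "Remote Registry",
}
# Windows defaults for extensions whose files execute when opened.
DEFAULT_HANDLERS = {".scr": "scrfile", ".exe": "exefile", ".bat": "batfile", ".com": "comfile"}

RE_PROTECTION = re.compile(r"^(?:AV|SP|FW): (?P<product>.+?) \*(?P<state>\w+)/\w+\*")
RE_RUN = re.compile(r"^(?:[mu]Run|O4 - .*?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
RE_SERVICE = re.compile(r"^[RS][0-4] (?P<name>[^;]+);[^;]*;(?P<path>.+?)(?: \[.*\])?$")
RE_ASSOC = re.compile(r"^(?P<ext>\.\w+)=(?P<handler>\S+)$")

def first_token(cmd: str) -> str:
    """Executable part of an autorun command line (honours a quoted path)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""

def is_qualified(path: str) -> bool:
    """Absolute path: a drive letter or an environment variable up front."""
    return re.match(r"^(?:[A-Za-z]:\\|%\w+%)", path) is not None

def is_trusted_location(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)

def triage_line(line: str) -> Optional[Finding]:
    line = line.rstrip()
    if line.endswith("- No File"):
        return Finding("low", "orphaned browser add-on entry; harmless, remove to cut noise", line)
    m = RE_PROTECTION.match(line)
    if m and m.group("state").lower() == "disabled":
        return Finding("low", f"protection product disabled: {m.group('product')}", line)
    if re.search(r"\bEnableLUA = 0\b", line):
        return Finding("high", "UAC disabled: anything running as this user silently has full admin rights", line)
    m = RE_RUN.match(line)
    if m:
        exe = first_token(m.group("cmd"))
        if exe and not is_qualified(exe):
            return Finding("medium", f"autorun [{m.group('name')}] names {exe} without a path; "
                           "it is resolved through the search path and can be hijacked", line)
        if exe and not is_trusted_location(exe):
            return Finding("medium", f"autorun [{m.group('name')}] starts from an unusual location: {exe}", line)
        return None
    m = RE_SERVICE.match(line)
    if m:
        name = m.group("name").strip()
        if name.lower() in REMOTE_CAPABLE_SERVICES:
            return Finding("medium", f"remote-capable service {name}: {REMOTE_CAPABLE_SERVICES[name.lower()]}", line)
        if not is_trusted_location(m.group("path").strip()):
            return Finding("medium", f"service {name} runs from outside Windows/Program Files; verify its publisher", line)
        return None
    m = RE_ASSOC.match(line)
    if m and DEFAULT_HANDLERS.get(m.group("ext").lower(), m.group("handler")) != m.group("handler"):
        return Finding("low", f"{m.group('ext')} files open with {m.group('handler')} instead of the Windows default", line)
    return None

def triage(log: str) -> List[Finding]:
    return [f for f in map(triage_line, log.splitlines()) if f is not None]

def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.severity for f in findings))

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: ("high", "medium", "low").index(f.severity)):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it as-is to see the sample triaged, or pass a whole DDS or HijackThis log to triage(). The check for service binaries outside Windows and Program Files generalises beyond this log and will also flag legitimate components such as the Microsoft Security Essentials definition driver under c:\programdata that appears further up, so read "medium" as "look at it", not "remove it".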

attach.txt

 

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

 

DDS (Ver_10-12-12.01)

 

Microsoft® Windows Vista™ Home Basic

Boot Device: \Device\HarddiskVolume1

Install Date: 7/18/2010 10:31:35 PM

System Uptime: 2/3/2011 2:59:32 PM (2 hours ago)

 

Motherboard: ASUSTek Computer INC. | | Amberine M

Processor: AMD Sempron Processor 3400+ | Socket 939 | 2000/200mhz

 

==== Disk Partitions =========================

 

C: is FIXED (NTFS) - 75 GiB total, 33.417 GiB free.

D: is CDROM ()

E: is CDROM (CDFS)

F: is Removable

G: is Removable

H: is Removable

I: is Removable

 

==== Disabled Device Manager Items =============

 

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: Microsoft Tun Miniport Adapter

Device ID: ROOT\*TUNMP\0000

Manufacturer: Microsoft

Name: Teredo Tunneling Pseudo-Interface

PNP Device ID: ROOT\*TUNMP\0000

Service: tunmp

 

Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}

Description: HP Photosmart 2600

Device ID: LPTENUM\HPPHOTOSMART_1115\4&351EB385&0&LPT1.4

Manufacturer: Hewlett-Packard

Name: HP Photosmart 2600

PNP Device ID: LPTENUM\HPPHOTOSMART_1115\4&351EB385&0&LPT1.4

Service: usbscan

 

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: WAN Miniport (L2TP)

Device ID: ROOT\MS_L2TPMINIPORT\0000

Manufacturer: Microsoft

Name: WAN Miniport (L2TP)

PNP Device ID: ROOT\MS_L2TPMINIPORT\0000

Service: Rasl2tp

 

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: WAN Miniport (Network Monitor)

Device ID: ROOT\MS_NDISWANBH\0000

Manufacturer: Microsoft

Name: WAN Miniport (Network Monitor)

PNP Device ID: ROOT\MS_NDISWANBH\0000

Service: NdisWan

 

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: WAN Miniport (PPPOE)

Device ID: ROOT\MS_PPPOEMINIPORT\0000

Manufacturer: Microsoft

Name: WAN Miniport (PPPOE)

PNP Device ID: ROOT\MS_PPPOEMINIPORT\0000

Service: RasPppoe

 

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: WAN Miniport (PPTP)

Device ID: ROOT\MS_PPTPMINIPORT\0000

Manufacturer: Microsoft

Name: WAN Miniport (PPTP)

PNP Device ID: ROOT\MS_PPTPMINIPORT\0000

Service: PptpMiniport

 

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: WAN Miniport (SSTP)

Device ID: ROOT\MS_SSTPMINIPORT\0000

Manufacturer: Microsoft

Name: WAN Miniport (SSTP)

PNP Device ID: ROOT\MS_SSTPMINIPORT\0000

Service: RasSstp

 

==== System Restore Points ===================

 

RP302: 2/2/2011 5:28:33 AM - Windows Modules Installer

RP304: 2/2/2011 9:21:29 AM - IObit Uninstaller RestorePoint

RP306: 2/2/2011 9:28:44 AM - IObit Uninstaller RestorePoint

RP308: 2/2/2011 9:33:42 AM - IObit Uninstaller RestorePoint

RP310: 2/2/2011 9:36:24 AM - IObit Uninstaller RestorePoint

RP312: 2/2/2011 9:38:07 AM - IObit Uninstaller RestorePoint

RP313: 2/3/2011 3:54:07 AM - Scheduled Checkpoint

RP314: 2/3/2011 5:49:38 AM - Windows Update

RP315: 2/3/2011 5:50:50 AM - Windows Update

RP317: 2/3/2011 3:39:42 PM - IObit Uninstaller RestorePoint

RP318: 2/3/2011 3:44:12 PM - Windows Modules Installer

 

==== Installed Programs ======================

 

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 9.3.4

Advanced SystemCare 3

AMD Fuel

ATI Catalyst Install Manager

ATI Catalyst Registration

Bejeweled Blitz

Catalyst Control Center - Branding

Catalyst Control Center Graphics Previews Common

Catalyst Control Center InstallProxy

ccc-core-static

ccc-utility

CCC Help English

Deepica

Endless Mahjong

Family Puzzle

Game Booster

Google Chrome

Great Mahjong

Haali Media Splitter

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Identity Patrol v2.0

IObit Security 360

IObit Toolbar v4.1

Jabber

Jasc Paint Shop Pro 9

Java Auto Updater

Java 6 Update 23

Junk Mail filter update

Lost Treasures Of El Dorado

Lovely Puzzle

Mahjong City

Microsoft .NET Framework 3.5 SP1

Microsoft Antimalware

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Security Client

Microsoft Security Essentials

Microsoft Sync Framework Runtime Native v1.0 (x86)

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319

MSVCRT

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

QuickTime

Realtek 8139 and 8139C+ Ethernet Network Card Driver for Windows Vista

Realtek AC'97 Audio

Smart Defrag 2

Solitaire Haven

The Lord of the Rings FREE Trial

Tibet Quest

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

WinAVI All in One Converter

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Family Safety

Windows Live Mail

Windows Live Messenger

Windows Live Movie Maker

Windows Live Photo Gallery

Windows Live Sign-in Assistant

Windows Live Toolbar

Windows Live Upload Tool

Windows Live Writer

Word Quest

Xml Viewer

Zynga Toolbar

 

==== End Of File ===========================


You bet :wink:

 

Thanks for those logs ; well done.

 

Just so you know, I'm taking it slow, meaning the DDS tool I had you run can see things, but not all deeply hidden programs/components. We have other tools for that. I just want to make sure we cover all the bases, step by step. So for now, a few more questions, if I may:

 

I can see one program installed that can be used for some mild spying, with remote access, and it's a legitimate Microsoft program that comes with "Windows Live Essentials"; the sub-program in question is named "Windows Live Family Safety".

This sub-program is offered whenever you download Windows Live, or upgrade Windows Live to a newer version.

 

Question #1: did you install and configure this parental control program within Windows Live?

 

Question #2: does your soon-to-be ex have his own account on your computer? If yes, is it an administrator-type account, and do you have access to that account if it is password protected?

 

Question #3: could you log into his Windows Live account if you had to, right now? Meaning, do you know his password? Don't share it with us if you know it, lol; a simple yes or no will do just fine :mrgreen:

 

Question #4: did he give you any specifics about what he was doing remotely, exactly? That parental control thing from Microsoft can allow a "parent" (whoever installed the thing, basically) to remotely monitor which web sites are accessed, from any browser under any account on the machine, but I don't believe it has keylogging or screen capture capabilities. More complex spy programs can do that, though.

 

Question #5: I see you have a program installed named "Identity Patrol v2.0", which is used to sniff out spy programs. Did you install this yourself? If you did, that's OK; it's fine then.

 

===

 

Once I've heard back from you on those questions, we'll get started. If you haven't installed the parental control thing yourself and don't need it, then we'll remove it. From there, we'll see if we need to dig deeper or not.

 

See you soon :-)


Here I am again. I forgot to mention one important thing: I have other basic stuff for you to look into, but I need to be sure of a few things first:

 

- Will you bring the Linksys AE1000 router with you when you move out ?

- Does your soon-to-be X still have access to your computer, from now until you move out?

 

I just need to be sure, because if he reads what we're doing here, he could quickly adapt and cover his tracks. Since I don't know what his real intentions are/were, I have to plan ahead, just in case...


Answers, and more info that might be useful

 

Ok, I am networked through a wireless Cisco router to my next door neighbors' connection that we split the bill for; the router, I do believe, is theirs. I will be taking the Cisco one with me; they may be one and the same, not sure. But the thing is my X works for Action Communications here in Tucson, AZ (actioncommunications.com). I did notice there is a connection hidden through hard wire, and a hidden administrator. I am the only one who uses this computer, other than my daughter once in a while when her laptop is charging. My X never uses this computer or has access to the password.

The thing is that when I first got the computer, he had his friend from work come over and *try to help me* get it set up. Keep in mind he is a person that does not want to do anything for me ever, so that alone struck me strange. He also installed a networking card at the time. I was not in the room the whole time because I went to make dinner, but when I did come back into the room my personal account was no longer there; he had made a new account, he said, for *both of us*. After that I could no longer access some files; I would get an access denied pop-up. So I was a bit angry and confronted him; denial on his behalf. So I went to format my disk and do a reinstall: access denied upon attempt to format. Needless to say, after a week of pulling my hair out, I was able to do what I believed to be a complete format and reinstall. Within two days it was all back to the same way. So I just left it the way it was, because every time I tried to uninstall something it would just reinstall on its own.

The main server for the Tucson area Internet is in the same building he works in. He is Microsoft certified, but claims to me to be computer *stupid*. Well, I am far from an idiot, so for a bit over a year now I have been trying to figure it all out on my own, with no luck. I do believe there is some kind of boot record to do with reinstalling everything. And does Azure mean anything to you??


Answers to your Questions:

 

1. I did not install or configure any parental programs on the computer or on Windows Live at all; I actually disabled them, or so I thought.

 

2. To my knowledge my X does not have any account on this computer; there should be my Admin account, KM, and the account I use mostly, which is the Kristy account. But there is a user account called Administrator.T00L????

T00L is the name of my computer; this account is in addition to the two accounts I created.

 

3. No, I do not know his password, but I am sure he does have an account at work; that is the only place he uses a computer. He is the main tech for the company but mainly programs radios and transmitters, FM stuff.

 

4. He did mention to me that when he gets done at the end of the day he logs on to see what I did and where I went online. I have seen stuff on here for screen capture, audio, etc. I also cannot access the *real* cmd.exe without using keyboard controls.

 

5. As far as Identity Patrol goes, I do not recall installing it, but I did recently do a forced uninstall. Not sure if it worked yet or not.

 

 

PS: I also cannot install IE 6 or higher; it seems the only browser I can use is IE 5?? And I did not install that. I do believe Vista comes with IE6 or 7.

 

 

Hope some of this helps; feel free to email me directly if need be :-) I forgot to mention, I see a lot of -1 on stuff and a lot of scripting and Visual Studio stuff. I personally did not install anything Visual Studio on here, if that helps.


Hi Akasha,

 

Thanks for all those details.

 

From what you're saying, it's possible that your X was merely using the Windows Live parental control thing to monitor your surfing. So we'll try to uninstall that (steps below). This could also explain the restrictions you've experienced trying to install/uninstall things.

 

I'm more worried about what the "friend" did, with that account for "the both of you". Vista has a hidden administrator account; very few people ever use it, and the account is disabled by default as well as hidden. That's the account you see (Administrator.T00L). He (the friend) enabled it, and that's highly suspicious. Can you access that account? If you can, we can disable it; if he password protected it and you can't get in, we'll need to weigh our options...

 

About the Linksys router. Here's what it looks like:

http://homestore.cisco.com/en-us/Adapters/Linksys-AE1000-Wirelessn-connector_stcVVproductId97826164VVcatId551966VVviewprod.htm

It connects through USB and the software for it is installed on your machine, so it has to be yours. I asked if you were taking it with you because we'll need to do a hard reset on it, but not now. If you reset it now, you may lose your (shared) connection, and it might prove difficult for the both of us to fix it via a forum. It needs to be reset because they (friend and X) may have configured it for remote access.

 

About Internet Explorer: what I see here is that you have IE9, which is still in Beta. This is the newest version available. Which version do you actually see when you open IE? I can't see IE9 in your list of installed programs, which I find really strange...

 

Identity Patrol is still showing in the list of programs, and it's hard to say whether you were successful in removing part of it or not.

 

"Azure" is a cloud computing service provided by Microsoft. Do you see this on your machine and if so, where ?

 

=====

 

First, let's try to remove the parental control program:

 

Control Panel > Programs > Programs and Features > Windows Live Essentials > click Uninstall/Change > click Uninstall > Uncheck the Family Safety Filter item > click Continue > Done.

 

Let me know how it went :wink:

 

===

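An added example to go with the account question above (not from the thread, and not an IObit tool): a Python script for Windows that lists the local accounts, marks which ones are members of Administrators, whether the built-in Administrator is enabled (it is disabled by default on Vista and later), and whether an account has been hidden from the Welcome screen through a zero DWORD named after it under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, then reads the two registry switches for Remote Desktop (fDenyTSConnections) and Remote Assistance (fAllowToGetHelp). It shells out to the stock "net" command, whose output layout is locale dependent; the sample outputs embedded below are constructed for an English install, reuse the account names mentioned in the thread, and show the built-in Administrator as enabled purely to exercise that flag.

```python
"""Audit local accounts and the remote-access switches on a Windows machine.
The parsers are kept separate from collection so the constructed sample output
below exercises them without a Windows machine."""
import re
import subprocess
from typing import Dict, List, Set

try:
    import winreg  # standard library, Windows only
except ImportError:  # elsewhere only the parsers are usable
    winreg = None

NET_FOOTER = "The command completed successfully."

# Constructed sample output (English locale); names are the ones given in the thread.
SAMPLE_NET_USER = """\
User accounts for \\\\T00L

-------------------------------------------------------------------------------
Administrator            Guest                    KM
Kristy
The command completed successfully.
"""
SAMPLE_NET_USER_ADMIN = """\
User name                    Administrator
Full Name
Account active               Yes
Last logon                   Never
Local Group Memberships      *Administrators
The command completed successfully.
"""
SAMPLE_LOCALGROUP = """\
Alias name     Administrators

-------------------------------------------------------------------------------
Administrator
KM
The command completed successfully.
"""

def names_after_rule(text: str) -> List[str]:
    """Names after the dashed rule in `net user` / `net localgroup` output. Columns
    are runs of spaces, so a name holding two consecutive spaces would be split."""
    names: List[str] = []
    past_rule = False
    for line in text.splitlines():
        if line.startswith("----"):
            past_rule = True
        elif past_rule and line.strip() and not line.startswith(NET_FOOTER):
            names.extend(re.split(r"\s{2,}", line.strip()))
    return names

def parse_net_user_detail(text: str) -> Dict[str, str]:
    """Two-column `net user <name>` output as a dict (split on 2+ spaces)."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.rstrip(), maxsplit=1)
        if len(parts) == 2:
            info[parts[0]] = parts[1]
    return info

def flag_account(name: str, info: Dict[str, str], admins: Set[str], hidden: bool) -> List[str]:
    """Properties worth a second look; pure, so testable offline."""
    flags = []
    if name.lower() in admins:
        flags.append("ADMIN")
    if hidden:
        flags.append("HIDDEN-FROM-LOGON")
    if name.lower() == "administrator" and info.get("Account active") == "Yes":
        flags.append("BUILTIN-ADMIN-ENABLED")  # disabled by default since Vista
    return flags

def run_net(*args: str) -> str:
    return subprocess.run(["net", *args], capture_output=True, text=True, check=False).stdout

def read_hklm_dword(key_path: str, value: str):
    """DWORD under HKLM, or None when the key or value does not exist."""
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            return winreg.QueryValueEx(key, value)[0]
    except OSError:
        return None

def audit() -> List[str]:
    admins = {m.lower() for m in names_after_rule(run_net("localgroup", "Administrators"))}
    report = []
    for name in names_after_rule(run_net("user")):
        info = parse_net_user_detail(run_net("user", name))
        # A DWORD 0 named after the account under SpecialAccounts\UserList hides it
        # from the Welcome screen and from User Accounts while it keeps working.
        hidden = read_hklm_dword(r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
                                 r"\SpecialAccounts\UserList", name) == 0
        report.append(f"{name:<20} active={info.get('Account active', '?'):<4} last logon="
                      f"{info.get('Last logon', '?'):<22} " + " ".join(flag_account(name, info, admins, hidden)))
    deny_rdp = read_hklm_dword(r"SYSTEM\CurrentControlSet\Control\Terminal Server", "fDenyTSConnections")
    allow_ra = read_hklm_dword(r"SYSTEM\CurrentControlSet\Control\Remote Assistance", "fAllowToGetHelp")
    report.append("Remote Desktop: " + ("denied" if deny_rdp == 1 else "ALLOWED or unknown"))
    report.append("Remote Assistance: " + ("ALLOWED" if allow_ra == 1 else "disabled or unknown"))
    return report

if __name__ == "__main__":
    print("\n".join(audit()) if winreg else "The live audit needs Windows; the parsers run anywhere.")
```

Run it from an ordinary command prompt on the machine being checked; reading these HKLM values and running "net user" need no elevation. It is a starting point, not proof of absence: an extra or un-hidden administrator shows up here, but remote control software running as a service or a scheduled task does not, which is what the deeper scans discussed above are for.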

Archived

This topic is now archived and is closed to further replies.
