Re: Need to know what is safe to delete.


Roger Karlsson

May 13, 2013, 8:50:39 AM
to freefix...@googlegroups.com
Hello Lynn,

Sorry for the delay. We've had some holidays here in Sweden.

I've examined your FreeFixer log but I could not see any malware. Did
the other anti-malware programs you have installed on your computer
detect and remove some unwanted software already? That could explain why
I can only see legitimate files and settings in the FreeFixer log.

/Roger

On 2013-05-07 19:12, lynn wrote:
> Hi,
> Someone remotely accessed my computer a few days ago and I think they
> have been very busy. The following is the log report I got from
> FreeFixer (which is awesome, btw). I will gladly donate what I can, but I'm
> pretty sure I have a keylogger and I don't want to access my bank or
> PayPal accounts via computer until I know it is safe to do so. I'm
> pretty sure they are monitoring visits to URLs. Any help would be
> appreciated.
> Thank you.
> FreeFixer v1.04 log
> http://www.freefixer.com/
> Operating system: Windows Vista Service Pack 2
> Log dated 2013-05-07 10:27
>
> AppInit_DLLs
> C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL (file is missing)
> Autorun.inf files
> e:\autorun.inf, open = Setup.exe
> Transport service providers (4 whitelisted)
> {2083D21F-4069-415A-A5BF-B981D95C649C} - C:\Windows\system32\nvLsp.dll
> {561A1E9F-D78B-40E3-866D-4CE5CF6BB83F} - C:\Windows\system32\nvLsp.dll
> Browser Helper Objects (11 whitelisted)
> {02478D38-C3F9-4efb-9B51-7695ECA05670}, , (no file specified)
> {5C255C8A-E604-49b4-9D64-90988571CECB}, , (no file specified)
> {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}, ShowBarObj Class, C:\Program
> Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
> Internet Explorer toolbars (3 whitelisted)
> HKLM\..\Toolbar\{5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - Acer
> eDataSecurity Management - C:\Program Files\Acer\Empowering
> Technology\eDataSecurity\x86\eDStoolbar.dll
> Internet Explorer extensions
> HKLM\..\Extensions\{0C4CC089-D306-440D-9772-464E226F6539} - Virtual
> Keyboard
> HKLM\..\Extensions\{219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - Blog This
> HKLM\..\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49} - Send to
> OneNote
> HKLM\..\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - Skype Plug-In
> HKLM\..\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - Research
> HKLM\..\Extensions\{CCF151D8-D089-449F-A5A4-D9909053F20F} - URLs check
> HKLM\..\Extensions\{DDE87865-83C5-48c4-8357-2F5B1AA84522} - Show or
> hide HP Smart Web Printing
> Basic Internet Explorer settings
> HKCU\..\Main, Search Page = http://www.google.com
> HKLM\..\Main, Default_Page_URL =
> http://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&s=1&o=vp32&d=1109&m=aspire_x1300
> HKCU\..\Desktop\General, Wallpaper =
> C:\Users\Arden\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows
> Photo Gallery Wallpaper.jpg
> Registry Startups (10 whitelisted)
> HKLM\..\Run, EmpoweringTechnology = C:\Program Files\Acer\Empowering
> Technology\Framework.Launcher.exe boot
> HKLM\..\Run, eDataSecurity Loader = C:\Program Files\Acer\Empowering
> Technology\eDataSecurity\x86\eDSloader.exe
> HKLM\..\Run, PCMMediaSharing = C:\Program Files\Acer Arcade Live\Acer
> HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
> HKLM\..\Run, Acer Product Registration = "C:\Program Files\Acer\Acer
> Registration\ACE1.exe" /startup
> HKLM\..\Run, Acer Assist Launcher = C:\Program Files\Acer\Acer
> Assist\launcher.exe
> HKLM\..\Run, QuickTime Task = "C:\Program Files\QuickTime\QTTask.exe"
> -atboottime
> HKLM\..\Run, ArcSoft Connection Service = C:\Program Files\Common
> Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
> HKCU\..\Run, Device Detection = C:\Program Files\FUJIFILM\MyFinePix
> Studio\dd.exe
> Processes (64 whitelisted)
> C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
> C:\Program Files\Acer Arcade Live\Acer HomeMedia
> Connect\Kernel\DMS\CLMSServer.exe
> C:\Program Files\Acer\Empowering
> Technology\eDataSecurity\x86\eDSService.exe
> C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
> C:\Program Files\CyberLink\Shared Files\RichVideo.exe
> C:\Program Files\bin32\nSvcAppFlt.exe
> C:\Program Files\bin32\nSvcIp.exe
> C:\Program Files\Acer\Empowering Technology\Framework.Launcher.exe
> C:\Program Files\Acer\Empowering
> Technology\eDataSecurity\x86\eDSLoader.exe
> C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
> C:\Program Files\FUJIFILM\MyFinePix Studio\dd.exe
> C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
> C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
> C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
> C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
> C:\Program Files\FreeFixer\freefixer.exe
> Services (77 whitelisted)
> ACDaemon, ArcSoft Connect Daemon, c:\program files\common
> files\arcsoft\connection service\bin\acservice.exe
> Acer HomeMedia Connect Service, Acer HomeMedia Connect Service,
> c:\program files\acer arcade live\acer homemedia
> connect\kernel\dms\clmsserver.exe
> eDataSecurity Service, eDataSecurity Service, c:\program
> files\acer\empowering technology\edatasecurity\x86\edsservice.exe
> ETService, Empowering Technology Service, c:\program
> files\acer\empowering technology\service\etservice.exe
> ForceWare Intelligent Application Manager (IAM), ForceWare Intelligent
> Application Manager (IAM), c:\program files\bin32\nsvcappflt.exe
> nSvcIp, ForceWare IP service, c:\program files\bin32\nsvcip.exe
> RichVideo, Cyberlink RichVideo Service(CRVS), c:\program
> files\cyberlink\shared files\richvideo.exe
> Svchost.exe Modules (229 whitelisted)
> C:\Windows\system32\nvLsp.dll
> c:\program files\hp\digital imaging\bin\hpqddsvc.dll
> c:\program files\hp\digital imaging\bin\hpqddcmn.dll
> c:\program files\hp\digital imaging\bin\hpqcxs08.dll
> C:\Program Files\HP\Digital Imaging\bin\hpocxi08.dll
> C:\Program Files\HP\Digital Imaging\bin\hpqcob08.dll
> c:\windows\system32\hpzinw12.dll
> c:\windows\system32\hpzipm12.dll
> Explorer.exe Modules (125 whitelisted)
> C:\Program Files\Acer\Empowering
> Technology\eDataSecurity\x86\PSDProtect.dll
> C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
> C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcBmh.dll
> Drivers (57 whitelisted)
> MpKslb39f2ab0, , c:\programdata\microsoft\microsoft
> antimalware\definition
> updates\{149a21e7-4fe9-4b7d-bd91-9aec35bb3659}\mpkslb39f2ab0.sys (file
> is missing)
> PSDFilter, PSDFilter, C:\Windows\system32\drivers\psdfilter.sys
> PSDNServ, PSDNServ, C:\Windows\system32\drivers\psdnserv.sys
> psdvdisk, PSDVdisk, C:\Windows\system32\drivers\psdvdisk.sys
> SASDIFSV, SASDIFSV, c:\program files\superantispyware\sasdifsv.sys
> SASKUTIL, SASKUTIL, c:\program files\superantispyware\saskutil.sys
> Firefox Extensions
> FireShot,
> C:\Users\Arden\AppData\Roaming\Mozilla\Firefox\Profiles\7fxqksm4.default-1350771489433\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\install.rdf
> Kaspersky URL Advisor, C:\Program Files\Mozilla
> Firefox\extensions\linkf...@kaspersky.ru_bak2\install.rdf
> Recently created/modified files (26 whitelisted)
> 20 hours, c:\Program Files\FreeFixer\Uninstall.exe
> 20 hours, c:\Users\Arden\Downloads\freefixersetup.exe
> 21 hours, c:\Users\Arden\AppData\Local\Temp\nso56F8.tmp\AccessControl.dll
> 1 day, c:\Program Files\Malwarebytes' Anti-Malware\7z.dll
> The following errors occurred during the scan:
> Problems opening folder 'c:\Windows\System32\LogFiles\WMI\RtBackup' to
> enumerate files. FindFirstFile failed. System error message: Access is
> denied. Error code: 5.
> An unexpected exception occurred in the Csrss.exe Memory Scan Plugin:
> QueryFullProcessImageName failed while trying to get a process full
> path. Process handle: 000005C0. System error message: A device
> attached to the system is not functioning. Error code: 31.
> End of FreeFixer log
