Ace Spy problem

I ran a CA Yahoo! Anti-Spy scan two days ago and it detected Ace Spy 3.8 on my computer (Acer Aspire 9410Z laptop running Vista Home Premium). Before removing it, I ran full scans using SpyBot S&D, Windows Defender, AVG Anti-Spyware, and Avast! Antivirus - none of which detected the Ace Spy. I used CA to remove the Ace Spy, and now CA scans do not detect it, so I seem to be clean. I subsequently downloaded and ran SuperAntispyware, which found nothing. But I'm now wondering:

1. It's my understanding that somone must have physical access to a computer to load Ace Spy. Is this true? No one but me has physical access to my computer. Could it have snuck onto my computer when I downloaded something online?

2. CA indicated that Ace Spy was located in three registry keys, which are still there. Does the fact that they're still there indicate that the malware is still on my computer, or could those keys have been "cleaned" of the malware?

3. Is it significant that the other scans I ran before removing the Ace Spy didn't find it?

Also:

4. My System Restore has stopped working. I can make it work by running it in Safe Mode - and, yes, I know it works better in Safe Mode, anyway - but I've never had a problem running it normally. I've searched online and found many people whose Restore has stopped working, but no solutions other than "run it in Safe Mode." Why would it stop working, is there a fix, and could this problem be connected to the malware problem?

Thank you to anyone with the time and patience to respond to these concerns!

 

Hello and thank you for responding. I'm not sure this will be helpful, but I thought I'd do this before going through the READ & RUN ME FIRST process. I don't have a log of the scan, but I did note the registry keys for future reference. The CA scan simply listed the malware as "Ace Spy 3.8" and noted that it appeared in the following registry keys:

hkey_classses_root\interface\{4d6cc9b0-df77-11cf-8e74-00a0c90f26f8}\typelib
hkey_classses_root\interface\{27395f87-0c0c-101b-a3c9-08002b2f49fb}\typelib
hkey_classses_root\clsid\{27395f85-0c0c-101b-a3c9-08002b2f49fb}\inprocserver32

As I stated before, the keys themselves remain in my registry.

Your statement that a false positive is possible is intriguing, surprising, and frankly somewhat comforting, given that the alternative involves someone breaking into my apartment solely for the purpose of putting a keylogger on my computer - something that would be, to say the least, odd. I'm boring. I don't even have a crazy ex-girlfriend. Is there a short answer as to why the scan would falsely recognize a specific piece of malware?

In any case, if you think it best for me to do the full check, I'm happy to. I just want to be sure my computer's completely clean.

Again, thank you.

 

Okay, I'll get to work on the READ & RUN ME. In the meantime:

Yes, I'm sure no one else has ever had access to my computer.

AceSpy is not listed in my Add/Remove programs, nor does a search of my computer locate it.

I do frequent scans with the CA Anti-spy, just because it only takes a few seconds. I had done a couple on Monday afternoon and the only things that showed up were tracking cookies. Then Monday night I did another scan and the AceSpy appeared. During that interim I was alone with my computer. (I'd downloaded a movie online in that interim from a McAfee Site Advisor green site. That was how I thought at first that it had made its way onto my computer.) Could the AceSpy have been on my computer for some indefinite time before that, but, for some reason, wasn't detected by any scans?

Also, you wrote: I think it would be a good idea to run the complete READ & RUN ME so we can collect more info. However as noted above, a good commercial keylogger that is put in stealth mode will hide from view.

Does that mean that if it's on my computer, it still might not show up on the READ & RUN ME? If that's the case, then, in the end, how would I be sure it's gone?

 

Here are three of the scan logs.

 

Here's the ComboFix log. (And the CF quarantine log, as well - don't know if you need it.) One note: after ComboFix rebooted my machine, the blue window - saying that the window would close in a few seconds and a log would pop up - stayed up for about twenty minutes. I checked to see if there was a log in my C drive - there was - so I closed the window manually. Please let me know if I need to run the scan again.

(And per your note about a CA change - I did update the scanner recently, perhaps during that same time period.)

Thank you for this help.

 

Hi, Chas. I know I'm bumping myself, but I can't get back to this until tomorrow, anyway. Thought I'd let you know that my CA scan is, as of this afternoon, turning up:

1. Bifrost: hkey_current_user\software\wget
2. KaZaA: hkey_current_user\software\kazaa

And while we're at it, if you look at this and the scan logs and still feel that my CA scan has just started turning up false positives now for some reason, do you have a fix for it? Would there be any point in my continuing to use it? If not, which anti-spyware programs should I depend on? (Along with Windows Defender, I currently have the free versions of AVG, Spybot S & D, Threatfire, and avast! Antivirus.)

 

First, thank you for going over the logs and for your advice on this matter. It's good to know that my system hasn't been compromised.

Second, I'll remove the SUPERAntiSpyware, but should I remove the Malwarebytes, ComboFix, and MGTools, as well?

Third, I noticed in the hijackthis log - which I'm admittedly really inexperienced with - the entry "013 - Gopher Prefix:" This is okay?

Finally, I have a few questions regarding your last comments. I'll ask them here, but if you think it better I'll post them to the software forum.

Why should I not use Sandboxie and Threatfire? Did you mean both together, or either one? I'm unaware of their added "complexities." What are the problems they can cause? I'm certainly open to getting rid of them if it's better to do so - I just thought they were good extra protection.

The CA scan has up until recently been simply a very quick way to remove tracking cookies. But since it found the Bifrost and KaZaA - which were found by none of the other scanning I did for the READ & RUN - I'm thinking I should keep it. (Unless those were false positives as well!)

I looked into disabling Windows Defender, which doesn't seem to be of much use, anyway, but when I go into its Tools, then its Options, I'm not presented with the option for disabling it - I seem to be missing something there. I haven't encountered any problems before, but is it an issue that I have real-time protection from Defender, Threatfire, and avast! Antivirus all at the same time?

Again, thank you!

 

Done and done. Thank you very much for all the help!