If this were my system, where a major upgrade like Vista SP1 was installed while active serious malware and likely security software enabled existed, I would be concerned with some as yet unseen corruption having occurred. The amount of questionable software now installed there might be an issue, and the changes from one to another security software also an issue. Even running an experimental version of Firefox brings unknown corruption. And if any of the software is not from authorized sources, and to be square again, I sense little of it is, then you really are sorta not doing it right there.
Personally I would reformat this drive and reinstall, and get a fresh start. And not just due to malware, since we clean that here many times each day.
If you would like to continue with the repairs, and agree to make no other changes unless we discuss them here first, and no active use while this system is being repaired, then let's repeat the steps again.
Disable all security software, open and update Malwarebytes, and run a Complete Scan with that now. If it suggests a reboot, be sure to do that.
Then after the reboot run a new Deckards scan, as you have been doing, and post both those logs here for review please.
Hey Thomas, I reformatted my dad's laptop (the infected one) but according to msconfig msserver is still there; it's 99.999% better than it was though. Your help cleaning this last problem up would be appreciated. I will make no changes at all unless you say so, and I apologize again for making this clean up so difficult, but please be aware that this is not my laptop and I cannot be held responsible for what my father does on his laptop.
Not quite sure what you are referring to right now. Are there two computers you are addressing there? Is the HijackThis log from an entirely different computer (it appears to be very similar to what we have been working on)?
Not quite a reformat, since that would have removed the infection. I am assuming a repair/over-the-top reinstall instead. We'll go with the same procedures I ended the last post with - here are the steps again if you need the downloads again.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.
Download Malwarebytes' Anti-Malware from Here or Here.
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.
============================
Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Extra Log, uncheck all the boxes except this one:
Security Center
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
and here is the dss log:
Deckard's System Scanner v20071014.68
Run by Graham on 2008-06-05 19:58:11
Computer is in Normal Mode.
Total Physical Memory: 1014 MiB (1024 MiB recommended).
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window and select Paste. Then click the red MoveIt! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder, in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".
Go Here and download ATF Cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).
If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.
On Windows Vista, "Windows Temp" is disabled; to empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".
Then go here for an online AV scan. Follow all prompts to allow all ActiveX objects to install. If your AV alerts you while the scan installs, ignore this - Panda's ActiveScan method is often mistaken for infection activity.
When the scan completes do not click any of the disinfection links provided. Click the small "Export to:" button and save the log file to your desktop. Then copy the contents of that ActiveScan.txt file back here for review please.
Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Extra Log, uncheck all the boxes.
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
Post that along with the Panda log and the OTMoveIt log please.
It wasn't me, my dad must have ignored my warnings and tried to install something. If anything has changed I apologize, it's my dad. He's a git. Scan logs in a few minutes.
Here is a HijackThis log on the cleaned disk:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:12:23, on 04/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Windows Tooltip\VisualToolTip.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Users\Graham\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\igfxext.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {C3358EEC-7766-42D6-9C70-3DEE628961F2} - C:\Windows\system32\vtUkHwWo.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "c:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\Windows Tooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\jkkIayVp.dll,#1
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\tcsyuomd.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9676 bytes
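The helper's review of the HijackThis logs in this thread turns on a few concrete signals: O4 Run entries that start rundll32.exe on an 8-character random-looking DLL in system32 (jkkIayVp.dll, tcsyuomd.dll under the hex-named value [f02085f7]), an unnamed O2 BHO loaded from system32 (vtUkHwWo.dll), and the .ini2 files in the DSS "Files created" list whose names are a DLL name spelled backwards (oWwHkUtv.ini2 for vtUkHwWo.dll). As an added example that is not part of the thread or of any tool named in it, this Python script applies those checks to lines copied from the logs posted here; the thresholds and the reversed-name heuristic are my own assumptions, not rules the helper stated.

```python
import re

# Constructed sample: entries copied from the HijackThis log and the DSS
# "Files created" list posted in this thread, plus benign lines as controls.
HJT_LINES = [
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll",
    r"O2 - BHO: (no name) - {C3358EEC-7766-42D6-9C70-3DEE628961F2} - C:\Windows\system32\vtUkHwWo.dll",
    r"O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r"O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\jkkIayVp.dll,#1",
    r'O4 - HKLM\..\Run: [f02085f7] rundll32.exe "C:\Windows\system32\tcsyuomd.dll",b',
    r"O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')",
]
DSS_NEW_FILES = [
    r"C:\Windows\system32\SuENonnn.ini2",
    r"C:\Windows\system32\oWwHkUtv.ini2",
    r"C:\Windows\system32\wGNmmTwa.ini2",
    r"C:\Windows\system32\GDIPFONTCACHEV1.DAT",
    r"C:\Windows\nsreg.dat",
]

# A DLL reference: optional "C:\dir\dir\" prefix, then the file name.
DLL_TOKEN = re.compile(r'(?:([A-Za-z]:(?:\\[^\\",]+)*)\\)?([A-Za-z0-9_]+)\.dll\b', re.IGNORECASE)
# The value name inside an O4 entry: "...\Run: [MSServer] ...".
RUN_VALUE = re.compile(r'\\Run: \[([^\]]+)\]')
HEX8 = re.compile(r'^[0-9a-f]{8}$', re.IGNORECASE)


def case_transitions(name):
    """Count lower<->upper switches between adjacent letters of a file name."""
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def looks_random(name):
    """Assumed heuristic: the names seen in this thread are exactly 8
    alphanumeric characters with case flipping several times."""
    return len(name) == 8 and name.isalnum() and case_transitions(name) >= 3


def reversed_companions(new_files):
    """Map the lower-cased *reversed* stem of every system32 .ini/.ini2 file
    to its file name, so a DLL can be matched against a backwards-named twin."""
    out = {}
    for path in new_files:
        folder, _, fname = path.rpartition("\\")
        stem, _, ext = fname.rpartition(".")
        if folder.lower().endswith("\\system32") and ext.lower() in ("ini", "ini2"):
            out[stem[::-1].lower()] = fname
    return out


def triage(hjt_lines, new_files):
    """Return {dll_name: [reasons]} for each DLL reference that trips a signal."""
    companions = reversed_companions(new_files)
    findings = {}
    for line in hjt_lines:
        section = line.split(" - ", 1)[0]          # "O2", "O4", ...
        run_value = RUN_VALUE.search(line)
        for folder, name in DLL_TOKEN.findall(line):
            reasons = []
            in_system32 = folder.lower().endswith("\\system32")
            if in_system32 and looks_random(name):
                reasons.append("random-looking 8-character DLL name in system32")
            if (section == "O4" and "rundll32" in line.lower()
                    and run_value and HEX8.match(run_value.group(1))):
                reasons.append(f"rundll32 Run entry with hex value name [{run_value.group(1)}]")
            if section == "O2" and "(no name)" in line and in_system32:
                reasons.append("unnamed BHO loaded from system32")
            companion = companions.get(name.lower())
            if companion:
                reasons.append(f"reversed-name companion {companion} among newly created files")
            if reasons:
                findings.setdefault(name, []).extend(reasons)
    return findings


if __name__ == "__main__":
    for dll, reasons in triage(HJT_LINES, DSS_NEW_FILES).items():
        print(f"{dll}.dll")
        for reason in reasons:
            print("   -", reason)
```

Running it lists vtUkHwWo, jkkIayVp and tcsyuomd with their reasons and leaves the Google, Windows Defender and Welcome Center entries alone; a helper would still verify each hit rather than treat the heuristic as proof.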
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.
Download Malwarebytes' Anti-Malware from Here or Here.
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.
============================
Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Extra Log, uncheck all the boxes except this one:
Security Center
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
Post that along with the Malwarebytes log please.
Anyway, here is the Malwarebytes log:
Malwarebytes' Anti-Malware 1.14
Database version: 826
19:55:34 05/06/2008
mbam-log-6-5-2008 (19-55-34).txt
Scan type: Quick Scan
Objects scanned: 34742
Time elapsed: 3 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Users\Graham\Local Settings\Temporary Internet Files\Content.IE5\5R38A3YN\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
Deckard's System Scanner v20071014.68
Run by Graham on 2008-06-05 19:58:11
Computer is in Normal Mode.
Total Physical Memory: 1014 MiB (1024 MiB recommended).
-- HijackThis (run as Graham.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:58:16, on 05/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Windows Tooltip\VisualToolTip.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\igfxext.exe
C:\Users\Graham\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Users\Graham\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Graham.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "c:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\Windows Tooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9516 bytes
-- File Associations
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
R2 eLockService (eLock Service) - c:\acer\empowering technology\elock\service\elockserv.exe <Not Verified; Acer Inc.; Acer eLock Management>
R2 eNet Service - c:\acer\empowering technology\enet\enet service.exe <Not Verified; Acer Inc.; Acer eNet Management>
R2 eRecoveryService (eRecovery Service) - c:\acer\empowering technology\erecovery\erecoveryservice.exe <Not Verified; Acer Inc.; eRecoveryService>
R2 eSettingsService (eSettings Service) - c:\acer\empowering technology\esettings\service\capuserv.exe <Not Verified; ; Service>
R2 MobilityService - c:\acer\mobility center\mobilityservice.exe -p
R2 WMIService (ePower Service) - c:\acer\empowering technology\epower\epowersvc.exe <Not Verified; acer; Acer ePower Management>
-- Device Manager: Disabled
No disabled devices found.
-- Scheduled Tasks
2008-06-04 18:08:18 272 --a
C:\Windows\Tasks\Uniblue SpeedUpMyPC Nag.job
2008-06-04 17:38:24 394 --a
C:\Windows\Tasks\Uniblue SpeedUpMyPC.job
2008-06-04 13:52:58 490 --a
C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Graham.job
-- Files created between 2008-05-05 and 2008-06-05
2008-06-05 11:27:55 0 d C:\Users\All Users\Malwarebytes
2008-06-05 11:27:52 0 d C:\Program Files\Malwarebytes' Anti-Malware
2008-06-04 20:34:17 131072 --a C:\Windows\PreLaunch.exe <Not Verified; Wistron Corp.; PreLaunch>
2008-06-04 20:33:50 32768 --a C:\Windows\RUNXMLPL.EXE <Not Verified; Wistron Corp.; Wistron RunXMLPL>
2008-06-04 20:33:46 0 d C:\Windows\Lan
2008-06-04 20:15:38 1331 --ahs---- C:\Windows\system32\SuENonnn.ini2
2008-06-04 19:39:40 0 d C:\Windows\SoftwareDistribution
2008-06-04 19:39:29 0 d C:\Program Files\CONEXANT
2008-06-04 19:38:17 0 d C:\Windows\system32\Lang
2008-06-04 19:38:15 0 d C:\Intel
2008-06-04 19:04:46 1281 --ahs---- C:\Windows\system32\oWwHkUtv.ini2
2008-06-04 18:32:01 0 d C:\Program Files\MSXML 4.0
2008-06-04 18:18:44 0 d C:\Program Files\Trend Micro
2008-06-04 18:01:49 1450 --ahs---- C:\Windows\system32\wGNmmTwa.ini2
2008-06-04 17:53:58 0 --a C:\Windows\nsreg.dat
2008-06-04 17:38:00 0 d C:\Program Files\Uniblue
2008-06-04 16:57:22 8224 --a C:\Windows\system32\GDIPFONTCACHEV1.DAT
2008-06-04 16:23:53 0 d C:\Program Files\Microsoft Visual Studio 8
2008-06-04 16:14:15 0 d C:\Program Files\DAEMON Tools Lite
2008-06-04 15:49:23 0 d C:\Installed Games
2008-06-04 15:48:38 0 d-a C:\Users\All Users\TEMP
2008-06-04 15:45:07 0 d C:\Windows\Haunted Hotel
2008-06-04 15:45:06 0 d C:\Program Files\Haunted Hotel
2008-06-04 15:30:01 0 d C:\Program Files\Oberon Media
2008-06-04 15:18:30 717296 --a C:\Windows\system32\drivers\sptd.sys
2008-06-04 15:13:35 0 d C:\Windows\Dream Chronicles 2 - The Eternal Maze
2008-06-04 15:13:35 0 d C:\Program Files\Dream Chronicles 2 - The Eternal Maze
2008-06-04 15:07:13 0 d C:\Program Files\Microsoft Silverlight
2008-06-04 15:00:38 0 d C:\Program Files\Duke Nukem - Manhattan Project
2008-06-04 14:39:56 0 d C:\Program Files\Auslogics
2008-06-04 14:39:09 0 d--h C:\Users\All Users\{A850D4D9-871B-4234-908D-21C457767270}
2008-06-04 14:39:06 0 d C:\Program Files\Stardock
2008-06-04 14:28:42 0 d C:\Program Files\Lavasoft
2008-06-04 14:28:39 0 d C:\Users\All Users\Lavasoft
2008-06-04 14:27:11 0 d C:\Program Files\Common Files\Wise Installation Wizard
2008-06-04 14:21:42 0 d C:\Program Files\duke3d
2008-06-04 14:14:07 0 d C:\Program Files\Windows Tooltip
2008-06-04 13:57:18 0 d C:\Windows\Sprill - The Mystery of The Bermuda Triangle
2008-06-04 13:57:17 0 d C:\Program Files\Sprill - The Mystery of The Bermuda Triangle
2008-06-04 13:30:50 0 d C:\Windows\Agatha Christie - Death on the Nile {h33t} {oi812heet}
2008-06-04 13:30:50 0 d C:\Program Files\Agatha Christie - Death on the Nile {h33t} {oi812heet}
2008-06-04 13:23:33 0 --a C:\Windows\popcinfo.dat
2008-06-04 13:23:33 0 d C:\Program Files\PopCap Games
2008-06-04 13:17:22 0 d C:\Program Files\Kasparov Chessmate
2008-06-04 13:17:06 0 d C:\Program Files\ReflexiveArcade
2008-06-04 12:49:03 0 d C:\Users\All Users\Google
2008-06-04 12:48:30 0 d C:\Users\All Users\Google Updater
2008-06-04 12:48:25 0 d C:\Program Files\Google
2008-06-04 12:45:30 0 d C:\Users\All Users\Yahoo! Companion
2008-06-04 12:38:44 0 d C:\Program Files\uTorrent
2008-06-04 12:26:19 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-04 12:25:16 0 d C:\Program Files\Windows Live
2008-06-04 12:24:33 0 d C:\Users\All Users\WLInstaller
2008-06-04 12:18:40 0 d C:\Program Files\Yahoo!
2008-06-04 12:10:11 0 d C:\Program Files\Launch Manager
2008-06-04 12:08:40 327680 --a C:\Windows\system32\Remove_eRecovery.exe <Not Verified; Acer Inc.; >
2008-06-04 12:08:40 16384 --a C:\Windows\system32\LauncheRyAgentUser.exe <Not Verified; ; LauncheRyAgentUser>
2008-06-04 12:08:40 16384 --a C:\Windows\system32\ClearEvent.exe
2008-06-04 12:08:40 368640 --a C:\Windows\system32\CheckD2DSystem.exe <Not Verified; Acer Inc.; CheckD2DSystem.exe>
2008-06-04 12:08:05 6080 --a C:\Windows\system32\drivers\zntport.sys <Not Verified; Zeal SoftStudio; NTPort Library>
2008-06-04 12:08:05 8704 --a C:\Windows\system32\drivers\TVicPort64.sys <Not Verified; EnTech Taiwan; TVicPort Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
2008-06-04 12:08:05 14544 --a C:\Windows\system32\drivers\TVicPort.sys <Not Verified; EnTech Taiwan; TVicPort Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
2008-06-04 12:07:12 65536 --a C:\Windows\system32\NATTraversal.dll
2008-06-04 12:04:18 0 d C:\Windows\system32\i386
2008-06-04 12:01:50 90112 -ra C:\Windows\system32\eNetHook.dll <Not Verified; acer; acer eNetManagement>
2008-06-04 11:58:30 83554304 --a C:\Windows\system32\acer.scr
2008-06-04 11:58:06 40368034 --a C:\Windows\system32\acer.exe <Not Verified; Macromedia, Inc.; Shockwave Flash>
2008-06-04 11:57:58 0 d C:\Program Files\Acer Inc
2008-06-04 11:57:53 0 d C:\Windows\ACER
2008-06-04 11:50:00 0 d--hs---- C:\$RECYCLE.BIN
2008-06-04 11:49:13 0 dr C:\Users\Graham\Searches
2008-06-04 11:49:03 0 dr C:\Users\Graham\Contacts
2008-06-04 11:46:42 0 d--hs---- C:\Users\Graham\Templates
2008-06-04 11:46:42 0 d--hs---- C:\Users\Graham\Start Menu
2008-06-04 11:46:42 0 d--hs---- C:\Users\Graham\SendTo
2008-06-04 11:46:42 0 d--hs---- C:\Users\Graham\Recent
2008-06-04 11:46:42 0 d--hs---- C:\Users\Graham\PrintHood
2008-06-04 11:46:42 0 d--hs---- C:\Users\Graham\NetHood
2008-06-04 11:46:42 0 d--hs---- C:\Users\Graham\My Documents
2008-06-04 11:46:42 0 d--hs---- C:\Users\Graham\Local Settings
2008-06-04 11:46:42 0 d--hs---- C:\Users\Graham\Cookies
2008-06-04 11:46:42 0 d--hs---- C:\Users\Graham\Application Data
2008-06-04 11:46:41 0 dr C:\Users\Graham\Videos
2008-06-04 11:46:41 0 dr C:\Users\Graham\Saved Games
2008-06-04 11:46:41 0 dr C:\Users\Graham\Pictures
2008-06-04 11:46:41 1310720 --ahs---- C:\Users\Graham\NTUSER.DAT
2008-06-04 11:46:41 0 dr C:\Users\Graham\Music
2008-06-04 11:46:41 0 dr C:\Users\Graham\Links
2008-06-04 11:46:41 0 dr C:\Users\Graham\Favorites
2008-06-04 11:46:41 0 dr C:\Users\Graham\Downloads
2008-06-04 11:46:41 0 dr C:\Users\Graham\Documents
2008-06-04 11:46:41 0 dr C:\Users\Graham\Desktop
2008-06-04 11:46:41 0 d--h C:\Users\Graham\AppData
-- Find3M Report
2008-06-05 11:28:11 0 d C:\Users\Graham\AppData\Roaming\Malwarebytes
2008-06-04 18:53:27 0 d C:\Program Files\Windows Calendar
2008-06-04 18:36:55 0 d C:\Program Files\Windows Mail
2008-06-04 18:15:02 0 d C:\Program Files\Common Files\Symantec Shared
2008-06-04 17:58:04 0 d C:\Program Files\MSBuild
2008-06-04 17:53:30 0 d C:\Users\Graham\AppData\Roaming\Mozilla
2008-06-04 17:38:35 0 d C:\Users\Graham\AppData\Roaming\Uniblue
2008-06-04 17:32:47 0 d C:\Users\Graham\AppData\Roaming\uTorrent
2008-06-04 16:12:02 174 --ahs---- C:\Program Files\desktop.ini
2008-06-04 16:04:46 0 d C:\Program Files\Windows Sidebar
2008-06-04 15:30:04 0 d C:\Program Files\Common Files\Oberon Media
2008-06-04 15:18:28 0 d C:\Users\Graham\AppData\Roaming\DAEMON Tools
2008-06-04 15:02:29 0 d--h C:\Program Files\InstallShield Installation Information
2008-06-04 14:27:11 0 d C:\Program Files\Common Files
2008-06-04 13:52:15 0 d C:\Program Files\Norton Internet Security
2008-06-04 13:40:00 0 d C:\Users\Graham\AppData\Roaming\CyberLink
2008-06-04 13:28:55 0 d C:\Users\Graham\AppData\Roaming\Auslogics
2008-06-04 13:23:02 0 d C:\Users\Graham\AppData\Roaming\WinRAR
2008-06-04 13:00:52 0 d C:\Program Files\Symantec
2008-06-04 12:51:57 0 d C:\Users\Graham\AppData\Roaming\Google
2008-06-04 11:51:24 0 d C:\Users\Graham\AppData\Roaming\Macromedia
2008-06-04 11:49:05 0 d C:\Users\Graham\AppData\Roaming\Identities
-- Registry Dump
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/08/2007 19:40]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [21/03/2007 21:00]
"RtHDVCpl"="RtHDVCpl.exe" [06/07/2007 20:06 C:\Windows\RtHDVCpl.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [09/05/2007 22:09]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [21/11/2006 21:44]
"osCheck"="c:\Program Files\Norton Internet Security\osCheck.exe" [21/11/2006 21:42]
"Acer Tour"="" []
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [05/04/2007 00:26]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [05/04/2007 00:26]
"Persistence"="C:\Windows\system32\igfxpers.exe" [05/04/2007 00:26]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [25/04/2007 16:33]
"eRecoveryService"="" []
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [12/07/2007 03:52]
"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [05/11/2006 21:48]
"Acer Tour Reminder"="C:\Acer\AcerTour\Reminder.exe" [22/05/2007 23:49]
"VisualTooltip"="C:\Program Files\Windows Tooltip\VisualToolTip.exe" [06/12/2007 11:21]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [29/01/2008 17:38]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [04/06/2008 12:48]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c29e657a-3247-11dd-a8c6-0016d3ed3510}]
AutoRun\command- F:\SETUP.EXE
configure\command- F:\SETUP.EXE
install\command- F:\SETUP.EXE
*Newly Created Service* - COMHOST
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- End of Deckard's System Scanner: finished at 2008-06-05 19:59:09
Open OTMoveIt again.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or right-click and choose Copy):
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c29e657a-3247-11dd-a8c6-0016d3ed3510}]
AutoRun\command- F:\SETUP.EXE
configure\command- F:\SETUP.EXE
install\command- F:\SETUP.EXE
Return to OTMoveIt2, right-click in the "Paste List of Files/Folders to Move" window and select Paste. Then click the red MoveIt! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder, in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".
Go Here and download ATF Cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).
If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.
On Windows Vista, "Windows Temp" is disabled; to empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".
Then go here for an online AV scan. Follow all prompts to Allow all ActiveX objects to install. If your AV alerts you while the scan installs, ignore this - Panda's ActiveScan method is often mistaken for infection activity.
When the scan completes do not click any of the disinfection links provided. Click the small "Export to:" button and save the log file to your desktop. Then copy the contents of that ActiveScan.txt file back here for review please.
Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Extra Log, uncheck all the boxes.
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed, a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder.)
Post that along with the Panda log and the OTMoveIt log please.