Infected with TDSSserv.sys


16 replies to this topic

#1 mattsdad


Posted 29 January 2009 - 11:02 PM

I've got a machine that I believe has had a virus. The system event log shows that Windows Defender found changes to the following on December 10, 2008:
Path Found: bho:HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5BF49A2-94F1-42BD-F434-3604812C807D}
Path Found: regkey:HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TDSSserv.sys;file:C:\Windows\system32\drivers\TDSSserv.sys
Path Found: runkey:HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\xsjfn83jkemfofght
Path Found: runkey:HKCU@S-1-5-21-2305850314-670001670-2916706878-1000\Software\Microsoft\Windows\CurrentVersion\Run\\xsjfn83jkemfofght
All were listed as "Alert Type: Unclassified software"
The system log shows that the machine then did an unplanned reboot.

I believe AVG found some instances of a "Lighty.???" (virtumonde???) trojan and removed it.
However, now this machine won't install update KB958215 and doesn't seem to allow a system restore operation. It shows an error code of 80070020 during a "Windows Update" for KB958215. I tried to download and install KB958215 manually and get the error message "Not enough storage is available to process this command."
Here is the DDS.txt report:

DDS (Ver_09-01-19.01) - NTFSx86
Run by tom at 21:35:28.82 on Thu 01/29/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013.215 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\taskeng.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Users\tom\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Windows\system32\taskeng.exe
C:\Users\tom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSEARCH PAGE = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\StartRegistryBooster.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [Acer Tour]
mRun: [SetPanel]
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
mRun: [eRecoveryService]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\users\tom\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll eNetHook.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-29 97928]
R3 AvgWfpX;AVG Free8 Firewall Driver x86;c:\windows\system32\drivers\avgwfpx.sys [2009-1-29 69128]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-29 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-29 231704]
S3 BXWZY;BXWZY;c:\users\tom\appdata\local\temp\BXWZY.exe [2009-1-19 412544]
S3 LKRKSV;LKRKSV;c:\users\tom\appdata\local\temp\LKRKSV.exe [2009-1-19 424832]

=============== Created Last 30 ================

2009-01-29 15:10 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-29 13:35 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-29 13:34 69,128 a------- c:\windows\system32\drivers\avgwfpx.sys
2009-01-29 13:34 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-29 13:34 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-29 13:34 <DIR> --d----- c:\program files\AVG
2009-01-29 13:34 <DIR> --d----- c:\programdata\avg8
2009-01-29 13:34 <DIR> --d----- c:\progra~2\avg8
2009-01-29 12:50 <DIR> --d----- c:\program files\Trend Micro
2009-01-28 22:51 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-01-28 22:51 425,472 a------- c:\windows\system32\PhotoMetadataHandler.dll
2009-01-28 22:51 712,704 a------- c:\windows\system32\WindowsCodecs.dll
2009-01-28 22:51 347,136 a------- c:\windows\system32\WindowsCodecsExt.dll
2009-01-28 22:51 147,456 a------- c:\windows\system32\Faultrep.dll
2009-01-28 22:51 125,952 a------- c:\windows\system32\wersvc.dll
2009-01-28 22:31 1,645,568 a------- c:\windows\system32\connect.dll
2009-01-18 23:15 <DIR> --d----- C:\SDFix
2009-01-18 22:59 <DIR> --d----- c:\users\tom\appdata\roaming\Uniblue
2009-01-18 21:18 <DIR> --d----- c:\programdata\NortonInstaller
2009-01-18 21:18 <DIR> --d----- c:\progra~2\NortonInstaller
2009-01-18 20:54 318,976 a------- c:\windows\system32\CF12256.exe
2009-01-15 23:31 2,048 a------- c:\windows\system32\tzres.dll
2009-01-15 18:27 288,768 a------- c:\windows\system32\drivers\srv.sys

==================== Find3M ====================

2009-01-15 18:22 2,710 a------- c:\windows\system32\TDSSfopt.dll
2009-01-06 20:25 20 ----h--- c:\programdata\PKP_DLec.DAT
2009-01-06 20:25 20 ----h--- c:\progra~2\PKP_DLec.DAT
2008-12-10 19:37 143,360 a------- c:\windows\inf\infstrng.dat
2008-12-10 19:37 86,016 a------- c:\windows\inf\infstor.dat
2008-12-10 19:37 51,200 a------- c:\windows\inf\infpub.dat
2008-10-31 21:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-10-31 21:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-10-31 21:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-10-31 21:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-10-31 21:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-31 21:44 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-09-30 20:30 174 a--sh--- c:\program files\desktop.ini
2008-09-30 20:17 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-10-21 22:00 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-10-21 22:00 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-10-21 22:00 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 21:37:25.82 ===============
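As an added example (not part of this post or of the DDS tool), the following Python script applies two defender-side checks to DDS-style log lines like those above: it parses the service/driver lines, the uRun/mRun lines and the Find3M file lines, then flags any binary that runs from a temp directory or carries a TDSS-prefixed file name, and lists the AppInit_DLLs value for manual review. The sample lines are a subset copied from the report above; the heuristics and the names triage, classify and first_path are my own assumptions, not anything the thread prescribes.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of lines copied from the DDS report above.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-29 97928]
S3 BXWZY;BXWZY;c:\users\tom\appdata\local\temp\BXWZY.exe [2009-1-19 412544]
S3 LKRKSV;LKRKSV;c:\users\tom\appdata\local\temp\LKRKSV.exe [2009-1-19 424832]
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
2009-01-15 18:22 2,710 a------- c:\windows\system32\TDSSfopt.dll
AppInit_DLLs: avgrsstx.dll eNetHook.dll
"""

# The three DDS line shapes we care about (assumed from the log format above).
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[")
RUN_RE = re.compile(r"^([um])Run:\s+\[([^\]]+)\]\s*(.*)$")
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+[\d,]+\s+\S+\s+(.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.*)$")


def first_path(cmdline):
    """Return the executable path from a Run value, handling quoted paths and arguments."""
    cmdline = cmdline.strip()
    if not cmdline:
        return None
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else None
    # Unquoted: keep everything up to the first .exe/.dll/.sys token.
    m = re.match(r"(.+?\.(?:exe|dll|sys))(?:\s|$)", cmdline, re.IGNORECASE)
    return m.group(1) if m else cmdline.split()[0]


def classify(path):
    """Defender heuristics for one binary path; returns the list of reasons it is suspicious."""
    reasons = []
    lower = path.lower().replace("/", "\\")
    name = PureWindowsPath(lower).name
    # Services and autoruns rarely belong in a user's temp folder.
    if "\\appdata\\local\\temp\\" in lower or "\\windows\\temp\\" in lower:
        reasons.append("binary lives in a temp directory")
    # The file-name prefix reported by the scanners in this thread.
    if name.startswith("tdss"):
        reasons.append("TDSS-prefixed file name")
    return reasons


def triage(log_text):
    """Walk DDS log lines and return findings as (kind, name, path, reasons) tuples."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SERVICE_RE.match(line)):
            kind, name, path = "service", m.group(2), m.group(4).strip()
        elif (m := RUN_RE.match(line)):
            kind, name, path = f"{m.group(1)}Run", m.group(2), first_path(m.group(3))
        elif (m := FILE_RE.match(line)):
            kind, name, path = "file", PureWindowsPath(m.group(1)).name, m.group(1)
        elif (m := APPINIT_RE.match(line)) and m.group(1).strip():
            # AppInit_DLLs are loaded into every user-mode process; always worth a look.
            findings.append(("appinit", "AppInit_DLLs", m.group(1).strip(),
                             ["review DLLs loaded into every process"]))
            continue
        else:
            continue
        if path is None:
            continue
        reasons = classify(path)
        if reasons:
            findings.append((kind, name, path, reasons))
    return findings


if __name__ == "__main__":
    for kind, name, path, reasons in triage(SAMPLE_LOG):
        print(f"[{kind}] {name}: {path} -> {'; '.join(reasons)}")
```

On the sample above the script flags the two services in the user's Temp folder and the TDSS-prefixed DLL, leaves the AVG driver and the legitimate Run entries alone, and lists the AppInit_DLLs value for review; the output is a triage aid for reading a log, not a verdict, and every hit still needs the kind of confirmation the helper in this thread asks for with further scans.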


#2 fenzodahl512


Posted 05 February 2009 - 11:30 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results into Notepad, save it, and attach it in this thread.


Post me these logs in your next reply.. Post each log in a separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 mattsdad


Posted 06 February 2009 - 12:31 AM

1) Here is the log from Malwarebytes:

Malwarebytes' Anti-Malware 1.33
Database version: 1733
Windows 6.0.6001 Service Pack 1

2/5/2009 11:01:29 PM
mbam-log-2009-02-05 (23-01-29).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 108658
Time elapsed: 1 hour(s), 50 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\tom\AppData\Local\Temp\TDSS46c0.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\TDSSdotf.log (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\TDSSfopt.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\TDSSsbxq.log (Trojan.TDSS) -> Quarantined and deleted successfully.

#4 mattsdad


Posted 06 February 2009 - 12:33 AM

2.) Here is the RSIT log.txt information:
Logfile of random's system information tool 1.05 (written by random/random)
Run by tom at 2009-02-05 23:08:08
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 27 GB (51%) free of 53 GB
Total RAM: 1013 MB (33% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:22 PM, on 2/5/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\tom\AppData\Local\Temp\RtkBtMnt.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\igfxext.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\tom\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\tom.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\StartRegistryBooster.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll eNetHook.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BXWZY - Sysinternals - www.sysinternals.com - C:\Users\tom\AppData\Local\Temp\BXWZY.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LKRKSV - Sysinternals - www.sysinternals.com - C:\Users\tom\AppData\Local\Temp\LKRKSV.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8041 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-01-29 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - Acer eDataSecurity Management - C:\Windows\system32\eDStoolbar.dll [2007-01-02 151552]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2006-11-30 4186112]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-10-22 815104]
"eDataSecurity Loader"=C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe [2007-01-02 464168]
"Acer Tour"= []
"SetPanel"= []
"LManager"=C:\PROGRA~1\LAUNCH~1\LManager.exe [2006-12-08 614400]
"Acer Product Registration"=C:\Program Files\Acer Registration\ACE1.exe [2006-12-13 3166208]
"Acer Assist Launcher"=C:\Program Files\Acer Assist\launcher.exe [2006-12-07 1261568]
"eRecoveryService"= []
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-12-27 155648]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2007-10-18 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2007-10-18 166424]
"Persistence"=C:\Windows\system32\igfxpers.exe [2007-10-18 133656]
"ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2005-08-11 249856]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-08-11 81920]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-01-29 1261336]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2009-01-14 399504]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-19 1233920]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]
"Search Protection"=C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe []
"ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2005-08-11 249856]
"Uniblue RegistryBooster 2009"=c:\program files\uniblue\registrybooster\StartRegistryBooster.exe []

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Empowering Technology Launcher.lnk - C:\Acer\Empowering Technology\eAPLauncher.exe
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\Users\tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll eNetHook.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2007-10-18 200704]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 3 months======

2009-02-05 23:08:08 ----D---- C:\rsit
2009-02-05 21:06:58 ----D---- C:\Users\tom\AppData\Roaming\Malwarebytes
2009-02-05 21:06:50 ----D---- C:\ProgramData\Malwarebytes
2009-02-05 21:06:50 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-29 15:10:03 ----HD---- C:\$AVG8.VAULT$
2009-01-29 13:35:00 ----A---- C:\Windows\system32\avgrsstx.dll
2009-01-29 13:34:39 ----D---- C:\Program Files\AVG
2009-01-29 13:34:38 ----D---- C:\ProgramData\avg8
2009-01-29 12:50:35 ----D---- C:\Program Files\Trend Micro
2009-01-28 22:53:25 ----A---- C:\Windows\system32\msshooks.dll
2009-01-28 22:53:25 ----A---- C:\Windows\system32\msscb.dll
2009-01-28 22:53:22 ----A---- C:\Windows\system32\thawbrkr.dll
2009-01-28 22:53:22 ----A---- C:\Windows\system32\SearchFilterHost.exe
2009-01-28 22:53:22 ----A---- C:\Windows\system32\propsys.dll
2009-01-28 22:53:22 ----A---- C:\Windows\system32\propdefs.dll
2009-01-28 22:53:22 ----A---- C:\Windows\system32\msstrc.dll
2009-01-28 22:53:22 ----A---- C:\Windows\system32\mssprxy.dll
2009-01-28 22:53:22 ----A---- C:\Windows\system32\mssitlb.dll
2009-01-28 22:53:22 ----A---- C:\Windows\system32\msshsq.dll
2009-01-28 22:53:21 ----A---- C:\Windows\system32\srchadmin.dll
2009-01-28 22:53:21 ----A---- C:\Windows\system32\korwbrkr.dll
2009-01-28 22:53:20 ----A---- C:\Windows\system32\xmlfilter.dll
2009-01-28 22:53:20 ----A---- C:\Windows\system32\wsepno.dll
2009-01-28 22:53:20 ----A---- C:\Windows\system32\rtffilt.dll
2009-01-28 22:53:20 ----A---- C:\Windows\system32\offfilt.dll
2009-01-28 22:53:20 ----A---- C:\Windows\system32\nlhtml.dll
2009-01-28 22:53:20 ----A---- C:\Windows\system32\mimefilt.dll
2009-01-28 22:53:19 ----A---- C:\Windows\system32\msscntrs.dll
2009-01-28 22:53:19 ----A---- C:\Windows\system32\chtbrkr.dll
2009-01-28 22:53:19 ----A---- C:\Windows\system32\chsbrkr.dll
2009-01-28 22:53:18 ----A---- C:\Windows\system32\tquery.dll
2009-01-28 22:53:18 ----A---- C:\Windows\system32\SearchProtocolHost.exe
2009-01-28 22:53:18 ----A---- C:\Windows\system32\SearchIndexer.exe
2009-01-28 22:53:17 ----A---- C:\Windows\system32\mssvp.dll
2009-01-28 22:53:17 ----A---- C:\Windows\system32\mssrch.dll
2009-01-28 22:53:17 ----A---- C:\Windows\system32\mssphtb.dll
2009-01-28 22:53:17 ----A---- C:\Windows\system32\mssph.dll
2009-01-28 22:51:54 ----A---- C:\Windows\system32\PortableDeviceApi.dll
2009-01-28 22:51:51 ----A---- C:\Windows\system32\PhotoMetadataHandler.dll
2009-01-28 22:51:50 ----A---- C:\Windows\system32\WindowsCodecsExt.dll
2009-01-28 22:51:50 ----A---- C:\Windows\system32\WindowsCodecs.dll
2009-01-28 22:51:12 ----A---- C:\Windows\system32\Faultrep.dll
2009-01-28 22:51:11 ----A---- C:\Windows\system32\wersvc.dll
2009-01-28 22:31:27 ----A---- C:\Windows\system32\connect.dll
2009-01-19 00:35:10 ----A---- C:\avenger.txt
2009-01-18 23:15:41 ----D---- C:\SDFix
2009-01-18 22:59:05 ----D---- C:\Users\tom\AppData\Roaming\Uniblue
2009-01-18 21:18:07 ----D---- C:\ProgramData\NortonInstaller
2009-01-18 20:54:05 ----A---- C:\Windows\system32\CF12256.exe
2009-01-18 20:53:49 ----A---- C:\Windows\system32\swsc.exe
2009-01-18 20:53:40 ----A---- C:\Bug.txt
2009-01-15 23:32:03 ----A---- C:\Windows\system32\mshtml.dll
2009-01-15 23:31:10 ----A---- C:\Windows\system32\tzres.dll
2009-01-13 22:10:24 ----SHD---- C:\Config.Msi
2008-12-11 21:05:00 ----D---- C:\ProgramData\Ultima_T15
2008-12-11 21:05:00 ----D---- C:\ProgramData\EnterNHelp
2008-12-11 17:36:26 ----A---- C:\Windows\system32\gdi32.dll
2008-12-11 17:30:00 ----A---- C:\Windows\system32\Apphlpdm.dll
2008-12-11 17:29:58 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2008-12-11 17:29:58 ----A---- C:\Windows\system32\gameux.dll
2008-12-11 17:29:44 ----A---- C:\Windows\system32\shell32.dll
2008-12-11 17:16:28 ----A---- C:\Windows\explorer.exe
2008-12-11 17:16:23 ----A---- C:\Windows\system32\mf.dll
2008-12-11 17:16:22 ----A---- C:\Windows\system32\WMVCORE.DLL
2008-12-11 17:16:21 ----A---- C:\Windows\system32\WMNetMgr.dll
2008-12-11 17:16:21 ----A---- C:\Windows\system32\logagent.exe
2008-12-10 20:25:15 ----A---- C:\Windows\ntbtlog.txt
2008-12-10 20:18:18 ----D---- C:\Windows\Minidump
2008-12-01 16:44:33 ----D---- C:\ProgramData\Yahoo!
2008-12-01 16:44:30 ----D---- C:\Users\tom\AppData\Roaming\Yahoo!
2008-11-19 16:57:18 ----A---- C:\Windows\system32\wups2.dll
2008-11-19 16:57:18 ----A---- C:\Windows\system32\wuauclt.exe
2008-11-19 16:57:17 ----A---- C:\Windows\system32\wucltux.dll
2008-11-19 16:57:17 ----A---- C:\Windows\system32\wuaueng.dll
2008-11-19 16:56:53 ----A---- C:\Windows\system32\wups.dll
2008-11-19 16:56:53 ----A---- C:\Windows\system32\wudriver.dll
2008-11-19 16:56:53 ----A---- C:\Windows\system32\wuapi.dll
2008-11-19 16:56:37 ----A---- C:\Windows\system32\wuwebv.dll
2008-11-19 16:56:37 ----A---- C:\Windows\system32\wuapp.exe
2008-11-12 15:38:33 ----A---- C:\Windows\system32\msxml3.dll
2008-11-12 15:38:29 ----A---- C:\Windows\system32\msxml6.dll
2008-11-10 10:48:30 ----A---- C:\Windows\system32\win32spl.dll

======List of files/folders modified in the last 3 months======

2009-02-05 23:08:22 ----D---- C:\Windows\Temp
2009-02-05 23:01:29 ----D---- C:\Windows\System32
2009-02-05 21:07:35 ----SHD---- C:\System Volume Information
2009-02-05 21:06:53 ----D---- C:\Windows\system32\drivers
2009-02-05 21:06:50 ----RD---- C:\Program Files
2009-02-05 21:06:50 ----HD---- C:\ProgramData
2009-02-05 21:05:47 ----D---- C:\Windows\system32\catroot2
2009-02-05 21:05:47 ----D---- C:\Windows\system32\catroot
2009-02-05 21:05:43 ----D---- C:\Windows\winsxs
2009-01-30 19:33:33 ----D---- C:\Windows\Prefetch
2009-01-29 13:34:18 ----SHD---- C:\Windows\Installer
2009-01-29 13:34:14 ----D---- C:\Program Files\Common Files\microsoft shared
2009-01-29 13:33:33 ----SD---- C:\Users\tom\AppData\Roaming\Microsoft
2009-01-29 13:33:33 ----D---- C:\Windows
2009-01-29 13:12:57 ----D---- C:\Windows\inf
2009-01-29 13:12:57 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-01-28 23:17:14 ----D---- C:\Windows\rescache
2009-01-28 22:57:34 ----D---- C:\Windows\system32\en-US
2009-01-28 22:57:34 ----D---- C:\Windows\PolicyDefinitions
2009-01-28 22:57:33 ----D---- C:\Windows\ehome
2009-01-26 21:38:18 ----D---- C:\MyWorks
2009-01-26 21:38:08 ----D---- C:\ProgramData\CyberLink
2009-01-18 22:17:26 ----D---- C:\Windows\system32\WDI
2009-01-15 23:33:33 ----D---- C:\ProgramData\Microsoft Help
2009-01-15 22:29:33 ----SD---- C:\ProgramData\Microsoft
2009-01-13 23:32:48 ----D---- C:\Windows\system32\wbem
2009-01-13 23:31:16 ----D---- C:\Windows\system32\migration
2009-01-13 23:31:16 ----D---- C:\Windows\AppPatch
2009-01-13 23:31:16 ----D---- C:\Program Files\Internet Explorer
2009-01-13 23:31:15 ----D---- C:\Windows\Tasks
2009-01-13 23:31:15 ----D---- C:\Windows\system32\spool
2009-01-13 23:31:15 ----D---- C:\Windows\system32\Msdtc
2009-01-13 23:31:00 ----D---- C:\Program Files\Yahoo!
2009-01-13 23:30:49 ----D---- C:\Windows\registration
2009-01-09 19:35:28 ----A---- C:\Windows\system32\mrt.exe
2008-12-11 17:31:13 ----D---- C:\Windows\Logs
2008-12-10 19:37:38 ----D---- C:\ProgramData\Trend Micro
2008-11-12 15:35:00 ----D---- C:\Users\tom\AppData\Roaming\Adobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2009-01-29 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2009-01-29 26824]
R1 DritekPortIO;Dritek General Port I/O; \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys [2006-11-02 20112]
R2 int15;int15; \??\C:\Acer\Empowering Technology\eRecovery\int15.sys [2006-12-07 76584]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 8192]
R3 athr;Atheros Extensible Wireless LAN device driver; C:\Windows\system32\DRIVERS\athr.sys [2007-12-11 761856]
R3 AvgWfpX;AVG Free8 Firewall Driver x86; C:\Windows\System32\Drivers\avgwfpx.sys [2009-01-29 69128]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-02 45056]
R3 Cam5607;Acer OrbiCam; C:\Windows\System32\Drivers\BisonC07.sys [2006-12-26 792368]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-18 14208]
R3 DKbFltr;Dritek Keyboard Filter Driver; C:\Windows\system32\DRIVERS\DKbFltr.sys [2006-11-02 21264]
R3 EMSCR;EMSCR; C:\Windows\system32\DRIVERS\EMS7SK.sys [2006-10-25 62208]
R3 ESDCR;ESDCR; C:\Windows\system32\DRIVERS\ESD7SK.sys [2006-10-25 42240]
R3 ESMCR;ESMCR; C:\Windows\system32\DRIVERS\ESM7SK.sys [2006-10-25 76928]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-11-08 986624]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2006-11-08 206848]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-10-18 2009088]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2006-11-30 1655464]
R3 NTIDrvr;Upper Class Filter Driver; C:\Windows\system32\DRIVERS\NTIDrvr.sys [2007-01-13 6144]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-18 88576]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2006-10-22 179896]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-11-08 659968]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-18 11264]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-18 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2006-11-02 200704]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-10-18 2009088]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-18 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-18 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-18 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-18 6016]
S3 UIUSys;Conexant Setup API; C:\Windows\system32\DRIVERS\UIUSYS.SYS []
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-18 83328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-01-29 875288]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-01-29 231704]
R2 eDataSecurity Service;eDataSecurity Service; C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe [2007-01-02 457512]
R2 eLockService;eLock Service; C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe [2006-12-22 24576]
R2 eNet Service;eNet Service; C:\Acer\Empowering Technology\eNet\eNet Service.exe [2006-12-28 126976]
R2 eRecoveryService;eRecovery Service; C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe [2006-12-28 49152]
R2 eSettingsService;eSettings Service; C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [2007-01-02 24576]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-12-14 61440]
R2 MobilityService;MobilityService; C:\Acer\Mobility Center\MobilityService.exe [2006-11-24 107008]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2006-07-19 262247]
R2 WMIService;ePower Service; C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [2007-01-02 135168]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-04 386560]
S3 BXWZY;BXWZY; C:\Users\tom\AppData\Local\Temp\BXWZY.exe [2009-01-19 412544]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 LKRKSV;LKRKSV; C:\Users\tom\AppData\Local\Temp\LKRKSV.exe [2009-01-19 424832]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

-----------------EOF-----------------

#5 mattsdad (Topic Starter)

Posted 06 February 2009 - 12:35 AM

3.) Here is the RSIT info.txt information:
info.txt logfile of random's system information tool 1.05 2009-02-05 23:08:28

======Uninstall list======

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B145EC69-66F5-11D8-9D75-000129760D75}\setup.exe" -uninstall
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B804C424-B66D-447A-84BD-C6B88C392C3A}\setup.exe" -uninstall
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F79A208D-D929-11D9-9D77-000129760D75}\setup.exe" -uninstall
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Acer Arcade Deluxe-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFBDC2B0-FAA8-4B78-8DE1-AEBE7958FA37}\setup.exe" -uninstall
Acer Assist-->C:\Program Files\Acer Assist\uninstall.exe
Acer eDataSecurity Management-->C:\Acer\Empowering Technology\eDataSecurity\eDSnstHelper.exe -Operation UNINSTALL
Acer eLock Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{116FF17B-1A30-4FC2-9B01-5BC5BD46B0B3}\setup.exe" -l0x9 -removeonly
Acer Empowering Technology-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB6097D9-D722-4987-BD9E-A076E2848EE2}\setup.exe" -l0x9 -removeonly
Acer eNet Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C06554A1-2C1E-4D20-B613-EE62C79927CC}\setup.exe" -l0x9 -removeonly
Acer ePower Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\setup.exe" -l0x9 -removeonly
Acer ePresentation Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BF839132-BD43-4056-ACBF-4377F4A88E2A}\setup.exe" -l0x9 -removeonly
Acer eSettings Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CE65A9A0-9686-45C6-9098-3C9543A412F0}\setup.exe" -l0x9 -removeonly
Acer GridVista-->C:\Windows\UnInst32.exe GridV.UNI
Acer Mobility Center Plug-In-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{11316260-6666-467B-AC34-183FCB5D4335}\setup.exe" -l0x9 -removeonly
Acer OrbiCam -->C:\Program Files\InstallShield Installation Information\{DD1DED37-2486-4F56-8F89-56AA814003F5}\setup.exe -runfromtemp -l0x0009 -removeonly
Acer OrbiCam-->Rundll32.exe BisonR07.dll,WinMainRmv
Acer Registration-->C:\Program Files\Acer Registration\uninstall.exe
Acer ScreenSaver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}\setup.exe" -l0x9 -removeonly
Acer Tour-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94389919-B0AA-4882-9BE8-9F0B004ECA35}\setup.exe" -l0x9 -removeonly
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
ArcSoft Panorama Maker 3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5F68DC8-0278-4AD8-B413-861509B5F25B}\Setup.exe" -l0x9
Atheros for Acer Driver v7.2.0.127_Foxconn Installation Program-->C:\Program Files\InstallShield Installation Information\{28006915-2739-4EBE-B5E8-49B25D32EB33}\SETUP.exe -runfromtemp -l0x0009 -removeonly
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Broadcom Driver v4.102.15.63_Foxconn Installation Program-->C:\Program Files\InstallShield Installation Information\{88410D8F-8529-492B-B556-2394A29B811B}\SETUP.exe -runfromtemp -l0x0009 -removeonly
HDAUDIO Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118\HXFSETUP.EXE -U -IAcrSUN32z.inf
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® Graphics Media Accelerator Driver-->C:\Windows\system32\igxpun.exe -uninstall
Launch Manager-->C:\Windows\UnInst32.exe LManager.UNI
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
Nikon Message Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\Setup.exe" -l0x9 UNINSTALL
NTI Backup NOW! 4.7-->"C:\Program Files\InstallShield Installation Information\{67ADE9AF-5CD9-4089-8825-55DE4B366799}\setup.exe" -removeonly
NTI CD & DVD-Maker-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
PictureProject-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF3999BE-1A7B-4738-88AA-97BF14094A4A}\Setup.exe" -l0x9 UNINSTALL
PowerProducer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\Setup.EXE" -uninstall
QuickTime-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{0B69DA57-BC7D-461D-B7D6-2AA9F08869CD} /l1033
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB958439)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {6491B8AA-D11C-4648-A461-6234B31EB7E2}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Office Excel 2007 (KB958437)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {648FC016-2D6B-4A16-8D87-404533642F4B}
Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office Word 2007 (KB956358)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {4551666D-0FD6-4C69-8A81-1C6F2E64517C}
Security Update for Visio 2007 (KB947590)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
SMSC Fast Infrared Driver-->C:\Program Files\InstallShield Installation Information\{1AEC7728-1640-4E98-AABC-5EBE3FB57FE4}\setup.exe -runfromtemp -l0x0009 -removeonly
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Update for Office 2007 (KB946691)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}

=====HijackThis Backups=====

O22 - SharedTaskScheduler: KJhaiufhw3nrih7wefywjfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\Windows\system32\jsdf768wude.dll (file missing)

======Security center information======

AV: AVG Anti-Virus Free
AV: Trend Micro Internet Security (disabled)
AS: Trend Micro Internet Security
AS: AVG Anti-Virus Free (disabled)
AS: Windows Defender (disabled)

System event log

Computer Name: tom-PC
Event Code: 7036
Message: The Windows Modules Installer service entered the stopped state.
Record Number: 51930
Source Name: Service Control Manager
Time Written: 20090206031407.000000-000
Event Type: Information
User:

Computer Name: tom-PC
Event Code: 1000
Message: Windows Defender scan has started.
Scan ID: {2F9692CF-D821-4647-A3F6-3ACF454E8F8A}
Scan Type: AntiSpyware
Scan Parameters: Quick Scan
User: NT AUTHORITY\NETWORK SERVICE
Record Number: 51931
Source Name: Microsoft-Windows-Windows Defender
Time Written: 20090206032240.000000-000
Event Type: Information
User:

Computer Name: tom-PC
Event Code: 7036
Message: The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.
Record Number: 51932
Source Name: Service Control Manager
Time Written: 20090206033352.000000-000
Event Type: Information
User:

Computer Name: tom-PC
Event Code: 7036
Message: The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.
Record Number: 51933
Source Name: Service Control Manager
Time Written: 20090206043130.000000-000
Event Type: Information
User:

Computer Name: tom-PC
Event Code: 7036
Message: The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.
Record Number: 51934
Source Name: Service Control Manager
Time Written: 20090206044800.000000-000
Event Type: Information
User:

Application event log

Computer Name: tom-PC
Event Code: 1
Message: Successful auto update of third-party root certificate:: Subject: <CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US> Sha1 thumbprint: <E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46>.
Record Number: 8691
Source Name: Microsoft-Windows-CAPI2
Time Written: 20090206030605.000000-000
Event Type: Information
User:

Computer Name: tom-PC
Event Code: 8194
Message: Successfully created restore point (Process = C:\Windows\system32\svchost.exe -k netsvcs; Description = Windows Update).
Record Number: 8692
Source Name: System Restore
Time Written: 20090206030740.000000-000
Event Type: Information
User:

Computer Name: tom-PC
Event Code: 8194
Message: Successfully created restore point (Process = C:\Windows\system32\svchost.exe -k netsvcs; Description = Windows Update).
Record Number: 8693
Source Name: System Restore
Time Written: 20090206030807.000000-000
Event Type: Information
User:

Computer Name: tom-PC
Event Code: 8224
Message: The VSS service is shutting down due to idle timeout.
Record Number: 8694
Source Name: VSS
Time Written: 20090206031059.000000-000
Event Type: Information
User:

Computer Name: tom-PC
Event Code: 5
Message: Unsupported service control request (see data below)
Record Number: 8695
Source Name: LightScribeService
Time Written: 20090206050826.000000-000
Event Type: Information
User:

Security event log

Computer Name: tom-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 19965
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090206050820.341991-000
Event Type: Audit Failure
User:

Computer Name: tom-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 19966
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090206050820.373191-000
Event Type: Audit Failure
User:

Computer Name: tom-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 19967
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090206050820.404391-000
Event Type: Audit Failure
User:

Computer Name: tom-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 19968
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090206050820.451191-000
Event Type: Audit Failure
User:

Computer Name: tom-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 19969
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090206050820.482391-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 14 Stepping 12, GenuineIntel
"PROCESSOR_REVISION"=0e0c
"NUMBER_OF_PROCESSORS"=2
"CLASSPATH"=C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------

#6 mattsdad (Topic Starter)

Posted 06 February 2009 - 12:43 AM

4.) The gmer.log is attached to this post.

Attached File: gmer.log (46.34KB)


#7 fenzodahl512

Posted 06 February 2009 - 03:59 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#8 mattsdad (Topic Starter)

Posted 06 February 2009 - 12:07 PM

5.) Here is the ComboFix log.
ComboFix 09-02-06.01 - tom 2009-02-06 10:36:13.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013.326 [GMT -6:00]
Running from: c:\users\tom\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\System32\Desktop_.ini
c:\windows\system32\TDSSwqsc.dat
c:\windows\system32\x64

----- BITS: Possible infected sites -----

hxxp://download.yimg.com
.
((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
.

2009-02-06 10:22 . 2009-02-06 10:22 107,272 --a------ c:\windows\System32\drivers\avgtdix.sys
2009-02-05 23:19 . 2009-02-05 23:19 250 --a------ c:\windows\gmer.ini
2009-02-05 23:08 . 2009-02-05 23:08 <DIR> d-------- C:\rsit
2009-02-05 21:06 . 2009-02-05 21:06 <DIR> d-------- c:\users\tom\AppData\Roaming\Malwarebytes
2009-02-05 21:06 . 2009-02-05 21:06 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-02-05 21:06 . 2009-02-05 21:06 <DIR> d-------- c:\programdata\Malwarebytes
2009-02-05 21:06 . 2009-02-05 21:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-05 21:06 . 2009-01-14 16:11 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-05 21:06 . 2009-01-14 16:11 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-01-29 15:10 . 2009-01-29 15:10 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-29 13:35 . 2009-02-06 10:22 10,520 --a------ c:\windows\System32\avgrsstx.dll
2009-01-29 13:34 . 2009-02-06 10:23 <DIR> d-------- c:\windows\System32\drivers\Avg
2009-01-29 13:34 . 2009-02-06 10:23 <DIR> d-------- c:\users\All Users\avg8
2009-01-29 13:34 . 2009-02-06 10:23 <DIR> d-------- c:\programdata\avg8
2009-01-29 13:34 . 2009-01-29 13:34 <DIR> d-------- c:\program files\AVG
2009-01-29 13:34 . 2009-02-06 10:22 325,128 --a------ c:\windows\System32\drivers\avgldx86.sys
2009-01-29 12:50 . 2009-01-29 12:50 <DIR> d-------- c:\program files\Trend Micro
2009-01-28 22:51 . 2008-08-27 21:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2009-01-28 22:51 . 2008-08-27 21:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2009-01-28 22:51 . 2008-08-27 21:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2009-01-28 22:51 . 2008-10-21 21:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2009-01-28 22:51 . 2008-09-17 22:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2009-01-28 22:51 . 2008-09-17 22:56 125,952 --a------ c:\windows\System32\wersvc.dll
2009-01-28 22:31 . 2008-10-20 23:25 1,645,568 --a------ c:\windows\System32\connect.dll
2009-01-18 23:15 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2009-01-18 22:59 . 2009-01-18 22:59 <DIR> d-------- c:\users\tom\AppData\Roaming\Uniblue
2009-01-18 21:18 . 2009-01-18 21:18 <DIR> d-------- c:\users\All Users\NortonInstaller
2009-01-18 21:18 . 2009-01-18 21:18 <DIR> d-------- c:\programdata\NortonInstaller
2009-01-15 23:31 . 2008-10-21 19:22 2,048 --a------ c:\windows\System32\tzres.dll
2009-01-15 18:27 . 2008-12-15 20:42 288,768 --a------ c:\windows\System32\drivers\srv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 03:38 --------- d-----w c:\programdata\CyberLink
2009-01-16 05:33 --------- d-----w c:\programdata\Microsoft Help
2009-01-14 05:31 --------- d-----w c:\programdata\Yahoo!
2009-01-14 05:31 --------- d-----w c:\program files\Yahoo!
2009-01-14 04:01 --------- d-----w c:\users\tom\AppData\Roaming\Yahoo!
2009-01-07 02:25 20 ---h--w c:\users\All Users\PKP_DLec.DAT
2009-01-07 02:25 20 ---h--w c:\programdata\PKP_DLec.DAT
2008-12-12 03:05 --------- d-----w c:\programdata\Ultima_T15
2008-12-12 03:05 --------- d-----w c:\programdata\EnterNHelp
2008-12-11 01:37 --------- d-----w c:\programdata\Trend Micro
2008-10-01 02:30 174 --sha-w c:\program files\desktop.ini
2008-10-22 04:00 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-10-22 04:00 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-10-22 04:00 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-22 815104]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-01-02 464168]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-12-08 614400]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2006-12-13 3166208]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2006-12-07 1261568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-27 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-10-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-10-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-10-18 133656]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-06 1601304]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-30 c:\windows\RtHDVCpl.exe]

c:\users\tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-01-13 528384]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-12-27 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll eNetHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9DD875FE-78F0-4301-A80C-729BFF3F3125}"= UDP:c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{D889881C-2F8A-46CD-89FF-820D08F25743}"= TCP:c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{360FD227-3A97-40CE-B1C6-0E1C36A1885F}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4CD9864E-D2DE-4E84-8B8C-89E297658DE2}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6F0C035B-1345-4A42-8D74-2F504BA5820C}"= UDP:c:\users\tom\AppData\Local\Temp\WZSE0.TMP\SymNRT.exe:Norton Removal Tool
"{B5F55CED-034C-4C31-BC1B-996605C3052F}"= TCP:c:\users\tom\AppData\Local\Temp\WZSE0.TMP\SymNRT.exe:Norton Removal Tool
"{2337000E-E3F0-41F9-A468-E80849386C33}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{C4A3CD2D-D6A8-4F05-945F-7E216AC55F02}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-01-29 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2009-02-06 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-29 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-29 298264]
S3 BXWZY;BXWZY;c:\users\tom\AppData\Local\Temp\BXWZY.exe --> c:\users\tom\AppData\Local\Temp\BXWZY.exe [?]
S3 LKRKSV;LKRKSV;c:\users\tom\AppData\Local\Temp\LKRKSV.exe --> c:\users\tom\AppData\Local\Temp\LKRKSV.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AVGTDIX
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\uniblue\registrybooster\StartRegistryBooster.exe
HKLM-Run-Acer Tour - (no file)
HKLM-Run-SetPanel - (no file)
HKLM-Run-eRecoveryService - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-06 10:39:33
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\windows\system32\eNetHook.dll

- - - - - - - > 'lsass.exe'(660)
c:\windows\system32\eNetHook.dll
.
Completion time: 2009-02-06 10:41:43
ComboFix-quarantined-files.txt 2009-02-06 16:41:40

Pre-Run: 28,567,982,080 bytes free
Post-Run: 28,947,255,296 bytes free

166 --- E O F --- 2009-02-06 03:08:07

#9 mattsdad

mattsdad
  • Topic Starter

  • Members
  • 15 posts
  • Local time:08:14 AM

Posted 06 February 2009 - 12:08 PM

6.) And here is a fresh HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:30 AM, on 2/6/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\mobsync.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll eNetHook.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BXWZY - Unknown owner - C:\Users\tom\AppData\Local\Temp\BXWZY.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LKRKSV - Unknown owner - C:\Users\tom\AppData\Local\Temp\LKRKSV.exe (file missing)
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6677 bytes

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:10:14 PM

Posted 06 February 2009 - 01:07 PM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
BXWZY
LKRKSV

File::
c:\users\tom\AppData\Local\Temp\BXWZY.exe
c:\users\tom\AppData\Local\Temp\LKRKSV.exe

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the ComboFix log in your next reply..





Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Post me these logs in your next reply..

1. ComboFix
2. ESET Online Scanner
3. Tell me, how's the computer now? :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
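As an added example (not code from this thread, HijackThis or ComboFix), the triage below reads O23 service lines in the shape of the HijackThis log above, flags the two services that run from a user Temp directory with no publisher and a missing binary, and writes them into a CFScript of the same Driver::/File:: form the helper posted. The sample lines are constructed from the log, and the scoring weights and threshold are my own assumptions, not a HijackThis rule.

```python
"""Triage HijackThis O23 service entries and build a ComboFix CFScript.

Added example; not part of the original thread and not HijackThis or
ComboFix code. Scoring weights and the threshold are assumptions.
"""
import re

# Constructed sample in the O23 shape HijackThis writes, taken from the
# log above with the remaining lines omitted; not a scan of any real host.
SAMPLE_HJT = """\
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\\PROGRA~1\\AVG\\AVG8\\avgwdsvc.exe
O23 - Service: BXWZY - Unknown owner - C:\\Users\\tom\\AppData\\Local\\Temp\\BXWZY.exe (file missing)
O23 - Service: eNet Service - Acer Inc. - C:\\Acer\\Empowering Technology\\eNet\\eNet Service.exe
O23 - Service: LKRKSV - Unknown owner - C:\\Users\\tom\\AppData\\Local\\Temp\\LKRKSV.exe (file missing)
O23 - Service: MobilityService - Unknown owner - C:\\Acer\\Mobility Center\\MobilityService.exe
"""

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)"     # display name
    r"(?: \((?P<short>[^()]+)\))?"          # optional (short service name)
    r" - (?P<owner>.+?)"                    # company or "Unknown owner"
    r" - (?P<path>.+?)"                     # image path
    r"(?P<missing> \(file missing\))?$"     # HijackThis could not find the file
)

# Any path component literally named "Temp" (e.g. AppData\Local\Temp).
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_o23(line):
    """Return a dict for one O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "service": d["short"] or d["display"],  # name ComboFix's Driver:: needs
        "owner": d["owner"],
        "path": d["path"],
        "missing": d["missing"] is not None,
    }


def assess(entry):
    """Score one service. A single weak signal (e.g. an OEM service with no
    publisher string) is tolerated; two signals together are flagged."""
    score, reasons = 0, []
    if TEMP_RE.search(entry["path"]):
        score += 2
        reasons.append("runs from a Temp directory")
    if entry["missing"]:
        score += 1
        reasons.append("binary missing on disk")
    if entry["owner"].lower() == "unknown owner":
        score += 1
        reasons.append("no publisher recorded")
    return score, reasons


def triage(log_text, threshold=2):
    """Return the O23 entries whose score reaches the (assumed) threshold."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        score, reasons = assess(entry)
        if score >= threshold:
            entry.update(score=score, reasons=reasons)
            findings.append(entry)
    return findings


def build_cfscript(findings):
    """Emit a CFScript in the Driver::/File:: layout shown in the thread."""
    lines = ["KillAll::", "", "Driver::"]
    lines += [f["service"] for f in findings]
    lines += ["", "File::"]
    lines += [f["path"] for f in findings]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_HJT)
    for f in found:
        print(f"{f['service']}: {'; '.join(f['reasons'])}")
    print(build_cfscript(found))
```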


#11 mattsdad

mattsdad
  • Topic Starter

  • Members
  • 15 posts
  • Local time:08:14 AM

Posted 06 February 2009 - 03:53 PM

7.) After running the requested script, here is the latest ComboFix log.
ComboFix 09-02-06.01 - tom 2009-02-06 12:26:27.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013.315 [GMT -6:00]
Running from: c:\users\tom\Desktop\ComboFix.exe
Command switches used :: c:\users\tom\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\users\tom\AppData\Local\Temp\BXWZY.exe
c:\users\tom\AppData\Local\Temp\LKRKSV.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_BXWZY
-------\Service_LKRKSV


((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
.

2009-02-06 10:22 . 2009-02-06 10:22 107,272 --a------ c:\windows\System32\drivers\avgtdix.sys
2009-02-05 23:19 . 2009-02-05 23:19 250 --a------ c:\windows\gmer.ini
2009-02-05 23:08 . 2009-02-05 23:08 <DIR> d-------- C:\rsit
2009-02-05 21:06 . 2009-02-05 21:06 <DIR> d-------- c:\users\tom\AppData\Roaming\Malwarebytes
2009-02-05 21:06 . 2009-02-05 21:06 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-02-05 21:06 . 2009-02-05 21:06 <DIR> d-------- c:\programdata\Malwarebytes
2009-02-05 21:06 . 2009-02-05 21:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-05 21:06 . 2009-01-14 16:11 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-05 21:06 . 2009-01-14 16:11 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-01-29 15:10 . 2009-01-29 15:10 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-29 13:35 . 2009-02-06 10:22 10,520 --a------ c:\windows\System32\avgrsstx.dll
2009-01-29 13:34 . 2009-02-06 10:23 <DIR> d-------- c:\windows\System32\drivers\Avg
2009-01-29 13:34 . 2009-02-06 10:23 <DIR> d-------- c:\users\All Users\avg8
2009-01-29 13:34 . 2009-02-06 10:23 <DIR> d-------- c:\programdata\avg8
2009-01-29 13:34 . 2009-01-29 13:34 <DIR> d-------- c:\program files\AVG
2009-01-29 13:34 . 2009-02-06 10:22 325,128 --a------ c:\windows\System32\drivers\avgldx86.sys
2009-01-29 12:50 . 2009-01-29 12:50 <DIR> d-------- c:\program files\Trend Micro
2009-01-28 22:51 . 2008-08-27 21:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2009-01-28 22:51 . 2008-08-27 21:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2009-01-28 22:51 . 2008-08-27 21:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2009-01-28 22:51 . 2008-10-21 21:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2009-01-28 22:51 . 2008-09-17 22:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2009-01-28 22:51 . 2008-09-17 22:56 125,952 --a------ c:\windows\System32\wersvc.dll
2009-01-28 22:31 . 2008-10-20 23:25 1,645,568 --a------ c:\windows\System32\connect.dll
2009-01-18 23:15 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2009-01-18 22:59 . 2009-01-18 22:59 <DIR> d-------- c:\users\tom\AppData\Roaming\Uniblue
2009-01-18 21:18 . 2009-01-18 21:18 <DIR> d-------- c:\users\All Users\NortonInstaller
2009-01-18 21:18 . 2009-01-18 21:18 <DIR> d-------- c:\programdata\NortonInstaller
2009-01-15 23:31 . 2008-10-21 19:22 2,048 --a------ c:\windows\System32\tzres.dll
2009-01-15 18:27 . 2008-12-15 20:42 288,768 --a------ c:\windows\System32\drivers\srv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 03:38 --------- d-----w c:\programdata\CyberLink
2009-01-16 05:33 --------- d-----w c:\programdata\Microsoft Help
2009-01-14 05:31 --------- d-----w c:\programdata\Yahoo!
2009-01-14 05:31 --------- d-----w c:\program files\Yahoo!
2009-01-14 04:01 --------- d-----w c:\users\tom\AppData\Roaming\Yahoo!
2009-01-07 02:25 20 ---h--w c:\users\All Users\PKP_DLec.DAT
2009-01-07 02:25 20 ---h--w c:\programdata\PKP_DLec.DAT
2008-12-12 03:05 --------- d-----w c:\programdata\Ultima_T15
2008-12-12 03:05 --------- d-----w c:\programdata\EnterNHelp
2008-12-11 01:37 --------- d-----w c:\programdata\Trend Micro
2008-10-01 02:30 174 --sha-w c:\program files\desktop.ini
2008-10-22 04:00 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-10-22 04:00 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-10-22 04:00 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-06_10.40.05.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-02-06 16:39:36 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-06 18:31:28 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2009-02-06 16:39:30 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-06 18:31:28 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2009-02-06 16:29:02 9,960 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2305850314-670001670-2916706878-1000_UserData.bin
+ 2009-02-06 16:57:16 10,102 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2305850314-670001670-2916706878-1000_UserData.bin
- 2009-02-06 16:29:02 70,494 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-02-06 16:57:16 70,698 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-02-06 16:28:59 54,018 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-02-06 16:57:14 54,372 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-22 815104]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-01-02 464168]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-12-08 614400]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2006-12-13 3166208]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2006-12-07 1261568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-27 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-10-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-10-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-10-18 133656]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-06 1601304]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-30 c:\windows\RtHDVCpl.exe]

c:\users\tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-01-13 528384]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-12-27 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll eNetHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9DD875FE-78F0-4301-A80C-729BFF3F3125}"= UDP:c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{D889881C-2F8A-46CD-89FF-820D08F25743}"= TCP:c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{360FD227-3A97-40CE-B1C6-0E1C36A1885F}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4CD9864E-D2DE-4E84-8B8C-89E297658DE2}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6F0C035B-1345-4A42-8D74-2F504BA5820C}"= UDP:c:\users\tom\AppData\Local\Temp\WZSE0.TMP\SymNRT.exe:Norton Removal Tool
"{B5F55CED-034C-4C31-BC1B-996605C3052F}"= TCP:c:\users\tom\AppData\Local\Temp\WZSE0.TMP\SymNRT.exe:Norton Removal Tool
"{2337000E-E3F0-41F9-A468-E80849386C33}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{C4A3CD2D-D6A8-4F05-945F-7E216AC55F02}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-01-29 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2009-02-06 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-29 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-29 298264]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-06 12:31:33
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1180)
c:\acer\Empowering Technology\EPOWER\SysHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\System32\drivers\XAudio.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Launch Manager\LManager.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\System32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\acer\Empowering Technology\eNet\eNMTray.exe
c:\acer\Empowering Technology\ePower\ePower_DMC.exe
c:\acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe
c:\acer\Empowering Technology\eRecovery\eRAgent.exe
c:\users\tom\AppData\Local\Temp\RtkBtMnt.exe
c:\windows\System32\igfxext.exe
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-02-06 12:36:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-06 18:36:27
ComboFix2.txt 2009-02-06 16:41:44

Pre-Run: 28,781,260,800 bytes free
Post-Run: 28,416,602,112 bytes free

201 --- E O F --- 2009-02-06 03:08:07

#12 mattsdad

mattsdad
  • Topic Starter

  • Members
  • 15 posts
  • Local time:08:14 AM

Posted 06 February 2009 - 03:56 PM

8.) And here is the log from the ESET online scanner.
The computer seems to be stable now, although it seems to still be complaining about being unable to install the KB985215 security update.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3834 (20090206)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=26b118e2dc94c643a0968470f4227975
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-02-06 07:15:26
# local_time=2009-02-06 01:15:26 (-0600, Central Standard Time)
# country="United States"
# osver=6.0.6001 NT Service Pack 1
# scanned=132819
# found=0
# scan_time=1601

#13 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:10:14 PM

Posted 07 February 2009 - 12:38 AM

although it seems to still be complaining about being unable to install the KB985215 security update.


First of all, log looks good to me..

I couldn't find any credible info on "KB985215 security update".. Can you tell me what it is?.. I might have to direct you to Windows forum due to this one.. :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#14 mattsdad

mattsdad
  • Topic Starter

  • Members
  • 15 posts
  • Local time:08:14 AM

Posted 10 February 2009 - 12:55 PM

I'm not sure what KB958215 is, other than it appears to be a Windows Security Update, and Vista's Windows Update deems it an "important update".
I've attached (uploaded) a segment of the system event log which shows the Windows Update failure.
Currently AVG, Windows Defender, and Windows Firewall are all disabled, so I'm pretty sure these are not getting in the way of the Windows Update.

In short, the system event shows:

"Windows Servicing failed to complete the process of setting package KB958215 (Security Update) into Resolved(Resolved) state"
- System
- Provider
[ Name] Microsoft-Windows-Servicing
[ Guid] {bd12f3b8-fc40-4a61-a307-b7a013a069c1}
[ EventSourceName] Microsoft-Windows-Servicing
- EventID 4375
[ Qualifiers] 49152
Version 0
Level 2
Task 0
Opcode 0
Keywords 0x80000000000000
- TimeCreated
[ SystemTime] 2009-02-10T17:23:34.000Z
EventRecordID 60468
Correlation
- Execution
[ ProcessID] 0
[ ThreadID] 0
Channel System
Computer tom-PC
- Security
[ UserID] S-1-5-18
- UserData
- CbsPackageChangeState
PackageIdentifier KB958215
ReleaseType Security Update
PackageState Resolved
PackageAssembly Package_for_KB958215_client~31bf3856ad364e35~x86~~6.0.1.0
Operation Staged
OperationCompleted True
ErrorCode 0x80070020
RebootOption False
MissingElements


#15 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:10:14 PM

Posted 10 February 2009 - 10:52 PM

Erm.. Not sure what that's about.. I'll head you to Windows forum after we finish with the cleaning process..

Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware



Then please seek further assistance at our Windows Vista forum below.. Tell them about your computer problem and also tell them that we sent you there :thumbup2:

http://www.bleepingcomputer.com/forums/f/72/windows-vista/





