MyWay.MyWebSearch


15 replies to this topic

#1 syekidorp

Posted 17 February 2009 - 08:42 PM

Hello People

I've been referred here from the "Am I infected? What do I do?" forum.

http://www.bleepingcomputer.com/forums/t/202253/security-warning-a00ffe0dcexe/

"MyWay.MyWebSearch", which Spybot detected but can't remove.

Here is the DDS log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Libby at 0:57:43.88 on 18/02/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1013.294 [GMT 0:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Acer\ALaunch\ALaunchSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Users\Libby\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Libby\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.stardoll.com/en/
uSEARCH PAGE = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Acer Tour Reminder]
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ALaunch] c:\acer\alaunch\AlaunchClient.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [Acer Tour]
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [PlayMovie] "c:\program files\acer arcade deluxe\play movie\PMVService.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [eRecoveryService]
mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [SetPanel] c:\acer\apanel\APanel.cmd
mRun: [eAudio] "c:\acer\empowering technology\eaudio\eAudio.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRunOnce: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab?AuthParam=1234199294_ee9e7b5f5a3d56c48ce7ff3bcc5d4ca7&GroupName=JSC&FilePath=/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab&File=jinstall-6u12-windows-i586-jc.cab&BHost=javadl.sun.com
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll eNetHook.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-17 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-17 107272]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\play movie\000.fcl [2007-9-22 13560]
R2 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2007-8-8 50688]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-2-17 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-17 298264]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-8-8 179712]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2007-8-8 32256]

=============== Created Last 30 ================

2009-02-17 20:35 --d----- c:\temp\rootalyz-0.2.1.35
2009-02-17 20:34 1,039,963 a------- c:\temp\rootalyz-0.2.1.35.zip
2009-02-17 16:44 --d----- c:\programdata\Spybot - Search & Destroy
2009-02-17 16:44 --d----- c:\program files\Spybot - Search & Destroy
2009-02-17 16:44 --d----- c:\progra~2\Spybot - Search & Destroy
2009-02-17 16:37 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-17 16:37 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-17 16:37 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-17 16:37 --d----- c:\windows\system32\drivers\Avg
2009-02-17 16:36 --d----- c:\program files\AVG
2009-02-17 16:36 --d----- c:\programdata\avg8
2009-02-17 16:36 --d----- c:\progra~2\avg8
2009-02-17 16:33 16,409,960 a------- c:\temp\spybotsd162.exe
2009-02-17 16:02 59,981,528 a------- c:\temp\avg_free_stf_en_8_233a1415.exe
2009-02-13 15:48 --d----- c:\users\libby\DoctorWeb
2009-02-13 14:39 --d----- c:\program files\iPod
2009-02-13 14:39 --d----- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-13 14:39 --d----- c:\program files\iTunes
2009-02-13 14:39 --d----- c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-13 14:31 --d----- c:\program files\Bonjour
2009-02-12 22:05 --d----- c:\programdata\SUPERAntiSpyware.com
2009-02-12 22:05 --d----- c:\progra~2\SUPERAntiSpyware.com
2009-02-12 22:03 --d----- c:\users\libby\appdata\roaming\SUPERAntiSpyware.com
2009-02-12 22:03 --d----- c:\program files\SUPERAntiSpyware
2009-02-12 17:41 398,336 a------- c:\windows\system32\TVWizudlg.exe
2009-02-12 17:41 140,288 a------- c:\windows\system32\igfxtvcx.dll
2009-02-12 17:23 21,879,664 a------- c:\temp\winvista_15121.exe
2009-02-12 17:21 --d----- c:\program files\SystemRequirementsLab
2009-02-12 16:26 --d----- c:\program files\Apoint2K
2009-02-11 19:50 --d----- c:\users\libby\appdata\roaming\Malwarebytes
2009-02-11 19:49 --d----- c:\programdata\Malwarebytes
2009-02-11 19:49 --d----- c:\progra~2\Malwarebytes
2009-02-11 10:49 118 a------- c:\windows\system32\MRT.INI
2009-02-11 10:43 428,544 a------- c:\windows\system32\EncDec.dll
2009-02-11 10:43 217,088 a------- c:\windows\system32\psisrndr.ax
2009-02-11 10:43 293,376 a------- c:\windows\system32\psisdecd.dll
2009-02-11 10:43 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-02-11 10:43 80,896 a------- c:\windows\system32\MSNP.ax
2009-02-11 10:36 827,392 a------- c:\windows\system32\wininet.dll
2009-02-11 10:35 1,383,424 a------- c:\windows\system32\mshtml.tlb
2009-02-10 18:07 --d----- c:\temp\Audio_Realtek_v6.0.1.5477_Vistax32
2009-02-10 17:42 39,686,587 a------- c:\temp\Audio_Realtek_v6.0.1.5477_Vistax32.zip
2009-02-10 13:13 --d----- c:\temp\TouchPadDriver_Alps&Synaptics_v7.0.1101.17&v10.0.15_Vistax32
2009-02-09 17:08 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 16:14 54,065,146 a------- c:\temp\TouchPadDriver_Alps&Synaptics_v7.0.1101.17&v10.0.15_Vistax32.zip
2009-02-09 15:48 5,292,032 a------- c:\temp\WLANdriver_Intel_4965&3495_v11.5.0.34_Vistax32.zip
2009-02-09 13:37 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-02-09 13:04 --d----- C:\PerfLogs
2009-02-09 12:31 --d----- C:\c65d66b16543a52d73d1df6ff320d8
2009-02-09 11:36 97,800 a------- c:\windows\system32\infocardapi.dll
2009-02-09 11:36 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-02-09 11:36 622,080 a------- c:\windows\system32\icardagt.exe
2009-02-09 11:36 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-02-09 11:36 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-02-09 11:36 11,264 a------- c:\windows\system32\icardres.dll
2009-02-09 11:36 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-02-09 11:36 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-02-09 11:33 44,990,464 a------- c:\windows\ocsetup_install_NetFx3.etl
2009-02-09 11:33 49,152 a------- c:\windows\ocsetup_cbs_install_NetFx3.perf
2009-02-09 11:33 16,384 a------- c:\windows\ocsetup_cbs_install_NetFx3.dpx
2009-02-09 11:27 96,760 a------- c:\windows\system32\dfshim.dll
2009-02-09 11:27 282,112 a------- c:\windows\system32\mscoree.dll
2009-02-09 11:27 41,984 a------- c:\windows\system32\netfxperf.dll
2009-02-09 11:26 158,720 a------- c:\windows\system32\mscorier.dll
2009-02-09 11:26 83,968 a------- c:\windows\system32\mscories.dll
2009-01-28 16:23 --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-01-25 17:44 --d----- c:\users\libby\Tracing
2009-01-25 17:38 --d----- c:\program files\Microsoft
2009-01-25 17:38 --d----- c:\program files\Windows Live SkyDrive
2009-01-25 17:17 --d----- c:\program files\common files\Windows Live

==================== Find3M ====================

2009-02-12 17:28 143,360 a------- c:\windows\inf\infstrng.dat
2009-02-12 17:28 86,016 a------- c:\windows\inf\infpub.dat
2009-02-12 17:26 143,360 a------- c:\windows\inf\infstor.dat
2009-02-10 13:20 100,418 a------- c:\windows\system32\Vxdif.dll
2009-02-10 13:14 163,376 a------- c:\windows\system32\drivers\Apfiltr.sys
2009-02-09 13:17 174 a--sh--- c:\program files\desktop.ini
2009-02-09 13:03 665,600 a------- c:\windows\inf\drvindex.dat
2009-02-09 12:45 101,888 a------- c:\windows\system32\ifxcardm.dll
2009-02-09 12:45 82,432 a------- c:\windows\system32\axaltocm.dll
2008-12-17 16:49 3,328 a------- c:\users\libby\appdata\roaming\wklnhst.dat
2008-12-16 11:27 993,816 a------- c:\windows\system32\igxpun.exe
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-02 22:37 49,480 a------- c:\windows\system32\sirenacm.dll
2008-12-02 12:49 8,198,680 a------- c:\windows\system32\TVWSetup.exe
2008-12-02 12:49 141,848 a------- c:\windows\system32\igfxtray.exe
2008-12-02 12:49 252,952 a------- c:\windows\system32\igfxsrvc.exe
2008-12-02 12:49 172,568 a------- c:\windows\system32\igfxext.exe
2008-12-02 12:49 150,552 a------- c:\windows\system32\igfxpers.exe
2008-12-02 12:49 668,696 a------- c:\windows\system32\igfxcfg.exe
2008-12-02 12:49 173,592 a------- c:\windows\system32\hkcmd.exe
2008-12-02 12:40 155,648 a------- c:\windows\system32\igfxCoIn_v1608.dll
2008-12-02 12:33 3,821,568 a------- c:\windows\system32\igdumd32.dll
2008-12-02 12:31 1,498,564 a------- c:\windows\system32\igkrng400.bin
2008-12-02 12:27 536,576 a------- c:\windows\system32\igdumdx32.dll
2008-12-02 12:22 2,580,480 a------- c:\windows\system32\igd10umd32.dll
2008-12-02 12:13 2,674,688 a------- c:\windows\system32\ig4dev32.dll
2008-12-02 12:13 4,112,384 a------- c:\windows\system32\ig4icd32.dll
2008-12-02 12:03 257,536 a------- c:\windows\system32\igfxTMM.dll
2008-12-02 12:03 59,392 a------- c:\windows\system32\oemdspif.dll
2008-12-02 12:03 200,192 a------- c:\windows\system32\igfxpph.dll
2008-12-02 12:03 23,552 a------- c:\windows\system32\igfxexps.dll
2008-12-02 12:02 51,712 a------- c:\windows\system32\igfxsrvc.dll
2008-12-02 12:02 130,048 a------- c:\windows\system32\igfxdo.dll
2008-12-02 12:02 94,208 a------- c:\windows\system32\hccutils.dll
2008-12-02 12:02 210,432 a------- c:\windows\system32\igfxdev.dll
2008-12-02 12:02 5,702,656 a------- c:\windows\system32\igfxress.dll
2008-12-02 12:00 319,456 a------- c:\windows\system32\difxapi.dll
2008-04-26 11:07 1,072,396 a------- c:\users\libby\xobglu32.dll
2008-04-26 11:07 63,488 a------- c:\users\libby\xobglu16.dll
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 0:59:41.07 ===============

Any help you can give would be greatly appreciated.

Thanks in advance.

Sye

#2 Farbar

Posted 26 February 2009 - 01:36 PM

Hi syekidorp,

Welcome to the BC HijackThis forum, and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Tell me if you have done anything since your previous post, or if you have run any other tools. Also tell me the current condition of your computer.

  • To get an idea about the current condition of your computer, download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Set the scan files/folders to 3 Months.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

    Note 1: If you have difficulty finding the logs, the logs are in this folder: C:\rsit

    Note 2: The tool takes no more than one minute to scan the system.
You might want to save this page to your favorites, so you can find it again when you return.

#3 syekidorp

Posted 01 March 2009 - 01:55 PM

Hi farbar. Thanks for your help.

Here are the logs:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Libby at 2009-03-01 18:37:37
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 42 GB (58%) free of 71 GB
Total RAM: 1013 MB (12% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:38:25, on 01/03/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\Libby\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\system32\igfxext.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Libby\Desktop\RSIT.exe
C:\Program Files\trend micro\Libby.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/def...://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stardoll.com/en/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/def...://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ALaunch] C:\Acer\ALaunch\AlaunchClient.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u1...=javadl.sun.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll eNetHook.dll
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11227 bytes

======Scheduled tasks folder======

C:\Windows\tasks\RegCure Program Check.job
C:\Windows\tasks\RegCure.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-11-29 436288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-02-17 1078552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}]
ALOT Toolbar - C:\Program Files\alot\bin\alot.dll [2008-10-31 759080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}]
ShowBarObj Class - C:\Windows\system32\ActiveToolBand.dll [2007-04-25 299008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2008-11-18 408952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-02-17 1968920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2008-01-05 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-02-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - Acer eDataSecurity Management - C:\Windows\system32\eDStoolbar.dll [2007-04-25 151552]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-11-29 436288]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2008-01-05 2403392]
{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - ALOT Toolbar - C:\Program Files\alot\bin\alot.dll [2008-10-31 759080]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-02-17 1968920]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"ALaunch"=C:\Acer\ALaunch\AlaunchClient.exe []
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-07-06 4669440]
"eDataSecurity Loader"=C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe [2007-04-25 457216]
"Acer Tour"= []
"LManager"=C:\PROGRA~1\LAUNCH~1\LManager.exe [2007-06-27 752136]
"PlayMovie"=C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe [2007-05-24 206952]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [2007-03-21 174872]
"eRecoveryService"= []
"Acer Tour Reminder"=C:\Acer\AcerTour\Reminder.exe [2007-05-22 151552]
"WarReg_PopUp"=C:\Acer\WR_PopUp\WarReg_PopUp.exe [2006-11-05 57344]
"SetPanel"=C:\Acer\APanel\APanel.cmd []
"eAudio"=C:\Acer\Empowering Technology\eAudio\eAudio.exe [2007-06-11 1286144]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-01-05 185632]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-02-06 177472]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-02-09 148888]
"Apoint"=C:\Program Files\Apoint2K\Apoint.exe [2009-02-10 159744]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2008-12-02 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2008-12-02 173592]
"Persistence"=C:\Windows\system32\igfxpers.exe [2008-12-02 150552]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-01-06 290088]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-02-17 1601304]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-19 1233920]
"Acer Tour Reminder"= []
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe [2008-01-05 171448]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2008-12-02 3882312]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-01-26 2144088]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Empowering Technology Launcher.lnk - C:\Acer\Empowering Technology\eAPLauncher.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll eNetHook.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2008-12-02 210432]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 3 months======

2009-03-01 18:37:38 ----D---- C:\Program Files\trend micro
2009-03-01 18:37:37 ----D---- C:\rsit
2009-02-17 16:44:58 ----D---- C:\ProgramData\Spybot - Search & Destroy
2009-02-17 16:44:58 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-02-17 16:37:18 ----A---- C:\Windows\system32\avgrsstx.dll
2009-02-17 16:36:45 ----D---- C:\Program Files\AVG
2009-02-17 16:36:44 ----D---- C:\ProgramData\avg8
2009-02-13 14:39:07 ----D---- C:\Program Files\iPod
2009-02-13 14:39:00 ----D---- C:\ProgramData\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-13 14:39:00 ----D---- C:\Program Files\iTunes
2009-02-13 14:36:39 ----D---- C:\Program Files\QuickTime
2009-02-13 14:31:34 ----D---- C:\Program Files\Bonjour
2009-02-12 22:25:13 ----A---- C:\Windows\ntbtlog.txt
2009-02-12 22:05:02 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2009-02-12 22:03:57 ----D---- C:\Users\Libby\AppData\Roaming\SUPERAntiSpyware.com
2009-02-12 22:03:57 ----D---- C:\Program Files\SUPERAntiSpyware
2009-02-12 17:41:41 ----A---- C:\Windows\system32\TVWizudlg.exe
2009-02-12 17:41:41 ----A---- C:\Windows\system32\igfxtvcx.dll
2009-02-12 17:21:42 ----D---- C:\Program Files\SystemRequirementsLab
2009-02-12 16:26:27 ----D---- C:\Program Files\Apoint2K
2009-02-11 19:50:02 ----D---- C:\Users\Libby\AppData\Roaming\Malwarebytes
2009-02-11 19:49:55 ----D---- C:\ProgramData\Malwarebytes
2009-02-11 10:49:48 ----A---- C:\Windows\system32\MRT.INI
2009-02-11 10:43:27 ----A---- C:\Windows\system32\EncDec.dll
2009-02-11 10:43:23 ----A---- C:\Windows\system32\psisdecd.dll
2009-02-11 10:36:06 ----A---- C:\Windows\system32\mshtml.dll
2009-02-11 10:36:04 ----A---- C:\Windows\system32\ieframe.dll
2009-02-11 10:36:02 ----A---- C:\Windows\system32\urlmon.dll
2009-02-11 10:36:01 ----A---- C:\Windows\system32\wininet.dll
2009-02-11 10:36:01 ----A---- C:\Windows\system32\msfeeds.dll
2009-02-11 10:36:00 ----A---- C:\Windows\system32\mstime.dll
2009-02-11 10:36:00 ----A---- C:\Windows\system32\iertutil.dll
2009-02-11 10:35:59 ----A---- C:\Windows\system32\jsproxy.dll
2009-02-09 17:08:55 ----A---- C:\Windows\system32\deploytk.dll
2009-02-09 17:08:54 ----A---- C:\Windows\system32\javaws.exe
2009-02-09 17:08:54 ----A---- C:\Windows\system32\javaw.exe
2009-02-09 17:08:53 ----A---- C:\Windows\system32\java.exe
2009-02-09 17:08:04 ----D---- C:\Program Files\Java
2009-02-09 13:39:59 ----A---- C:\Windows\system32\msshooks.dll
2009-02-09 13:39:58 ----A---- C:\Windows\system32\msscb.dll
2009-02-09 13:39:55 ----A---- C:\Windows\system32\SearchFilterHost.exe
2009-02-09 13:39:55 ----A---- C:\Windows\system32\propdefs.dll
2009-02-09 13:39:55 ----A---- C:\Windows\system32\msstrc.dll
2009-02-09 13:39:55 ----A---- C:\Windows\system32\mssprxy.dll
2009-02-09 13:39:55 ----A---- C:\Windows\system32\mssitlb.dll
2009-02-09 13:39:55 ----A---- C:\Windows\system32\msshsq.dll
2009-02-09 13:39:54 ----A---- C:\Windows\system32\thawbrkr.dll
2009-02-09 13:39:54 ----A---- C:\Windows\system32\srchadmin.dll
2009-02-09 13:39:54 ----A---- C:\Windows\system32\propsys.dll
2009-02-09 13:39:54 ----A---- C:\Windows\system32\korwbrkr.dll
2009-02-09 13:39:50 ----A---- C:\Windows\system32\xmlfilter.dll
2009-02-09 13:39:50 ----A---- C:\Windows\system32\wsepno.dll
2009-02-09 13:39:50 ----A---- C:\Windows\system32\SearchProtocolHost.exe
2009-02-09 13:39:50 ----A---- C:\Windows\system32\SearchIndexer.exe
2009-02-09 13:39:50 ----A---- C:\Windows\system32\rtffilt.dll
2009-02-09 13:39:50 ----A---- C:\Windows\system32\offfilt.dll
2009-02-09 13:39:50 ----A---- C:\Windows\system32\nlhtml.dll
2009-02-09 13:39:50 ----A---- C:\Windows\system32\msscntrs.dll
2009-02-09 13:39:50 ----A---- C:\Windows\system32\mimefilt.dll
2009-02-09 13:39:50 ----A---- C:\Windows\system32\chtbrkr.dll
2009-02-09 13:39:50 ----A---- C:\Windows\system32\chsbrkr.dll
2009-02-09 13:39:49 ----A---- C:\Windows\system32\tquery.dll
2009-02-09 13:39:49 ----A---- C:\Windows\system32\mssvp.dll
2009-02-09 13:39:49 ----A---- C:\Windows\system32\mssrch.dll
2009-02-09 13:39:49 ----A---- C:\Windows\system32\mssphtb.dll
2009-02-09 13:39:49 ----A---- C:\Windows\system32\mssph.dll
2009-02-09 13:37:51 ----A---- C:\Windows\system32\rpcrt4.dll
2009-02-09 13:37:49 ----A---- C:\Windows\system32\pacerprf.dll
2009-02-09 13:37:48 ----A---- C:\Windows\system32\wersvc.dll
2009-02-09 13:37:48 ----A---- C:\Windows\system32\Faultrep.dll
2009-02-09 13:37:47 ----A---- C:\Windows\system32\emdmgmt.dll
2009-02-09 13:37:47 ----A---- C:\Windows\system32\dataclen.dll
2009-02-09 13:37:47 ----A---- C:\Windows\system32\cdd.dll
2009-02-09 13:37:45 ----A---- C:\Windows\system32\wshext.dll
2009-02-09 13:37:45 ----A---- C:\Windows\system32\wscript.exe
2009-02-09 13:37:45 ----A---- C:\Windows\system32\vbscript.dll
2009-02-09 13:37:45 ----A---- C:\Windows\system32\scrrun.dll
2009-02-09 13:37:45 ----A---- C:\Windows\system32\scrobj.dll
2009-02-09 13:37:45 ----A---- C:\Windows\system32\jscript.dll
2009-02-09 13:37:45 ----A---- C:\Windows\system32\cscript.exe
2009-02-09 13:04:02 ----D---- C:\PerfLogs
2009-02-09 12:31:45 ----D---- C:\c65d66b16543a52d73d1df6ff320d8
2009-02-09 11:36:27 ----A---- C:\Windows\system32\infocardapi.dll
2009-02-09 11:36:26 ----A---- C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-02-09 11:36:24 ----A---- C:\Windows\system32\PresentationHostProxy.dll
2009-02-09 11:36:24 ----A---- C:\Windows\system32\icardres.dll
2009-02-09 11:36:24 ----A---- C:\Windows\system32\icardagt.exe
2009-02-09 11:36:16 ----A---- C:\Windows\system32\PresentationNative_v0300.dll
2009-02-09 11:36:12 ----A---- C:\Windows\system32\PresentationHost.exe
2009-02-09 11:27:28 ----A---- C:\Windows\system32\dfshim.dll
2009-02-09 11:27:21 ----A---- C:\Windows\system32\mscoree.dll
2009-02-09 11:27:19 ----A---- C:\Windows\system32\netfxperf.dll
2009-02-09 11:26:58 ----A---- C:\Windows\system32\mscorier.dll
2009-02-09 11:26:51 ----A---- C:\Windows\system32\mscories.dll
2009-01-28 16:23:31 ----D---- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2009-01-25 17:38:46 ----D---- C:\Program Files\Microsoft
2009-01-25 17:38:25 ----D---- C:\Program Files\Windows Live SkyDrive
2009-01-25 17:38:07 ----D---- C:\Program Files\Windows Live
2009-01-25 17:17:40 ----D---- C:\Program Files\Common Files\Windows Live
2009-01-01 20:03:54 ----D---- C:\Program Files\Cooking Academy
2008-12-28 13:36:17 ----D---- C:\Program Files\RegCure
2008-12-23 16:04:44 ----D---- C:\Users\Libby\AppData\Roaming\Ashtons. Family Resort
2008-12-23 16:04:44 ----D---- C:\ProgramData\Ashtons. Family Resort
2008-12-12 18:46:35 ----A---- C:\Windows\system32\tzres.dll
2008-12-12 11:18:16 ----A---- C:\Windows\system32\dns-sd.exe
2008-12-12 11:11:46 ----A---- C:\Windows\system32\dnssd.dll
2008-12-11 18:06:25 ----A---- C:\Windows\system32\gdi32.dll
2008-12-11 18:06:15 ----A---- C:\Windows\system32\Apphlpdm.dll
2008-12-11 18:06:13 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2008-12-11 18:05:25 ----A---- C:\Windows\explorer.exe
2008-12-11 18:05:15 ----A---- C:\Windows\system32\shell32.dll
2008-12-11 17:55:32 ----A---- C:\Windows\system32\WMVCORE.DLL
2008-12-11 17:55:31 ----A---- C:\Windows\system32\mf.dll
2008-12-11 17:55:30 ----A---- C:\Windows\system32\WMNetMgr.dll
2008-12-11 17:55:29 ----A---- C:\Windows\system32\rrinstaller.exe
2008-12-11 17:55:29 ----A---- C:\Windows\system32\mfps.dll
2008-12-11 17:55:29 ----A---- C:\Windows\system32\mfpmp.exe
2008-12-11 17:55:29 ----A---- C:\Windows\system32\logagent.exe
2008-12-02 22:37:20 ----A---- C:\Windows\system32\sirenacm.dll
2008-12-02 12:49:44 ----A---- C:\Windows\system32\TVWSetup.exe
2008-12-02 12:49:36 ----A---- C:\Windows\system32\igfxcfg.exe
2008-12-02 12:40:18 ----A---- C:\Windows\system32\igfxCoIn_v1608.dll
2008-12-02 12:27:56 ----A---- C:\Windows\system32\igdumdx32.dll
2008-12-02 12:22:44 ----A---- C:\Windows\system32\igd10umd32.dll
2008-12-02 12:13:56 ----A---- C:\Windows\system32\ig4dev32.dll
2008-12-02 12:13:48 ----A---- C:\Windows\system32\ig4icd32.dll
2008-12-02 12:03:24 ----A---- C:\Windows\system32\oemdspif.dll
2008-12-02 12:03:18 ----A---- C:\Windows\system32\igfxpph.dll
2008-12-02 12:02:40 ----A---- C:\Windows\system32\igfxdo.dll

======List of files/folders modified in the last 3 months======

2009-03-01 18:37:53 ----D---- C:\Windows\Prefetch
2009-03-01 18:37:45 ----D---- C:\Windows\Temp
2009-03-01 18:37:38 ----RD---- C:\Program Files
2009-03-01 17:43:02 ----D---- C:\Windows\System32
2009-03-01 17:43:02 ----D---- C:\Windows\inf
2009-03-01 17:43:02 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-02-21 22:44:37 ----SHD---- C:\System Volume Information
2009-02-20 16:05:21 ----SHD---- C:\Windows\Installer
2009-02-18 00:53:04 ----D---- C:\temp
2009-02-17 21:26:16 ----D---- C:\ProgramData\Microsoft Help
2009-02-17 21:26:11 ----RSD---- C:\Windows\assembly
2009-02-17 21:25:38 ----D---- C:\Program Files\Microsoft Office
2009-02-17 21:25:38 ----D---- C:\Program Files\Common Files\microsoft shared
2009-02-17 21:25:29 ----D---- C:\Program Files\Microsoft Works
2009-02-17 21:25:22 ----D---- C:\Program Files\Common Files
2009-02-17 21:24:44 ----RSD---- C:\Windows\Fonts
2009-02-17 21:22:22 ----D---- C:\Windows\ShellNew
2009-02-17 18:13:14 ----SD---- C:\Windows\Downloaded Program Files
2009-02-17 16:44:58 ----HD---- C:\ProgramData
2009-02-17 16:37:17 ----D---- C:\Windows\system32\drivers
2009-02-17 16:36:44 ----D---- C:\Windows\system32\catroot2
2009-02-17 16:35:41 ----SD---- C:\Users\Libby\AppData\Roaming\Microsoft
2009-02-17 16:35:41 ----D---- C:\Windows
2009-02-17 16:20:40 ----D---- C:\Windows\system
2009-02-16 11:23:28 ----D---- C:\Windows\Minidump
2009-02-13 14:41:11 ----D---- C:\Program Files\Safari
2009-02-13 14:39:06 ----D---- C:\Program Files\Common Files\Apple
2009-02-12 17:41:41 ----D---- C:\Windows\system32\Lang
2009-02-12 17:41:34 ----D---- C:\Program Files\Intel
2009-02-12 17:31:24 ----D---- C:\Windows\system32\Tasks
2009-02-12 17:27:04 ----D---- C:\Windows\system32\catroot
2009-02-12 17:10:34 ----HD---- C:\Windows\system32\GroupPolicy
2009-02-11 20:12:18 ----D---- C:\Program Files\Internet Explorer
2009-02-11 11:10:59 ----D---- C:\Windows\winsxs
2009-02-11 10:49:37 ----D---- C:\Windows\Microsoft.NET
2009-02-11 10:44:58 ----D---- C:\Windows\ehome
2009-02-11 10:44:18 ----D---- C:\Program Files\Windows Mail
2009-02-10 16:03:10 ----D---- C:\Windows\system32\WDI
2009-02-10 13:20:05 ----A---- C:\Windows\system32\Vxdif.dll
2009-02-10 00:25:01 ----D---- C:\Windows\Logs
2009-02-09 14:04:51 ----D---- C:\Windows\rescache
2009-02-09 13:45:48 ----D---- C:\Windows\system32\en-US
2009-02-09 13:45:48 ----D---- C:\Windows\PolicyDefinitions
2009-02-09 13:28:23 ----D---- C:\Program Files\Adobe
2009-02-09 13:18:12 ----SHD---- C:\Boot
2009-02-09 13:17:52 ----ASH---- C:\Program Files\desktop.ini
2009-02-09 13:08:54 ----D---- C:\Program Files\Windows Calendar
2009-02-09 13:08:53 ----D---- C:\Program Files\Windows Sidebar
2009-02-09 13:08:53 ----D---- C:\Program Files\Movie Maker
2009-02-09 13:08:50 ----D---- C:\Program Files\Windows Media Player
2009-02-09 13:08:48 ----D---- C:\Program Files\Windows Collaboration
2009-02-09 13:08:47 ----D---- C:\Program Files\Windows Journal
2009-02-09 13:08:46 ----D---- C:\Program Files\Windows Photo Gallery
2009-02-09 13:08:38 ----D---- C:\Program Files\Common Files\System
2009-02-09 13:08:37 ----D---- C:\Program Files\Windows Defender
2009-02-09 13:08:36 ----D---- C:\Windows\servicing
2009-02-09 13:08:27 ----D---- C:\Windows\MSAgent
2009-02-09 13:08:25 ----D---- C:\Windows\L2Schemas
2009-02-09 13:08:25 ----D---- C:\Windows\IME
2009-02-09 13:08:25 ----D---- C:\Windows\DigitalLocker
2009-02-09 13:08:24 ----D---- C:\Windows\system32\ko-KR
2009-02-09 13:08:24 ----D---- C:\Windows\system32\da-DK
2009-02-09 13:08:24 ----D---- C:\Windows\system32\com
2009-02-09 13:08:15 ----D---- C:\Windows\system32\it-IT
2009-02-09 13:08:15 ----D---- C:\Windows\system32\el-GR
2009-02-09 13:08:15 ----D---- C:\Windows\system32\de-DE
2009-02-09 13:08:14 ----D---- C:\Windows\system32\oobe
2009-02-09 13:08:13 ----D---- C:\Windows\system32\sysprep
2009-02-09 13:08:13 ----D---- C:\Windows\system32\migration
2009-02-09 13:08:05 ----D---- C:\Windows\system32\AdvancedInstallers
2009-02-09 13:08:04 ----D---- C:\Windows\system32\sv-SE
2009-02-09 13:08:04 ----D---- C:\Windows\system32\setup
2009-02-09 13:08:04 ----D---- C:\Windows\system32\ru-RU
2009-02-09 13:08:04 ----D---- C:\Windows\system32\ias
2009-02-09 13:08:04 ----D---- C:\Windows\system32\he-IL
2009-02-09 13:08:04 ----D---- C:\Windows\system32\fr-FR
2009-02-09 13:08:03 ----D---- C:\Windows\system32\SLUI
2009-02-09 13:08:03 ----D---- C:\Windows\system32\pt-PT
2009-02-09 13:08:03 ----D---- C:\Windows\system32\hu-HU
2009-02-09 13:08:03 ----D---- C:\Windows\system32\fi-FI
2009-02-09 13:08:03 ----D---- C:\Windows\system32\cs-CZ
2009-02-09 13:08:00 ----D---- C:\Windows\system32\zh-CN
2009-02-09 13:08:00 ----D---- C:\Windows\system32\manifeststore
2009-02-09 13:08:00 ----D---- C:\Windows\system32\es-ES
2009-02-09 13:08:00 ----D---- C:\Windows\system32\en
2009-02-09 13:07:59 ----D---- C:\Windows\system32\zh-TW
2009-02-09 13:07:59 ----D---- C:\Windows\system32\ro-RO
2009-02-09 13:07:59 ----D---- C:\Windows\system32\pl-PL
2009-02-09 13:07:59 ----D---- C:\Windows\system32\ja-JP
2009-02-09 13:07:52 ----D---- C:\Windows\system32\wbem
2009-02-09 13:07:52 ----D---- C:\Windows\system32\tr-TR
2009-02-09 13:07:45 ----D---- C:\Windows\system32\nl-NL
2009-02-09 13:07:45 ----D---- C:\Windows\system32\nb-NO
2009-02-09 13:07:45 ----D---- C:\Windows\system32\ar-SA
2009-02-09 13:07:41 ----D---- C:\Windows\system32\migwiz
2009-02-09 13:07:39 ----D---- C:\Windows\system32\pt-BR
2009-02-09 13:04:36 ----D---- C:\Windows\AppPatch
2009-02-09 13:04:17 ----D---- C:\Windows\Boot
2009-02-09 13:04:09 ----D---- C:\Windows\system32\Boot
2009-02-09 13:00:11 ----D---- C:\Windows\system32\RTCOM
2009-02-09 12:45:15 ----A---- C:\Windows\system32\ifxcardm.dll
2009-02-09 12:45:03 ----A---- C:\Windows\system32\axaltocm.dll
2009-02-09 11:49:13 ----D---- C:\Windows\system32\XPSViewer
2009-02-09 10:56:14 ----D---- C:\Windows\system32\config
2009-02-09 10:56:04 ----D---- C:\Windows\Tasks
2009-02-09 10:56:04 ----D---- C:\Windows\system32\spool
2009-02-09 10:55:58 ----D---- C:\Windows\registration
2009-02-03 23:21:12 ----A---- C:\Windows\system32\mrt.exe
2009-01-26 14:23:42 ----D---- C:\Windows\system32\LogFiles
2009-01-25 17:17:21 ----SD---- C:\ProgramData\Microsoft
2009-01-01 20:06:59 ----D---- C:\Program Files\Sallys Spa
2009-01-01 19:36:49 ----D---- C:\Program Files\Sallys Salon
2009-01-01 19:12:53 ----D---- C:\Program Files\Jojos Fashion Show
2009-01-01 19:12:31 ----D---- C:\Program Files\Home Sweet Home
2009-01-01 19:12:10 ----D---- C:\Program Files\Realore
2009-01-01 19:10:51 ----D---- C:\Program Files\Fab Fashion
2009-01-01 19:10:29 ----D---- C:\Program Files\Diner Dash Flo On The Go
2009-01-01 19:10:08 ----D---- C:\Program Files\Diner Dash 2
2009-01-01 19:09:46 ----D---- C:\Program Files\Cooking Dash
2009-01-01 19:07:37 ----D---- C:\Program Files\Posh Shop
2008-12-16 11:27:24 ----A---- C:\Windows\system32\igxpun.exe
2008-12-07 12:12:19 ----AD---- C:\ProgramData\TEMP
2008-12-02 12:49:42 ----A---- C:\Windows\system32\igfxtray.exe
2008-12-02 12:49:40 ----A---- C:\Windows\system32\igfxsrvc.exe
2008-12-02 12:49:38 ----A---- C:\Windows\system32\igfxpers.exe
2008-12-02 12:49:38 ----A---- C:\Windows\system32\igfxext.exe
2008-12-02 12:49:34 ----A---- C:\Windows\system32\hkcmd.exe
2008-12-02 12:33:14 ----A---- C:\Windows\system32\igdumd32.dll
2008-12-02 12:03:52 ----A---- C:\Windows\system32\igfxTMM.dll
2008-12-02 12:03:12 ----A---- C:\Windows\system32\igfxexps.dll
2008-12-02 12:02:58 ----A---- C:\Windows\system32\igfxsrvc.dll
2008-12-02 12:02:30 ----A---- C:\Windows\system32\hccutils.dll
2008-12-02 12:02:24 ----A---- C:\Windows\system32\igfxdev.dll
2008-12-02 12:02:12 ----A---- C:\Windows\system32\igfxress.dll
2008-12-02 12:00:48 ----A---- C:\Windows\system32\difxapi.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2009-02-17 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2009-02-17 27656]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\Windows\System32\Drivers\avgtdix.sys [2009-02-17 107272]
R1 DritekPortIO;Dritek General Port I/O; \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys [2006-11-02 20112]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}; \??\C:\Program Files\Acer Arcade Deluxe\Play Movie\000.fcl [2006-11-02 13560]
R2 int15;int15; \??\C:\Acer\Empowering Technology\eRecovery\int15.sys [2006-12-08 76584]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2007-02-24 39936]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2007-01-23 42496]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2007-03-22 37376]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2007-01-30 8704]
R3 ApfiltrService;Alps Pointing-device Filter Driver; C:\Windows\system32\DRIVERS\Apfiltr.sys [2009-02-10 163376]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-06-05 179712]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-19 14208]
R3 DKbFltr;Dritek Keyboard Filter Driver; C:\Windows\system32\DRIVERS\DKbFltr.sys [2006-11-02 21264]
R3 enecir;ENE CIR Receiver; C:\Windows\system32\DRIVERS\enecir.sys [2007-03-07 32256]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2007-04-26 984064]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2007-04-26 208384]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-12-02 4564992]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-07-10 1792792]
R3 NETw4v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-08-08 2226688]
R3 NTIDrvr;Upper Class Filter Driver; C:\Windows\system32\DRIVERS\NTIDrvr.sys [2007-08-08 6144]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-19 88576]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2007-04-26 660480]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-19 11264]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 gkmixern;gkmixern; \??\C:\Users\Libby\AppData\Local\Temp\gkmixern.sys []
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2006-11-02 200704]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 NETw3v32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-11-02 1781760]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2008-02-18 30464]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-19 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ALaunchService;ALaunch Service; C:\Acer\ALaunch\ALaunchSvc.exe [2007-01-26 50688]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-11-21 194240]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-02-17 903960]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-02-17 298264]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 eDataSecurity Service;eDataSecurity Service; C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe [2007-04-25 457512]
R2 eLockService;eLock Service; C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe [2007-03-14 24576]
R2 eNet Service;eNet Service; C:\Acer\Empowering Technology\eNet\eNet Service.exe [2007-05-22 135168]
R2 eRecoveryService;eRecovery Service; C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe [2007-02-13 53248]
R2 eSettingsService;eSettings Service; C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [2007-05-10 24576]
R2 IAANTMON;Intel® Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2007-03-21 355096]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-01-17 61440]
R2 MobilityService;MobilityService; C:\Acer\Mobility Center\MobilityService.exe [2006-11-24 107008]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-01-23 266343]
R2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 WMIService;ePower Service; C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [2007-09-14 167936]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2007-01-30 386560]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-01-06 536872]
S2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-05 138168]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-11-21 2541248]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.05 2009-03-01 18:38:32

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{31403E22-2FDB-452F-AE9E-20854633226D}\Setup.EXE" -uninst
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A450831D-25F6-4F42-9662-D000B25E0D82}\setup.exe" -uninstall
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA4BF92B-2AAF-11DA-9D78-000129760D75}\setup.exe" -uninstall
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B145EC69-66F5-11D8-9D75-000129760D75}\setup.exe" -uninstall
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B804C424-B66D-447A-84BD-C6B88C392C3A}\setup.exe" -uninstall
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F79A208D-D929-11D9-9D77-000129760D75}\setup.exe" -uninstall
Acer Arcade Deluxe-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFBDC2B0-FAA8-4B78-8DE1-AEBE7958FA37}\setup.exe" -uninstall
Acer eAudio Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57265292-228A-41FA-9AEC-4620CBCC2739}\Setup.exe" -uninstall
Acer eDataSecurity Management-->C:\Acer\Empowering Technology\eDataSecurity\eDSnstHelper.exe -Operation UNINSTALL
Acer eLock Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{116FF17B-1A30-4FC2-9B01-5BC5BD46B0B3}\setup.exe" -l0x9 -removeonly
Acer Empowering Technology-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB6097D9-D722-4987-BD9E-A076E2848EE2}\setup.exe" -l0x9 -removeonly
Acer eNet Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C06554A1-2C1E-4D20-B613-EE62C79927CC}\setup.exe" -l0x9 -removeonly
Acer ePower Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\setup.exe" -l0x9 -removeonly
Acer ePresentation Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BF839132-BD43-4056-ACBF-4377F4A88E2A}\setup.exe" -l0x9 -removeonly
Acer eSettings Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CE65A9A0-9686-45C6-9098-3C9543A412F0}\setup.exe" -l0x9 -removeonly
Acer GridVista-->C:\Windows\UnInst32.exe GridV.UNI
Acer Mobility Center Plug-In-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{11316260-6666-467B-AC34-183FCB5D4335}\setup.exe" -l0x9 -removeonly
Acer ScreenSaver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}\setup.exe" -l0x9 -removeonly
Acer Tour-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94389919-B0AA-4882-9BE8-9F0B004ECA35}\setup.exe" -l0x9 -removeonly
Activation Assistant for the 2007 Microsoft Office suites-->"C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player-->C:\Windows\System32\Macromed\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~1\Install.log
ALOT Toolbar-->"C:\Program Files\alot\alotUninst.exe"
ALPS Touch Pad Driver-->C:\Program Files\Apoint2K\Uninstap.exe ADDREMOVE
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Camera RAW Plug-In for EPSON Creativity Suite-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{93EA9C3E-BDFD-4309-A605-9B5BBC0CCEFD}\SETUP.EXE" -l0x9 UNINST
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Cooking Academy-->"C:\Program Files\Cooking Academy\ReflexiveArcade\unins000.exe"
Dream Day Honeymoon-->"C:\Program Files\Dream Day Honeymoon\ReflexiveArcade\unins000.exe"
Dream Day Wedding-->"C:\Program Files\Dream Day Wedding\ReflexiveArcade\unins000.exe"
DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"
Dynasty-->"C:\Program Files\Acer GameZone\Dynasty\Uninstall.exe" "C:\Program Files\Acer GameZone\Dynasty\install.log"
EPSON Attach To Email-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLG
EPSON Easy Photo Print-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3D78F2A2-C893-4ABD-B5FE-AD7011837755}\SETUP.EXE" -l0x9 UNINST
EPSON File Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2EB81825-E9EE-44F4-8F51-1240C3898DC6}\Setup.exe" -l0x9 UNINST
EPSON Printer Software-->C:\Windows\system32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan Assistant-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x9 -u
EPSON Scan-->C:\Program Files\epson\escndv\setup\setup.exe /r
EPSON Stylus CX7300_CX8300_DX7400_DX8400 Manual-->C:\Program Files\EPSON\TPMANUAL\ES_CX_DX\ENG\USE_G\DOCUNINS.EXE
Galapago-->"C:\Program Files\Acer GameZone\Galapago\Uninstall.exe" "C:\Program Files\Acer GameZone\Galapago\install.log"
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HDAUDIO Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118\UIU32m.exe -U -IAcrZUn32z.inf
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Intel® Graphics Media Accelerator Driver-->C:\Windows\system32\igxpun.exe -uninstall
Intel® Matrix Storage Manager-->C:\Windows\System32\Imsmudlg.exe
Intel® TV Wizard-->C:\Windows\system32\TVWizudlg.exe -uninstall
iTunes-->MsiExec.exe /I{F5C63795-2708-4D15-BF18-5ABBFF7DFFC8}
Java™ 6 Update 12-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
Junk Mail filter update-->MsiExec.exe /I{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}
Launch Manager-->C:\Windows\UnInst32.exe LManager.UNI
LiveUpdate 3.2 (Symantec Corporation)-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Luxor 2-->"C:\Program Files\Acer GameZone\Luxor 2\Uninstall.exe" "C:\Program Files\Acer GameZone\Luxor 2\install.log"
Microsoft .NET Framework 3.5 SP1-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
MobileMe Control Panel-->MsiExec.exe /I{A14C24F6-615B-415E-84B0-610FDAD19B68}
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
NTI Backup NOW! 4.7-->"C:\Program Files\InstallShield Installation Information\{67ADE9AF-5CD9-4089-8825-55DE4B366799}\setup.exe" -removeonly
NTI CD & DVD-Maker-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
PowerProducer 3.72-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\Setup.EXE" -uninstall
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
RegCure 1.5.1.3-->C:\Program Files\RegCure\uninst.exe
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59F6A514-9813-47A3-948C-8A155460CC2A}\setup.exe" -l0x9 anything
Safari-->MsiExec.exe /I{D90AFDE3-3E67-407A-ACA8-F0BAAD012F08}
Sallys Spa-->"C:\Program Files\Sallys Spa\ReflexiveArcade\unins000.exe"
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
The Sims Deluxe Edition-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{10798AE3-DCBB-43C3-9C93-C23512427E25}\Setup.exe" -l0009
Windows Live Call-->MsiExec.exe /I{020D8396-D6D9-4B53-A9A1-83C47E2E27AA}
Windows Live Communications Platform-->MsiExec.exe /I{F69E83CF-B440-43F8-89E6-6EA80712109B}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{D9D754A1-EAC5-406C-A28B-C49B1E846711}
Windows Live Mail-->MsiExec.exe /I{63C1109E-D977-49ED-BCE3-D00D0BF187D6}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live Sign-in Assistant-->MsiExec.exe /I{505DF7A3-88D5-4DD6-9AD5-C98C2ED0CEC4}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\common\unyt.exe
Zuma Deluxe-->"C:\Program Files\Acer GameZone\Zuma Deluxe\Uninstall.exe" "C:\Program Files\Acer GameZone\Zuma Deluxe\install.log"

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AS: Spybot - Search and Destroy (outdated)
AS: Windows Defender

System event log

Computer Name: Libby-PC
Event Code: 10029
Message: DCOM started the service wercplsupport with arguments "" in order to run the server:
{0E9A7BB5-F699-4D66-8A47-B919F5B6A1DB}
Record Number: 176266
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20090301174826.000000-000
Event Type: Information
User:

Computer Name: Libby-PC
Event Code: 7036
Message: The Problem Reports and Solutions Control Panel Support service entered the running state.
Record Number: 176267
Source Name: Service Control Manager
Time Written: 20090301174826.000000-000
Event Type: Information
User:

Computer Name: Libby-PC
Event Code: 7036
Message: The Problem Reports and Solutions Control Panel Support service entered the stopped state.
Record Number: 176268
Source Name: Service Control Manager
Time Written: 20090301174827.000000-000
Event Type: Information
User:

Computer Name: Libby-PC
Event Code: 7036
Message: The Windows Modules Installer service entered the stopped state.
Record Number: 176269
Source Name: Service Control Manager
Time Written: 20090301175057.000000-000
Event Type: Information
User:

Computer Name: Libby-PC
Event Code: 7036
Message: The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.
Record Number: 176270
Source Name: Service Control Manager
Time Written: 20090301175719.000000-000
Event Type: Information
User:

Application event log

Computer Name: Libby-PC
Event Code: 1
Message: Certificate Services Client has been started successfully.
Record Number: 39280
Source Name: Microsoft-Windows-CertificateServicesClient
Time Written: 20090301173644.278800-000
Event Type: Information
User: NT AUTHORITY\SYSTEM

Computer Name: Libby-PC
Event Code: 0
Message:
Record Number: 39281
Source Name: iPod Service
Time Written: 20090301173736.000000-000
Event Type: Information
User:

Computer Name: Libby-PC
Event Code: 1001
Message: Performance counters for the WmiApRpl (WmiApRpl) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.
Record Number: 39282
Source Name: Microsoft-Windows-LoadPerf
Time Written: 20090301174302.000000-000
Event Type: Information
User:

Computer Name: Libby-PC
Event Code: 1000
Message: Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service.
Record Number: 39283
Source Name: Microsoft-Windows-LoadPerf
Time Written: 20090301174302.000000-000
Event Type: Information
User:

Computer Name: Libby-PC
Event Code: 5
Message: Unsupported service control request (see data below)
Record Number: 39284
Source Name: LightScribeService
Time Written: 20090301183830.000000-000
Event Type: Information
User:

Security event log

Computer Name: Libby-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 60712
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090301183822.987800-000
Event Type: Audit Failure
User:

Computer Name: Libby-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 60713
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090301183823.034600-000
Event Type: Audit Failure
User:

Computer Name: Libby-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 60714
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090301183823.081400-000
Event Type: Audit Failure
User:

Computer Name: Libby-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 60715
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090301183823.128200-000
Event Type: Audit Failure
User:

Computer Name: Libby-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 60716
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090301183823.175000-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

thanks again

Sye
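
Two parts of the log above deserve a closer look than the rest, and both can be checked mechanically. The Hosts File section maps ad and malware domains to 127.0.0.1, which is exactly what Spybot's immunization writes and is harmless; a hijacked hosts file looks different, with real names (update servers, security vendors) pointed at an address that is not loopback. The Security event log shows five Event 5038 Code Integrity audit failures for \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys, and the message itself says the cause is either unauthorized modification or disk corruption, so the driver's signature should be verified rather than assumed good. The script below is an added example written for this thread, not part of the original post and not code from RSIT or DDS: it parses a log in this format, reports any non-loopback hosts entry, and counts 5038 failures per image path. The sample log is constructed from records posted above plus one made-up hijack line (203.0.113.7 update.example.invalid, a documentation address) so that branch is exercised.

```python
# Added example: triage of an RSIT/DDS-style text log. Not part of the thread or of
# either tool. SAMPLE_LOG is constructed from records posted in the thread plus one
# made-up hijack line (203.0.113.7 update.example.invalid) to exercise that branch.
import re
from collections import Counter

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
SECTION_RE = re.compile(r"^=+\s*([^=]+?)\s*=+$")                 # ======Hosts File======
EVENT_LOG_RE = re.compile(r"^(System|Application|Security) event log$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s?(.*)$")           # "Event Code: 5038"

SAMPLE_LOG = r"""
======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
203.0.113.7 update.example.invalid

System event log

Computer Name: Libby-PC
Event Code: 7036
Message: The Windows Modules Installer service entered the stopped state.
Time Written: 20090301175057.000000-000
Event Type: Information
User:

Security event log

Computer Name: Libby-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Time Written: 20090301183822.987800-000
Event Type: Audit Failure
User:

Computer Name: Libby-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Time Written: 20090301183823.034600-000
Event Type: Audit Failure
User:
"""

def split_sections(text):
    """Map section name -> its lines; headers are '======Name======' or '<X> event log'."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        m = SECTION_RE.match(stripped)
        if m or EVENT_LOG_RE.match(stripped):
            current = sections.setdefault(m.group(1) if m else stripped, [])
        elif current is not None:
            current.append(line)
    return sections

def hosts_findings(lines):
    """Loopback entries are a blocklist (Spybot immunization); anything else is a hijack."""
    hijacks, blocked = [], 0
    for line in lines:
        parts = line.split("#", 1)[0].split()       # drop comments, tokenize
        if len(parts) < 2:
            continue
        if parts[0] in LOOPBACK:
            blocked += len(parts) - 1
        else:
            hijacks.extend((name, parts[0]) for name in parts[1:])
    return hijacks, blocked

def parse_events(lines):
    """Records start at 'Computer Name:'; a 5038 record carries a blank line inside
    its Message, so blank lines cannot be used as record separators."""
    records, current = [], None
    for line in lines:
        m = FIELD_RE.match(line)
        if m and m.group(1) == "Computer Name":
            current = {}
            records.append(current)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return records

def code_integrity_failures(records):
    return Counter(r.get("File Name", "?") for r in records
                   if r.get("Event Code") == "5038" and r.get("Event Type") == "Audit Failure")

def triage(text):
    sections = split_sections(text)
    hijacks, blocked = hosts_findings(sections.get("Hosts File", []))
    failures = Counter()
    for log in ("System event log", "Application event log", "Security event log"):
        failures.update(code_integrity_failures(parse_events(sections.get(log, []))))
    return {"hosts_hijacks": hijacks, "hosts_blocked": blocked,
            "code_integrity_failures": dict(failures)}
```

Run as `python triage.py` after adding `print(triage(SAMPLE_LOG))`, or feed it the text of a real log with `triage(open("log.txt").read())`. On the affected machine the follow-up for a 5038 on a boot driver is `sfc /verifyfile=C:\Windows\System32\drivers\tcpip.sys` (or Sysinternals sigcheck), which compares the file against the Windows catalog instead of guessing from the event alone.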

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 01 March 2009 - 04:56 PM

Hi Sye,

You forgot to give me feedback about the question(s).

When running any tool or fixes in the course of disinfection please right-click the tool and select "run as administrator".
  • You have the program Spybot S&D (TeaTimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup

      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    • Then download ResetTeaTimer.exe to your desktop. (In case you use Firefox, right-click the link and choose "Save Link As".)
      • Double-click ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.


  • We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
    • Go to Start > Control Panel > Windows Defender.
    • Open Windows Defender.
    • Click on Tools, Options.
    • At the bottom of the Windows Defender page, under Administrator Options, uncheck "Use Windows Defender" and then Save.
    • Click Close.
    Note: When everything is done and your log is clean again, you can re-enable it.

  • Now we need to make sure to turn off UAC ( UAC = User Account Control )
    • Click Start, and then click Control Panel.
    • In Control Panel, click User Accounts.
    • In the User Accounts window, click User Accounts.
    • In the User Accounts tasks window, click Turn User Account Control on or off.
    • If UAC is currently configured in Admin Approval Mode, the User Account Control message appears. Click Continue.
    • Clear the Use User Account Control (UAC) to help protect your computer check box, and then click OK. If it is already unchecked, you should also notice a red shield with an X in it located in your system tray. Ignore any messages about UAC being disabled.
    • Click Restart Now to apply the change right away. (Restart even if you did not make the above change, we need to be sure that a reboot has occurred since the first time that UAC was disabled.)
    NOTE: DO NOT CONTINUE UNTIL UAC has been disabled and you have rebooted. The UAC should be kept disabled until I give you the clean sign before closing the topic.

  • Please go to Start > Control Panel > Programs and Features and uninstall this adware-related program:

    ALOT Toolbar

    Also delete the folder in bold: C:\Program Files\alot

  • You still have some leftovers from an incompletely uninstalled Norton AntiVirus on your computer.

    To remove the leftovers please download and run the Norton Removal Tool.

    Note: Norton removal tool is one and the same for all versions named below. It doesn't matter which version you have.

    Warning: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer. If you use ACT! or WinFAX, back up those databases before you proceed.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications temporarily (see at the end of the step how to disable AVG). They may otherwise interfere with our tools.
    • Double click on ComboFix.exe & follow the prompts.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Note: Disable AVG Resident Shield:
    • Double click AVG system tray icon to open AVG.
    • In Overview section double click Resident Shield.
    • Uncheck Resident Shield Active.
    • Press Save Changes.

      Note: It is important to activate the resident shield immediately after running ComboFix.
  • Run HijackThis. If you don't know how, go to Start > Run, copy and paste the following, and click OK:

    "C:\Program Files\trend micro\Libby.exe"

    Click "Do a system scan and save a logfile". Post the content of the log. Also tell me the current condition of your computer.
Please include in your next reply:
  • The Combofix log.
  • A fresh HijackThis log.
  • Any comment or feedback about how it went and the current condition of your computer.


#5 syekidorp

syekidorp
  • Topic Starter

  • Members
  • 33 posts

Posted 02 March 2009 - 11:58 AM

Hi again Farbar.

I had only made one change between your two posts. I disabled the automatic backup program.

The computer is running ok as far as I can tell. My only concern is the presence of the "MyWay.MyWebSearch" which spybot detected, and which I want to remove.

Here are the requested logs:

ComboFix 09-03-01.01 - Libby 2009-03-02 16:08:16.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013.166 [GMT 0:00]
Running from: c:\users\Libby\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\drv\Tuner\Yuan\Resources\_desktop.ini
c:\windows\system32\x64

.
((((((((((((((((((((((((( Files Created from 2009-02-02 to 2009-03-02 )))))))))))))))))))))))))))))))
.

2009-03-02 15:55 . 2009-03-02 15:55 <DIR> d-------- c:\users\All Users\NortonInstaller
2009-03-02 15:55 . 2009-03-02 15:55 <DIR> d-------- c:\programdata\NortonInstaller
2009-03-01 18:37 . 2009-03-01 18:38 <DIR> d-------- C:\rsit
2009-03-01 18:37 . 2009-03-01 18:38 <DIR> d-------- c:\program files\trend micro
2009-02-17 20:35 . 2009-02-17 20:35 <DIR> d-------- c:\temp\rootalyz-0.2.1.35
2009-02-17 20:34 . 2009-02-17 20:35 1,039,963 --a------ c:\temp\rootalyz-0.2.1.35.zip
2009-02-17 16:44 . 2009-02-17 16:51 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2009-02-17 16:44 . 2009-02-17 16:51 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2009-02-17 16:44 . 2009-02-17 16:45 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-17 16:37 . 2009-03-02 15:15 <DIR> d-------- c:\windows\System32\drivers\Avg
2009-02-17 16:37 . 2009-02-17 16:37 325,128 --a------ c:\windows\System32\drivers\avgldx86.sys
2009-02-17 16:37 . 2009-02-17 16:37 107,272 --a------ c:\windows\System32\drivers\avgtdix.sys
2009-02-17 16:37 . 2009-02-17 16:37 10,520 --a------ c:\windows\System32\avgrsstx.dll
2009-02-17 16:36 . 2009-02-17 16:36 <DIR> d-------- c:\users\All Users\avg8
2009-02-17 16:36 . 2009-02-17 16:36 <DIR> d-------- c:\programdata\avg8
2009-02-17 16:36 . 2009-02-17 16:36 <DIR> d-------- c:\program files\AVG
2009-02-17 16:33 . 2009-02-17 16:33 16,409,960 --a------ c:\temp\spybotsd162.exe
2009-02-17 16:02 . 2009-02-17 16:02 59,981,528 --a------ c:\temp\avg_free_stf_en_8_233a1415.exe
2009-02-13 15:48 . 2009-02-13 15:48 <DIR> d-------- c:\users\Libby\DoctorWeb
2009-02-13 14:39 . 2009-02-13 14:39 <DIR> d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-13 14:39 . 2009-02-13 14:39 <DIR> d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-13 14:39 . 2009-02-13 14:39 <DIR> d-------- c:\program files\iTunes
2009-02-13 14:39 . 2009-02-13 14:39 <DIR> d-------- c:\program files\iPod
2009-02-13 14:36 . 2009-02-13 14:37 <DIR> d-------- c:\program files\QuickTime
2009-02-13 14:31 . 2009-02-13 14:31 <DIR> d-------- c:\program files\Bonjour
2009-02-12 22:05 . 2009-02-12 22:05 <DIR> d-------- c:\users\All Users\SUPERAntiSpyware.com
2009-02-12 22:05 . 2009-02-12 22:05 <DIR> d-------- c:\programdata\SUPERAntiSpyware.com
2009-02-12 22:03 . 2009-02-17 16:08 <DIR> d-------- c:\users\Libby\AppData\Roaming\SUPERAntiSpyware.com
2009-02-12 22:03 . 2009-02-17 16:08 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-12 17:41 . 2008-12-02 12:04 398,336 --a------ c:\windows\System32\TVWizudlg.exe
2009-02-12 17:41 . 2008-12-02 12:03 140,288 --a------ c:\windows\System32\igfxtvcx.dll
2009-02-12 17:23 . 2009-02-12 17:23 21,879,664 --a------ c:\temp\winvista_15121.exe
2009-02-12 17:21 . 2009-02-12 17:21 <DIR> d-------- c:\program files\SystemRequirementsLab
2009-02-12 16:26 . 2009-02-12 16:26 <DIR> d-------- c:\program files\Apoint2K
2009-02-11 19:50 . 2009-02-11 19:50 <DIR> d-------- c:\users\Libby\AppData\Roaming\Malwarebytes
2009-02-11 19:49 . 2009-02-11 19:49 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-02-11 19:49 . 2009-02-11 19:49 <DIR> d-------- c:\programdata\Malwarebytes
2009-02-11 10:49 . 2009-02-11 10:49 118 --a------ c:\windows\System32\MRT.INI
2009-02-11 10:43 . 2008-12-05 04:32 428,544 --a------ c:\windows\System32\EncDec.dll
2009-02-11 10:43 . 2008-12-05 04:32 293,376 --a------ c:\windows\System32\psisdecd.dll
2009-02-11 10:43 . 2008-12-05 04:31 217,088 --a------ c:\windows\System32\psisrndr.ax
2009-02-11 10:43 . 2008-12-05 04:31 177,664 --a------ c:\windows\System32\mpg2splt.ax
2009-02-11 10:43 . 2008-12-05 04:31 80,896 --a------ c:\windows\System32\MSNP.ax
2009-02-11 10:36 . 2009-01-15 06:11 827,392 --a------ c:\windows\System32\wininet.dll
2009-02-11 10:35 . 2009-01-15 03:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-10 18:07 . 2009-02-10 18:08 <DIR> d-------- c:\temp\Audio_Realtek_v6.0.1.5477_Vistax32
2009-02-10 17:42 . 2009-02-10 17:43 39,686,587 --a------ c:\temp\Audio_Realtek_v6.0.1.5477_Vistax32.zip
2009-02-10 13:13 . 2009-02-10 13:13 <DIR> d-------- c:\temp\TouchPadDriver_Alps&Synaptics_v7.0.1101.17&v10.0.15_Vistax32
2009-02-09 17:08 . 2009-02-09 17:08 <DIR> d-------- c:\program files\Java
2009-02-09 17:08 . 2009-02-09 17:08 410,984 --a------ c:\windows\System32\deploytk.dll
2009-02-09 16:14 . 2009-02-10 13:12 54,065,146 --a------ c:\temp\TouchPadDriver_Alps&Synaptics_v7.0.1101.17&v10.0.15_Vistax32.zip
2009-02-09 15:48 . 2009-02-09 15:48 5,292,032 --a------ c:\temp\WLANdriver_Intel_4965&3495_v11.5.0.34_Vistax32.zip
2009-02-09 13:37 . 2008-04-26 08:26 891,448 --a------ c:\windows\System32\drivers\tcpip.sys
2009-02-09 13:04 . 2009-02-09 13:04 <DIR> d-------- C:\PerfLogs
2009-02-09 12:31 . 2009-02-09 12:32 <DIR> d-------- C:\c65d66b16543a52d73d1df6ff320d8
2009-02-09 11:36 . 2008-06-20 01:18 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2009-02-09 11:36 . 2008-06-20 01:17 622,080 --a------ c:\windows\System32\icardagt.exe
2009-02-09 11:36 . 2008-06-20 01:18 326,160 --a------ c:\windows\System32\PresentationHost.exe
2009-02-09 11:36 . 2008-06-20 01:18 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-02-09 11:36 . 2008-06-20 01:17 97,800 --a------ c:\windows\System32\infocardapi.dll
2009-02-09 11:36 . 2008-06-20 01:18 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2009-02-09 11:36 . 2008-06-20 01:17 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2009-02-09 11:36 . 2008-06-20 01:17 11,264 --a------ c:\windows\System32\icardres.dll
2009-02-09 11:33 . 2009-02-09 11:36 44,990,464 --a------ c:\windows\ocsetup_install_NetFx3.etl
2009-02-09 11:33 . 2009-02-09 11:36 49,152 --a------ c:\windows\ocsetup_cbs_install_NetFx3.perf
2009-02-09 11:33 . 2009-02-09 11:36 16,384 --a------ c:\windows\ocsetup_cbs_install_NetFx3.dpx
2009-02-09 11:27 . 2008-07-27 18:00 282,112 --a------ c:\windows\System32\mscoree.dll
2009-02-09 11:27 . 2008-07-27 18:00 96,760 --a------ c:\windows\System32\dfshim.dll
2009-02-09 11:27 . 2008-07-27 18:00 41,984 --a------ c:\windows\System32\netfxperf.dll
2009-02-09 11:26 . 2008-07-27 18:00 158,720 --a------ c:\windows\System32\mscorier.dll
2009-02-09 11:26 . 2008-07-27 18:00 83,968 --a------ c:\windows\System32\mscories.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-02 15:56 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-17 21:26 --------- d-----w c:\programdata\Microsoft Help
2009-02-17 21:25 --------- d-----w c:\program files\Microsoft Works
2009-02-13 14:41 --------- d-----w c:\program files\Safari
2009-02-13 14:39 --------- d-----w c:\program files\Common Files\Apple
2009-02-12 17:41 --------- d-----w c:\program files\Intel
2009-02-11 10:44 --------- d-----w c:\program files\Windows Mail
2009-02-10 13:20 100,418 ----a-w c:\windows\System32\Vxdif.dll
2009-02-10 13:14 163,376 ----a-w c:\windows\system32\drivers\Apfiltr.sys
2009-02-09 13:17 174 --sha-w c:\program files\desktop.ini
2009-02-09 13:08 --------- d-----w c:\program files\Windows Sidebar
2009-02-09 13:08 --------- d-----w c:\program files\Windows Photo Gallery
2009-02-09 13:08 --------- d-----w c:\program files\Windows Journal
2009-02-09 13:08 --------- d-----w c:\program files\Windows Defender
2009-02-09 13:08 --------- d-----w c:\program files\Windows Collaboration
2009-02-09 13:08 --------- d-----w c:\program files\Windows Calendar
2009-02-09 12:45 82,432 ----a-w c:\windows\System32\axaltocm.dll
2009-02-09 12:45 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2009-01-28 16:23 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-01-26 16:13 --------- d-----w c:\program files\Windows Live
2009-01-25 17:38 --------- d-----w c:\program files\Windows Live SkyDrive
2009-01-25 17:38 --------- d-----w c:\program files\Microsoft
2009-01-25 17:17 --------- d-----w c:\program files\Common Files\Windows Live
2008-12-17 16:49 3,328 ----a-w c:\users\Libby\AppData\Roaming\wklnhst.dat
2008-12-16 11:27 993,816 ----a-w c:\windows\System32\igxpun.exe
2008-12-12 11:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-12-12 11:11 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-12-02 22:37 49,480 ----a-w c:\windows\System32\sirenacm.dll
2008-12-02 12:49 8,198,680 ----a-w c:\windows\System32\TVWSetup.exe
2008-12-02 12:49 668,696 ----a-w c:\windows\System32\igfxcfg.exe
2008-12-02 12:49 252,952 ----a-w c:\windows\System32\igfxsrvc.exe
2008-12-02 12:49 173,592 ----a-w c:\windows\System32\hkcmd.exe
2008-12-02 12:49 172,568 ----a-w c:\windows\System32\igfxext.exe
2008-12-02 12:49 150,552 ----a-w c:\windows\System32\igfxpers.exe
2008-12-02 12:49 141,848 ----a-w c:\windows\System32\igfxtray.exe
2008-12-02 12:40 155,648 ----a-w c:\windows\System32\igfxCoIn_v1608.dll
2008-12-02 12:33 3,821,568 ----a-w c:\windows\System32\igdumd32.dll
2008-12-02 12:31 1,498,564 ----a-w c:\windows\System32\igkrng400.bin
2008-12-02 12:27 536,576 ----a-w c:\windows\System32\igdumdx32.dll
2008-12-02 12:22 2,580,480 ----a-w c:\windows\System32\igd10umd32.dll
2008-12-02 12:13 4,112,384 ----a-w c:\windows\System32\ig4icd32.dll
2008-12-02 12:13 2,674,688 ----a-w c:\windows\System32\ig4dev32.dll
2008-12-02 12:03 59,392 ----a-w c:\windows\System32\oemdspif.dll
2008-12-02 12:03 257,536 ----a-w c:\windows\System32\igfxTMM.dll
2008-12-02 12:03 23,552 ----a-w c:\windows\System32\igfxexps.dll
2008-12-02 12:03 200,192 ----a-w c:\windows\System32\igfxpph.dll
2008-12-02 12:02 94,208 ----a-w c:\windows\System32\hccutils.dll
2008-12-02 12:02 51,712 ----a-w c:\windows\System32\igfxsrvc.dll
2008-12-02 12:02 5,702,656 ----a-w c:\windows\System32\igfxress.dll
2008-12-02 12:02 210,432 ----a-w c:\windows\System32\igfxdev.dll
2008-12-02 12:02 130,048 ----a-w c:\windows\System32\igfxdo.dll
2008-12-02 12:00 319,456 ----a-w c:\windows\System32\difxapi.dll
2008-04-26 11:07 63,488 ----a-w c:\users\Libby\xobglu16.dll
2008-04-26 11:07 1,072,396 ----a-w c:\users\Libby\xobglu32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-05 171448]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-02 3882312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-06-27 752136]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2007-05-24 206952]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-06-11 1286144]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-05 185632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-09 148888]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-02-10 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-02 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-02 150552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-17 1601304]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 c:\windows\RtHDVCpl.exe]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-08-08 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll eNetHook.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3652E95A-13D0-406D-BD67-B11585A532B9}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{19A5E2DD-5873-4F5F-B880-E512C211D97E}"= c:\program files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician
"{29226A04-C324-4418-956C-28C554112675}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia
"{504B06D6-D6FC-479A-B22C-E33C004A55A6}"= c:\program files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard
"{770D06D2-6E9E-42E0-9D8F-78644D5452E2}"= c:\program files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
"{97278ED4-9B89-46E7-AE38-33278FF3DEA3}"= c:\program files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie
"{7FF9A90F-C786-4421-8822-70E8AD5CEC20}"= c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program
"{99DA96D0-89B7-4916-8643-1B9233F76FF0}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1E59D3C4-43ED-49D6-AC08-7A5E4279D144}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{131CE995-7771-4F88-A631-B21FC862FB6C}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{AE0759E5-0E2F-4043-B1EB-2048F5CA43E7}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{60427CFD-C331-4A81-A69D-357E993EC943}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{49AB2B26-994F-4237-8FC3-25D54539A9E5}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{72E03570-3976-48F3-BC23-AFFED6D510E6}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"{639A6C14-BA5E-458E-8858-2326BCADDB2F}"= UDP:c:\users\Libby\AppData\Local\Temp\7zS819D.tmp\SymNRT.exe:Norton Removal Tool
"{CC0DB1E3-99C9-4C59-AF23-08F50E21DFF9}"= TCP:c:\users\Libby\AppData\Local\Temp\7zS819D.tmp\SymNRT.exe:Norton Removal Tool

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-02-17 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2009-02-17 107272]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2007-09-22 03:34:41 13560]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-17 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-17 298264]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-02-17 1153368]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2007-08-08 179712]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [2007-08-08 32256]
S2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-08-08 50688]
.
Contents of the 'Scheduled Tasks' folder

2009-03-02 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-11-27 18:55]

2008-12-28 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-11-27 18:55]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Acer Tour Reminder - (no file)
HKLM-Run-ALaunch - c:\acer\ALaunch\AlaunchClient.exe
HKLM-Run-SetPanel - c:\acer\APanel\APanel.cmd
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.stardoll.com/en/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-02 16:13:48
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-02 16:17:07
ComboFix-quarantined-files.txt 2009-03-02 16:17:04

Pre-Run: 42,931,744,768 bytes free
Post-Run: 42,858,508,288 bytes free

251 --- E O F --- 2009-02-11 10:49:57



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:36:00, on 02/03/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\igfxext.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\trend micro\Libby.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stardoll.com/en/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/def...://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u1...=javadl.sun.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll eNetHook.dll
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9252 bytes


Thanks again

Sye

#6 Farbar

    Just Curious

  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 02 March 2009 - 01:16 PM

Sye,

Everything looks good, just a few final cleaning steps.
  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Go to start > run and copy and paste or type the next command in the field, then hit enter:

    ComboFix /u

    Note: There's a space between Combofix and /

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
    It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through system restore.
    The first reboot might be a little slow, the next one will be faster.

  • Your log looks clean. But your computer is still very much susceptible, in particular to hacking and intrusion from outside. If you are not behind a router I strongly advise you to install a firewall before surfing. The Windows firewall is not good enough. The Windows firewall provides protection from outside threats as long as the malware is not on your system. When the malware gets to your computer, the Windows firewall is no longer effective. You can find more information on firewalls below.
    Click for more information on: Understanding and Using Firewalls

    There are several good free programs available like:

    Sunbelt-Kerio
    (Note: You install the Sunbelt trial version but after the trial period it will revert back to free version.)

    Online Armor Free edition

  • I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings, and that will protect you from running and downloading known malicious programs. Update it manually (if you use the free version) once every 2-3 weeks and enable the restriction.

Please let me know if Combofix uninstalled properly.

Happy surfing!
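The two O2 lines Farbar singles out above are the pattern an analyst scans a HijackThis log for first: a BHO whose DLL no longer exists on disk ("(no file)") or that registered no display name. The script below is an added example, not code from this thread or from HijackThis, that parses O2 (BHO) and O4 (Run key) lines and flags those conditions, plus Run values that give a bare executable name rather than an absolute path (such values are resolved by a search of PATH and the system directories, so the file actually launched is not pinned down). The sample lines are a constructed subset copied from the log posted above; the regular expressions and function names are this example's own.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample: a subset of the O2/O4 lines from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
"""

# O2 - BHO: <name> - {CLSID} - <dll path, or "(no file)" when the DLL is missing>
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O4 - HKLM\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_hjt(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per recognised O2/O4 line; other HijackThis sections are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            yield {"type": "O2", **m.groupdict()}
            continue
        m = O4_RE.match(line)
        if m:
            yield {"type": "O4", **m.groupdict()}


def first_token(cmd: str) -> str:
    """Return the program part of a Run command line: the quoted path, or the first token."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(maxsplit=1)[0] if cmd else ""


def flag_entries(entries) -> List[Tuple[str, str]]:
    """Return (identifier, reason) pairs for entries that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e["type"] == "O2":
            if e["path"] == "(no file)":
                findings.append((e["clsid"], "BHO registered but its DLL is missing (orphan entry)"))
            elif e["name"] == "(no name)":
                findings.append((e["clsid"], "BHO registered without a display name"))
        else:
            prog = first_token(e["cmd"])
            # No drive-letter path: Windows locates the file by search order, not by a fixed location.
            if not re.match(r"^[A-Za-z]:\\", prog):
                findings.append((e["name"], "Run value gives a bare file name, not an absolute path"))
    return findings


def flag_hjt_log(text: str) -> List[Tuple[str, str]]:
    """Parse a HijackThis log and return the flagged entries."""
    return flag_entries(parse_hjt(text))


if __name__ == "__main__":
    for ident, reason in flag_hjt_log(SAMPLE_LOG):
        print(f"{ident}: {reason}")
```

Run it against a saved log with `flag_hjt_log(open("hijackthis.log").read())`. It only catches the mechanical conditions; the ShowBarObj entry Farbar also removes is an analyst judgement about the DLL itself, which a line parser cannot make, so the output is a triage list, not a verdict.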

#7 syekidorp
  • Topic Starter
  • Members
  • 33 posts

Posted 02 March 2009 - 08:14 PM

Hi farbar

The pc is running fine, but "MyWay.MyWebSearch" is still present according to Spybot.

Is there anything else I can try?

#8 Farbar

    Just Curious

  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 03 March 2009 - 10:59 AM

MyWebsearch is effectively removed from your computer. You may notice it when you don't get redirected or get pop-ups. But there are always harmless registry entries.

To make sure:
  • Please use Internet Explorer to perform a BitDefender Online Virus and Malware Scan
    • Click on I Agree.
    • Under SCANNING OPTIONS, under the Settings section click click here.
    • Under Action Options:
      • Select Disinfect.
      • Expand Second Option and select Delete.
      • Click OK.
    • Now Click On Start Scan. Please wait as it might take some time.
    • When it has finished, click Click here to export the scan report.
    • Give the report a name (like scanlog) and save it. The file will be scanlog.HTML
    • Please attach the file to your reply.
    • To attach the file press ADDREPLY, under the reply window press Browse... and show the path to the file on your computer.
    • Highlight the file and click Open then press the green UPLOAD button.

  • First, tell me whether you applied ResetTeaTimer.exe after disabling Teatimer. That was important to remove the entries saved by Teatimer.
    Also run Spybot and let it remove what it finds. Then provide me the log to remove what it can't remove:

    Go into Spybot > Mode > Advanced mode > Tools > View Reports > View Previous reports. Post the copy of the latest report.


#9 syekidorp
  • Topic Starter
  • Members
  • 33 posts

Posted 03 March 2009 - 01:59 PM

Hi farbar

Teatimer was reset as instructed.

Here is the Spybot log:

03.03.2009 18:30:17 - ##### check started #####
03.03.2009 18:30:17 - ### Version: 1.6.2
03.03.2009 18:30:17 - ### Date: 03/03/2009 18:30:17
03.03.2009 18:30:21 - ##### checking bots #####
03.03.2009 18:33:05 - found: MyWay.MyWebSearch Settings
03.03.2009 18:42:55 - ##### check finished #####

I have also attached the bitdefender log.

Thank you for your continued help.

Sye

#10 Farbar

    Just Curious

  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 03 March 2009 - 09:02 PM

The report doesn't say much other than that there are settings related to MyWay.MyWebSearch. There is no reference to any registry entry. Perhaps the reference is there when, after the scan, you get the option to remove what was found by Spybot.

Let's try a few things:
  • If you cannot find the following file, make sure that you can view all hidden and system files. Instructions on how to do this can be found here: How to see hidden files in Windows

    Click on this link--> virustotal

    Click the browse button and navigate to the file below in bold, then click Send File.

    Windows\System32\drivers\tcpip.sys

    If the file has been analyzed before, click the Reanalyse File Now button.
    Please copy and paste the results of the scan in your next post.

  • To remove temporary files, disable browser add-ons, and reset all the changed settings:
    • Close all the open windows.
    • Go to start > Control Panel.
    • Open Internet Options.
    • Click the Advanced tab, and then click Reset.
    • Click Reset again and OK.
  • Please use Internet Explorer to perform a BitDefender Online Virus and Malware Scan
    • Click on I Agree.
    • Under SCANNING OPTIONS, under the Settings section click click here.
    • Under Action Options:
      • Select Disinfect.
      • Expand Second Option and select Delete.
      • Click OK.
    • Now Click On Start Scan. Please wait as it might take some time.
    • When it has finished, click Click here to export the scan report.
    • Give the report a name (like scanlog) and save it. The file will be scanlog.HTML
    • Please attach the file to your reply.
    • To attach the file press ADDREPLY, under the reply window press Browse... and show the path to the file on your computer.
    • Highlight the file and click Open then press the green UPLOAD button.
  • Run Spybot; after finishing the scan and before removing anything, note down the registry entries found.


#11 syekidorp
  • Topic Starter
  • Members
  • 33 posts

Posted 04 March 2009 - 03:10 PM

Hi farbar

Here is the VirusTotal log:

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.04 -
AhnLab-V3 5.0.0.2 2009.02.27 -
AntiVir 7.9.0.98 2009.03.04 -
Authentium 5.1.0.4 2009.03.04 -
Avast 4.8.1335.0 2009.03.04 -
AVG 8.0.0.237 2009.03.04 -
BitDefender 7.2 2009.03.04 -
CAT-QuickHeal 10.00 2009.03.04 -
ClamAV 0.94.1 2009.03.04 -
Comodo 1025 2009.03.04 -
DrWeb 4.44.0.09170 2009.03.04 -
eSafe 7.0.17.0 2009.03.04 -
eTrust-Vet 31.6.6381 2009.03.03 -
F-Prot 4.4.4.56 2009.03.04 -
F-Secure 8.0.14470.0 2009.03.04 -
Fortinet 3.117.0.0 2009.03.04 -
GData 19 2009.03.04 -
Ikarus T3.1.1.45.0 2009.03.04 -
K7AntiVirus 7.10.656 2009.03.03 -
Kaspersky 7.0.0.125 2009.03.04 -
McAfee 5542 2009.03.03 -
McAfee+Artemis 5542 2009.03.03 -
Microsoft 1.4405 2009.03.04 -
NOD32 3907 2009.03.04 -
Norman 6.00.06 2009.03.03 -
nProtect 2009.1.8.0 2009.03.04 -
Panda 10.0.0.10 2009.03.04 -
PCTools 4.4.2.0 2009.03.04 -
Prevx1 V2 2009.03.04 -
Rising 21.19.22.00 2009.03.04 -
SecureWeb-Gateway 6.7.6 2009.03.04 -
Sophos 4.39.0 2009.03.04 -
Sunbelt 3.2.1858.2 2009.03.02 -
Symantec 10 2009.03.04 -
TheHacker 6.3.2.7.271 2009.03.03 -
TrendMicro 8.700.0.1004 2009.03.04 -
VBA32 3.12.10.1 2009.03.03 suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics)
ViRobot 2009.3.4.1634 2009.03.04 -
VirusBuster 4.5.11.0 2009.03.03 -
Additional information
File size: 891448 bytes
MD5...: 82e266bee5f0167e41c6ecfdd2a79c02
SHA1..: f633629656e43452aa08611f0f72d24a46e7441c
SHA256: 1f462e882a662b2a133df035c435001b2ef6364f49a9ed6a6d98bd643093b666
SHA512: 68d9b06394cbedac12e7f7614e869a23d19e1b192d7073b54da9b52dce107b0aa3728e42daadb142012dbe75c99c8804c3546d3d06b9cb37d10ba7548051e565
ssdeep: 24576:AU8e8jAyOLkAnwNfH7QijBpVptQ9xtoYA8pk2NoahI/9+6lG:XBmpExtUGzh

PEiD..: -
TrID..: File type identification
Win64 Executable Generic (87.2%)
Win32 Executable Generic (8.6%)
Generic Win/DOS Executable (2.0%)
DOS Executable Generic (2.0%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xdb1b9
timedatestamp.....: 0x4812c4f1 (Sat Apr 26 06:00:17 2008)
machinetype.......: 0x14c (I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xb845a 0xb8600 6.56 00a1233fe9746187447652d7dc3ffbc6
.rdata 0xba000 0xa624 0xa800 5.96 493d852e4c61e97ecccb7c0f9ef00453
.data 0xc5000 0x127bc 0x8200 0.73 4b04e70641bc018f3bb3ecfe21d14085
PAGE 0xd8000 0x998 0xa00 6.24 adb86400cc1779d55c23b4541ed877a5
.edata 0xd9000 0x49 0x200 0.85 bc4f6499041f7ae6ccd4f9bc34c9a0a6
PAGECONS 0xda000 0x78 0x200 1.25 c38c1652cc4ccd80c9fa5a4b7fd44dce
INIT 0xdb000 0x3e4a 0x4000 5.86 ae6a9304fa92558ccc9e7b58b71aea61
.rsrc 0xdf000 0x3e0 0x400 3.35 26021db0eb5acfd57a42b734b5c2a9bd
.reloc 0xe0000 0x6b2c 0x6c00 6.77 652655dbea4ffa2f4b600805faa41e67

( 8 imports )
> ntoskrnl.exe: MmUserProbeAddress, PsGetCurrentProcessId, ExAcquireResourceExclusiveLite, KeEnterCriticalRegion, KeLeaveCriticalRegion, ExReleaseResourceLite, ExDeleteResourceLite, ExInitializeResourceLite, RtlUnwind, RtlAnsiCharToUnicodeChar, MmProbeAndLockPages, RtlInitializeBitMap, RtlSetBit, RtlSetBits, ExInitializeLookasideListEx, ExDeleteLookasideListEx, KeBugCheckEx, DbgPrint, RtlEqualSid, RtlSubAuthoritySid, SeQueryInformationToken, ObOpenObjectByPointer, ZwQueryInformationToken, ExGetPreviousMode, ExUuidCreate, ExAllocatePoolWithQuotaTag, KeTickCount, IoGetCurrentProcess, KeInitializeMutex, KeBugCheck, KeDelayExecutionThread, SeSetAuditParameter, SeReportSecurityEventWithSubCategory, DbgBreakPoint, MmSizeOfMdl, MmUnmapLockedPages, ObLogSecurityDescriptor, SeCaptureSubjectContextEx, SeLockSubjectContext, IoGetFileObjectGenericMapping, SeAccessCheck, SeUnlockSubjectContext, SeReleaseSubjectContext, RtlCreateSecurityDescriptor, SeExports, RtlLengthSid, RtlCreateAcl, RtlAddAccessAllowedAceEx, RtlSetDaclSecurityDescriptor, ExInterlockedFlushSList, KeInitializeSemaphore, ExAllocatePoolWithTagPriority, MmUnlockPages, RtlVerifyVersionInfo, KeInitializeTimerEx, ExGetCurrentProcessorCounts, KeSetTimerEx, KeQueryActiveProcessors, KeQueryInterruptTime, KeFlushQueuedDpcs, KeCancelTimer, KeInitializeDpc, KeSetTargetProcessorDpc, KeSetImportanceDpc, KeWaitForMultipleObjects, KeInsertQueueDpc, IoAllocateWorkItem, IoQueueWorkItem, IoFreeWorkItem, MmBuildMdlForNonPagedPool, KeQueryMaximumProcessorCount, RtlInitializeGenericTableAvl, RtlGetVersion, KeQuerySystemTime, RtlLookupElementGenericTableFullAvl, ObDereferenceSecurityDescriptor, IoAllocateErrorLogEntry, IoWriteErrorLogEntry, ExNotifyCallback, KeIsExecutingDpc, PsGetProcessSessionId, InterlockedPushEntrySList, InterlockedPopEntrySList, KefAcquireSpinLockAtDpcLevel, IoAllocateMdl, IoBuildPartialMdl, KefReleaseSpinLockFromDpcLevel, IoFreeMdl, PsGetProcessId, MmMapLockedPagesSpecifyCache, ZwQuerySystemInformation, 
KeTestSpinLock, KeAcquireInStackQueuedSpinLockAtDpcLevel, KeReleaseInStackQueuedSpinLockFromDpcLevel, ObReferenceSecurityDescriptor, KeReleaseSemaphore, ExCreateCallback, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, ObfReferenceObject, PsGetCurrentProcess, PsIsSystemThread, PsGetThreadProcess, KeGetCurrentThread, KeInitializeEvent, KeSetEvent, RtlEnumerateGenericTableLikeADirectory, RtlIpv4AddressToStringExW, RtlIpv6AddressToStringExW, RtlTimeToTimeFields, ExDeleteNPagedLookasideList, ExInitializeNPagedLookasideList, RtlLengthRequiredSid, RtlInitializeSid, RtlAddAccessAllowedAce, ObSetSecurityObjectByPointer, IoCreateDevice, IoDeleteDevice, KeWaitForSingleObject, KeQueryActiveProcessorCount, KeReleaseMutex, ZwOpenEvent, ObReferenceObjectByHandle, ZwClose, ObfDereferenceObject, KeReadStateEvent, IofCompleteRequest, IofCallDriver, IoWMIRegistrationControl, RtlCompareMemory, RtlInitUnicodeString, MmGetSystemRoutineAddress, RtlValidSid, RtlCopySid, ZwEnumerateKey, ObCloseHandle, RtlIpv4StringToAddressW, RtlIpv6StringToAddressW, RtlIntegerToUnicodeString, RtlConvertSidToUnicodeString, RtlFreeUnicodeString, ZwQueryValueKey, RtlUnicodeStringToInteger, ZwOpenKey, RtlCompareUnicodeString, PsSetCreateProcessNotifyRoutineEx, SeLocateProcessImageName, ZwCreateFile, RtlDowncaseUnicodeString, ZwOpenProcess, KeStackAttachProcess, ZwDuplicateToken, KeUnstackDetachProcess, IoDeleteSymbolicLink, IoCreateSymbolicLink, KeQueryTimeIncrement, PsReferenceImpersonationToken, PsDereferencePrimaryToken, PsReferencePrimaryToken, VerSetConditionMask, RtlFindSetBits, RtlAreBitsClear, RtlFindClearBits, RtlClearBits, ExAcquireResourceSharedLite, RtlClearBit, RtlClearAllBits, SeOpenObjectAuditAlarmForNonObObject, RtlTestBit, PsDereferenceImpersonationToken, RtlQueryRegistryValues, memset, memcpy, ExAllocatePoolWithTag, IoWMIWriteEvent, RtlSubAuthorityCountSid, ExFreePoolWithTag


Here is the Spybot report:

--- Report generated: 2009-03-04 18:59 ---

MyWay.MyWebSearch: [SBI $205CC8F2] Settings (Registry key, fixing failed)
HKEY_USERS\S-1-5-21-2172623895-1235483766-726587420-1000\Software\FunWebProducts

DoubleClick: Tracking cookie (Internet Explorer: Libby) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2009-02-17 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-01-22 Includes\Adware.sbi (*)
2009-01-22 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-01-06 Includes\Dialer.sbi (*)
2009-01-22 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-02-10 Includes\Hijackers.sbi (*)
2009-02-10 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2009-02-03 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2009-02-10 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2009-02-10 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-02-10 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-01-28 Includes\Spyware.sbi (*)
2009-01-28 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2009-02-03 Includes\Trojans.sbi (*)
2009-02-10 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


BitDefender found nothing, so I didn't attach it.

Thanks for sticking with me.

Cheers

Sye

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:29 AM

Posted 05 March 2009 - 11:33 AM

Good job.

We need Combofix once more:
  • Download ComboFix from one of these locations and save it to your desktop but don't run it:

    Link 1
    Link 2
    Link 3

  • Close any open browsers.

    Open notepad and copy/paste the text in the code box below into it:

    Reglock::
    [HKEY_USERS\S-1-5-21-2172623895-1235483766-726587420-1000\Software\FunWebProducts]
    Registry::
    [-HKEY_USERS\S-1-5-21-2172623895-1235483766-726587420-1000\Software\FunWebProducts]

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  • Now run Spybot S&D and tell me if there is any leftover.


#13 syekidorp

syekidorp
  • Topic Starter

  • Members
  • 33 posts
  • Local time:02:29 AM

Posted 05 March 2009 - 12:42 PM

Hi Farbar

Success!

Spybot reports the PC is clear.

Here is the ComboFix report as requested:

ComboFix 09-03-04.01 - Libby 2009-03-05 17:10:38.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013.275 [GMT 0:00]
Running from: c:\users\Libby\Desktop\ComboFix.exe
Command switches used :: c:\users\Libby\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))
.

2009-03-03 16:11 . 2009-03-04 15:07 <DIR> d-------- c:\windows\BDOSCAN8
2009-03-02 15:55 . 2009-03-02 15:55 <DIR> d-------- c:\users\All Users\NortonInstaller
2009-03-02 15:55 . 2009-03-02 15:55 <DIR> d-------- c:\programdata\NortonInstaller
2009-03-01 18:37 . 2009-03-01 18:38 <DIR> d-------- C:\rsit
2009-03-01 18:37 . 2009-03-02 20:07 <DIR> d-------- c:\program files\trend micro
2009-02-17 20:35 . 2009-02-17 20:35 <DIR> d-------- c:\temp\rootalyz-0.2.1.35
2009-02-17 20:34 . 2009-02-17 20:35 1,039,963 --a------ c:\temp\rootalyz-0.2.1.35.zip
2009-02-17 16:44 . 2009-02-17 16:51 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2009-02-17 16:44 . 2009-02-17 16:51 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2009-02-17 16:44 . 2009-02-17 16:45 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-17 16:37 . 2009-03-05 13:29 <DIR> d-------- c:\windows\System32\drivers\Avg
2009-02-17 16:37 . 2009-02-17 16:37 325,128 --a------ c:\windows\System32\drivers\avgldx86.sys
2009-02-17 16:37 . 2009-02-17 16:37 107,272 --a------ c:\windows\System32\drivers\avgtdix.sys
2009-02-17 16:37 . 2009-02-17 16:37 10,520 --a------ c:\windows\System32\avgrsstx.dll
2009-02-17 16:36 . 2009-02-17 16:36 <DIR> d-------- c:\users\All Users\avg8
2009-02-17 16:36 . 2009-02-17 16:36 <DIR> d-------- c:\programdata\avg8
2009-02-17 16:36 . 2009-02-17 16:36 <DIR> d-------- c:\program files\AVG
2009-02-17 16:33 . 2009-02-17 16:33 16,409,960 --a------ c:\temp\spybotsd162.exe
2009-02-17 16:02 . 2009-02-17 16:02 59,981,528 --a------ c:\temp\avg_free_stf_en_8_233a1415.exe
2009-02-13 15:48 . 2009-02-13 15:48 <DIR> d-------- c:\users\Libby\DoctorWeb
2009-02-13 14:39 . 2009-02-13 14:39 <DIR> d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-13 14:39 . 2009-02-13 14:39 <DIR> d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-13 14:39 . 2009-02-13 14:39 <DIR> d-------- c:\program files\iTunes
2009-02-13 14:39 . 2009-02-13 14:39 <DIR> d-------- c:\program files\iPod
2009-02-13 14:36 . 2009-02-13 14:37 <DIR> d-------- c:\program files\QuickTime
2009-02-13 14:31 . 2009-02-13 14:31 <DIR> d-------- c:\program files\Bonjour
2009-02-12 22:05 . 2009-02-12 22:05 <DIR> d-------- c:\users\All Users\SUPERAntiSpyware.com
2009-02-12 22:05 . 2009-02-12 22:05 <DIR> d-------- c:\programdata\SUPERAntiSpyware.com
2009-02-12 22:03 . 2009-02-17 16:08 <DIR> d-------- c:\users\Libby\AppData\Roaming\SUPERAntiSpyware.com
2009-02-12 22:03 . 2009-02-17 16:08 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-12 17:41 . 2008-12-02 12:04 398,336 --a------ c:\windows\System32\TVWizudlg.exe
2009-02-12 17:41 . 2008-12-02 12:03 140,288 --a------ c:\windows\System32\igfxtvcx.dll
2009-02-12 17:23 . 2009-02-12 17:23 21,879,664 --a------ c:\temp\winvista_15121.exe
2009-02-12 17:21 . 2009-02-12 17:21 <DIR> d-------- c:\program files\SystemRequirementsLab
2009-02-12 16:26 . 2009-02-12 16:26 <DIR> d-------- c:\program files\Apoint2K
2009-02-11 19:50 . 2009-02-11 19:50 <DIR> d-------- c:\users\Libby\AppData\Roaming\Malwarebytes
2009-02-11 19:49 . 2009-02-11 19:49 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-02-11 19:49 . 2009-02-11 19:49 <DIR> d-------- c:\programdata\Malwarebytes
2009-02-11 10:49 . 2009-02-11 10:49 118 --a------ c:\windows\System32\MRT.INI
2009-02-11 10:43 . 2008-12-05 04:32 428,544 --a------ c:\windows\System32\EncDec.dll
2009-02-11 10:43 . 2008-12-05 04:32 293,376 --a------ c:\windows\System32\psisdecd.dll
2009-02-11 10:43 . 2008-12-05 04:31 217,088 --a------ c:\windows\System32\psisrndr.ax
2009-02-11 10:43 . 2008-12-05 04:31 177,664 --a------ c:\windows\System32\mpg2splt.ax
2009-02-11 10:43 . 2008-12-05 04:31 80,896 --a------ c:\windows\System32\MSNP.ax
2009-02-11 10:36 . 2009-01-15 06:11 827,392 --a------ c:\windows\System32\wininet.dll
2009-02-11 10:35 . 2009-01-15 03:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-10 18:07 . 2009-02-10 18:08 <DIR> d-------- c:\temp\Audio_Realtek_v6.0.1.5477_Vistax32
2009-02-10 17:42 . 2009-02-10 17:43 39,686,587 --a------ c:\temp\Audio_Realtek_v6.0.1.5477_Vistax32.zip
2009-02-10 13:13 . 2009-02-10 13:13 <DIR> d-------- c:\temp\TouchPadDriver_Alps&Synaptics_v7.0.1101.17&v10.0.15_Vistax32
2009-02-09 17:08 . 2009-02-09 17:08 <DIR> d-------- c:\program files\Java
2009-02-09 17:08 . 2009-02-09 17:08 410,984 --a------ c:\windows\System32\deploytk.dll
2009-02-09 16:14 . 2009-02-10 13:12 54,065,146 --a------ c:\temp\TouchPadDriver_Alps&Synaptics_v7.0.1101.17&v10.0.15_Vistax32.zip
2009-02-09 15:48 . 2009-02-09 15:48 5,292,032 --a------ c:\temp\WLANdriver_Intel_4965&3495_v11.5.0.34_Vistax32.zip
2009-02-09 13:37 . 2008-04-26 08:26 891,448 --a------ c:\windows\System32\drivers\tcpip.sys
2009-02-09 13:04 . 2009-02-09 13:04 <DIR> d-------- C:\PerfLogs
2009-02-09 12:31 . 2009-02-09 12:32 <DIR> d-------- C:\c65d66b16543a52d73d1df6ff320d8
2009-02-09 11:36 . 2008-06-20 01:18 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2009-02-09 11:36 . 2008-06-20 01:17 622,080 --a------ c:\windows\System32\icardagt.exe
2009-02-09 11:36 . 2008-06-20 01:18 326,160 --a------ c:\windows\System32\PresentationHost.exe
2009-02-09 11:36 . 2008-06-20 01:18 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-02-09 11:36 . 2008-06-20 01:17 97,800 --a------ c:\windows\System32\infocardapi.dll
2009-02-09 11:36 . 2008-06-20 01:18 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2009-02-09 11:36 . 2008-06-20 01:17 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2009-02-09 11:36 . 2008-06-20 01:17 11,264 --a------ c:\windows\System32\icardres.dll
2009-02-09 11:33 . 2009-02-09 11:36 44,990,464 --a------ c:\windows\ocsetup_install_NetFx3.etl
2009-02-09 11:33 . 2009-02-09 11:36 49,152 --a------ c:\windows\ocsetup_cbs_install_NetFx3.perf
2009-02-09 11:33 . 2009-02-09 11:36 16,384 --a------ c:\windows\ocsetup_cbs_install_NetFx3.dpx
2009-02-09 11:27 . 2008-07-27 18:00 282,112 --a------ c:\windows\System32\mscoree.dll
2009-02-09 11:27 . 2008-07-27 18:00 96,760 --a------ c:\windows\System32\dfshim.dll
2009-02-09 11:27 . 2008-07-27 18:00 41,984 --a------ c:\windows\System32\netfxperf.dll
2009-02-09 11:26 . 2008-07-27 18:00 158,720 --a------ c:\windows\System32\mscorier.dll
2009-02-09 11:26 . 2008-07-27 18:00 83,968 --a------ c:\windows\System32\mscories.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-02 15:56 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-17 21:26 --------- d-----w c:\programdata\Microsoft Help
2009-02-17 21:25 --------- d-----w c:\program files\Microsoft Works
2009-02-13 14:41 --------- d-----w c:\program files\Safari
2009-02-13 14:39 --------- d-----w c:\program files\Common Files\Apple
2009-02-12 17:41 --------- d-----w c:\program files\Intel
2009-02-11 10:44 --------- d-----w c:\program files\Windows Mail
2009-02-10 13:20 100,418 ----a-w c:\windows\System32\Vxdif.dll
2009-02-10 13:14 163,376 ----a-w c:\windows\system32\drivers\Apfiltr.sys
2009-02-09 13:17 174 --sha-w c:\program files\desktop.ini
2009-02-09 13:08 --------- d-----w c:\program files\Windows Sidebar
2009-02-09 13:08 --------- d-----w c:\program files\Windows Photo Gallery
2009-02-09 13:08 --------- d-----w c:\program files\Windows Journal
2009-02-09 13:08 --------- d-----w c:\program files\Windows Defender
2009-02-09 13:08 --------- d-----w c:\program files\Windows Collaboration
2009-02-09 13:08 --------- d-----w c:\program files\Windows Calendar
2009-02-09 12:45 82,432 ----a-w c:\windows\System32\axaltocm.dll
2009-02-09 12:45 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2009-01-28 16:23 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-01-26 16:13 --------- d-----w c:\program files\Windows Live
2009-01-25 17:38 --------- d-----w c:\program files\Windows Live SkyDrive
2009-01-25 17:38 --------- d-----w c:\program files\Microsoft
2009-01-25 17:17 --------- d-----w c:\program files\Common Files\Windows Live
2008-12-17 16:49 3,328 ----a-w c:\users\Libby\AppData\Roaming\wklnhst.dat
2008-12-16 11:27 993,816 ----a-w c:\windows\System32\igxpun.exe
2008-12-12 11:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-12-12 11:11 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-04-26 11:07 63,488 ----a-w c:\users\Libby\xobglu16.dll
2008-04-26 11:07 1,072,396 ----a-w c:\users\Libby\xobglu32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-05 171448]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-02 3882312]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-06-27 752136]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2007-05-24 206952]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-06-11 1286144]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-05 185632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-09 148888]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-02-10 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-02 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-02 150552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-17 1601304]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 c:\windows\RtHDVCpl.exe]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-08-08 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll eNetHook.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3652E95A-13D0-406D-BD67-B11585A532B9}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{19A5E2DD-5873-4F5F-B880-E512C211D97E}"= c:\program files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician
"{29226A04-C324-4418-956C-28C554112675}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia
"{504B06D6-D6FC-479A-B22C-E33C004A55A6}"= c:\program files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard
"{770D06D2-6E9E-42E0-9D8F-78644D5452E2}"= c:\program files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
"{97278ED4-9B89-46E7-AE38-33278FF3DEA3}"= c:\program files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie
"{7FF9A90F-C786-4421-8822-70E8AD5CEC20}"= c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program
"{99DA96D0-89B7-4916-8643-1B9233F76FF0}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1E59D3C4-43ED-49D6-AC08-7A5E4279D144}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{131CE995-7771-4F88-A631-B21FC862FB6C}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{AE0759E5-0E2F-4043-B1EB-2048F5CA43E7}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{60427CFD-C331-4A81-A69D-357E993EC943}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{49AB2B26-994F-4237-8FC3-25D54539A9E5}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{72E03570-3976-48F3-BC23-AFFED6D510E6}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"{639A6C14-BA5E-458E-8858-2326BCADDB2F}"= UDP:c:\users\Libby\AppData\Local\Temp\7zS819D.tmp\SymNRT.exe:Norton Removal Tool
"{CC0DB1E3-99C9-4C59-AF23-08F50E21DFF9}"= TCP:c:\users\Libby\AppData\Local\Temp\7zS819D.tmp\SymNRT.exe:Norton Removal Tool

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-02-17 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2009-02-17 107272]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2007-09-22 03:34:41 13560]
R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-08-08 50688]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-17 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-17 298264]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-02-17 1153368]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2007-08-08 179712]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [2007-08-08 32256]
.
Contents of the 'Scheduled Tasks' folder

2009-03-05 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-11-27 18:55]

2008-12-28 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-11-27 18:55]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Acer Tour Reminder - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-05 17:14:37
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1336)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
.
Completion time: 2009-03-05 17:16:59
ComboFix-quarantined-files.txt 2009-03-05 17:16:53
ComboFix2.txt 2009-03-02 16:34:58

Pre-Run: 39,752,392,704 bytes free
Post-Run: 39,619,608,576 bytes free

224 --- E O F --- 2009-02-11 10:49:57


regards

Sye
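As an added example that is not part of this thread and not ComboFix's own code, the Python below parses the Run-key and firewall-rule lines in the format ComboFix printed in the log above and attaches the triage notes a helper would check first: a persistent entry pointing into a Temp folder, a value that is a bare executable name (ComboFix then prints the resolved path inside the brackets), and an 8.3 short path that should be expanded before comparing with known-good locations. The sample lines are a constructed subset copied from the log above; the flag names and the `Entry` layout are my own.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed subset of the "Reg Loading Points" lines from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-06-27 752136]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 c:\windows\RtHDVCpl.exe]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{639A6C14-BA5E-458E-8858-2326BCADDB2F}"= UDP:c:\users\Libby\AppData\Local\Temp\7zS819D.tmp\SymNRT.exe:Norton Removal Tool
"{49AB2B26-994F-4237-8FC3-25D54539A9E5}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"""


class Entry(NamedTuple):
    key: str             # registry key the line sits under
    name: str            # value name, or the firewall rule GUID
    path: str            # executable path as ComboFix resolved it
    date: Optional[str]  # file date ComboFix printed, if any
    size: Optional[int]  # file size in bytes, if any
    flags: tuple         # triage notes produced by triage()


KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"="value" [YYYY-MM-DD size]   or   "Name"="bare.exe" [YYYY-MM-DD resolved-path]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<rest>[^\]]+)\]$')
# "{GUID}"= [TCP:|UDP:]path:description   (path is a drive-letter path without further colons)
FW_RE = re.compile(
    r'^"(?P<name>\{[0-9A-Fa-f-]+\})"= (?:(?:TCP|UDP):)?(?P<path>[A-Za-z]:\\[^:]*):(?P<desc>.*)$')

# Folders where a persistent autostart or firewall entry deserves a second look.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def triage(value: str, path: str) -> tuple:
    """Return the triage notes for one entry (flag names are this example's own)."""
    notes = []
    low = path.lower()
    if any(marker in low for marker in TEMP_MARKERS):
        notes.append("runs-from-temp")    # persistent entry pointing into a temp folder
    if "\\" not in value:
        notes.append("bare-name")         # no path in the value; resolution depends on search order
    if "~" in low:
        notes.append("short-8.3-name")    # expand before comparing with known-good paths
    return tuple(notes)


def parse(log: str) -> List[Entry]:
    """Parse ComboFix Run-key and FirewallRules lines into Entry records."""
    entries, key = [], ""
    for raw in log.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = RUN_RE.match(line)
        if m:
            value, rest = m.group("value"), m.group("rest")
            if rest.isdigit():            # normal entry: the bracket holds the file size
                path, size = value, int(rest)
            else:                         # bare-name entry: the bracket holds the resolved path
                path, size = rest, None
            entries.append(Entry(key, m.group("name"), path, m.group("date"), size,
                                 triage(value, path)))
            continue
        m = FW_RE.match(line)
        if m:
            path = m.group("path")
            entries.append(Entry(key, m.group("name"), path, None, None, triage(path, path)))
    return entries


def suspicious(entries: List[Entry]) -> List[Entry]:
    """Entries to confirm first: anything carrying the 'runs-from-temp' note."""
    return [e for e in entries if "runs-from-temp" in e.flags]


if __name__ == "__main__":
    for e in parse(SAMPLE_LOG):
        print(f"{e.name:45} {e.path:70} {' '.join(e.flags)}")
```

On this log the only entry flagged as running from a Temp folder is the Norton Removal Tool's firewall rule, which is benign here but is exactly the kind of entry worth confirming rather than skimming past.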

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:29 AM

Posted 05 March 2009 - 12:59 PM

Good news. Now uninstall ComboFix:

Go to Start > Run, copy and paste or type the next command in the field, then hit Enter:

ComboFix /u


Happy surfing Sye!

#15 syekidorp

syekidorp
  • Topic Starter

  • Members
  • 33 posts
  • Local time:02:29 AM

Posted 05 March 2009 - 01:36 PM

Thanks for all your help, Farbar. Great job.

I think we can call this resolved now.

Cheers.

Sye



