|
Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs |
![]() |
|
Topic Tools |
#1
|
|||
|
|||
Need help removing malware (HJT + malwarebytes antimalware logs inside)
Hello all, it has been a few years since I have been on here. I have a new virus that I am having trouble getting rid of and hopefully one of you can help me. Here is what is going on:
It started last night with an error message saying some sort of windows service could not start and each time I restarted more error messages would appear. I ran a full scan of malware anti bytes and removed the entries twice, once just from my desktop and once in safemode. After running it in safemode and removing the entries I tried to start windows and windows (vista) said that it could not be activated and partial functionality was restored, meaning I had a web browser and nothing else. I got back to regular windows by loading last known good configuration. So any help is appreciated. Also when I scanned with malware antibytes this time it didn't show up, but last time backdoor.bot was also one of the listed infections. If you require more info don't hesitate to ask. Any help or suggestions are appreciated. Malware antibyes log Malwarebytes' Anti-Malware 1.40 Database version: 2701 Windows 6.0.6001 Service Pack 1 26/08/2009 3:03:48 PM mbam-log-2009-08-26 (15-03-38).txt Scan type: Quick Scan Objects scanned: 86140 Time elapsed: 8 minute(s), 23 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 11 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> No action taken. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Windows\Temp\VRT25E7.tmp (Trojan.Agent) -> No action taken. C:\Windows\Temp\VRT2EFB.tmp (Trojan.Agent) -> No action taken. C:\Windows\Temp\VRT336E.tmp (Trojan.Agent) -> No action taken. C:\Windows\Temp\VRT3CE0.tmp (Trojan.Agent) -> No action taken. C:\Windows\Temp\VRT7BC4.tmp (Trojan.Agent) -> No action taken. C:\Windows\Temp\VRT8A17.tmp (Trojan.Agent) -> No action taken. C:\Windows\Temp\VRT973F.tmp (Trojan.Agent) -> No action taken. C:\Windows\Temp\VRT9B06.tmp (Trojan.Agent) -> No action taken. C:\Windows\Temp\VRTAE57.tmp (Trojan.Agent) -> No action taken. C:\Windows\Temp\VRTE8A9.tmp (Trojan.Agent) -> No action taken. C:\Windows\Temp\VRTF890.tmp (Trojan.Agent) -> No action taken. HIJACKTHIS Log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:05:34 PM, on 26/08/2009 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v7.00 (7.00.6001.18294) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskeng.exe C:\Windows\system32\wermgr.exe C:\Windows\PLFSetL.exe C:\Windows\PLFSetI.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe C:\Program Files\Launch Manager\LManager.exe C:\Program Files\Java\jre6\bin\jusched.exe D:\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Wallpaper Master\Wallpaper.exe C:\Users\Owner\AppData\Local\Google\Update\GoogleU pdate.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Windows\System32\SLUI.exe C:\Windows\System32\SLLUA.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Users\Owner\AppData\Local\Temp\710.exe C:\Users\Owner\AppData\Local\Temp\940.exe C:\Windows\system32\WerFault.exe C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE C:\Windows\system32\WerFault.exe C:\Windows\system32\WerFault.exe C:\Windows\system32\wbem\unsecapp.exe C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE C:\Windows\system32\WerFault.exe C:\Windows\system32\WerFault.exe C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EX E C:\Windows\system32\WerFault.exe C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Users\Owner\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.ca.acer.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.ca.acer.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.ca.acer.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file) O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe O4 - HKLM\..\Run: [PLFSetL] C:\Windows\PLFSetL.exe O4 - HKLM\..\Run: [PLFSetI] C:\Windows\PLFSetI.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer\Acer Registration\ACE1.exe" /startup O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [Redemption] "\RunRedem.exe" /STARTUP O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [UVS12 Preload] C:\Program Files\Corel\Corel VideoStudio 12\uvPL.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun O4 - HKLM\..\Run: [WallpaperChanger] C:\Program Files\Wallpaper Master\Wallpaper.exe -startup O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\Google Update.exe" /c O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - Global Startup: Empowering Technology Launcher.lnk = ? O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200 O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office12\EXCEL.EXE/3000 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL O13 - Gopher Prefix: O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: AWinNotifyVitaKey MC3000 - C:\Windows\ O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe - Also, in case this helps, the error messages i am getting upon startup this time are as follows (They have been different each time though): acer empowering techonology (in the error message technology is spelled that way) framework launcher has stopped working acer epower management dmc has stopped working acer enet tray has stopped working 940.exe has stopped working 710.exe has stopped working catalyst control center monitoring program has stopped working eRecoveryService stopped working and was closed windows activation error A problem occurred when windows tried to activate Error code 0x80070426 |
#2
|
||||
|
||||
Hello sadgoat,
Infection is showing here. Let's get more details and then start some repairs. To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs. Open HijackThis, and choose None of the above, just start the program. Click Config – Misc Tools – Open process manager. From the list, click each of the following if it is present, and Kill Process. Close HijackThis. C:\Windows\system32\wermgr.exe C:\Users\Owner\AppData\Local\Temp\710.exe C:\Users\Owner\AppData\Local\Temp\940.exe C:\Windows\system32\WerFault.exe ------------- Download RSIT (random's system information tool) from here to your desktop, then click on the RSIT.exe to start the scan. If necessary allow it to locate or download a copy of HijackThis as needed. Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt. RSIT will also create a second log, info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt). You can break logs into parts and use separate posts here when replying and posting the log files, if needed. -------------- Also click here and download the installer for Gmer to your desktop, then click that file to run Gmer. If on it's opening scan Gmer locates items shown in red or indicates "hidden" or "rootkit", stop there, and click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please. We don't want any crashes just from taking an initial look at things. If not, then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan). When completed, click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please. |
#3
|
|||
|
|||
RSIT LOG Part 1
Logfile of random's system information tool 1.06 (written by random/random) Run by Owner at 2009-08-26 17:33:22 Microsoft® Windows Vista™ Home Premium Service Pack 1 System drive C: has 2 GB (4%) free of 52 GB Total RAM: 1789 MB (53% free) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:33:41 PM, on 26/08/2009 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v7.00 (7.00.6001.18294) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskeng.exe C:\Windows\PLFSetL.exe C:\Windows\PLFSetI.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe C:\Program Files\Launch Manager\LManager.exe C:\Program Files\Java\jre6\bin\jusched.exe D:\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Wallpaper Master\Wallpaper.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Windows\system32\wbem\unsecapp.exe C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\Users\Owner\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe C:\Windows\system32\SearchFilterHost.exe C:\Users\Owner\Desktop\RSIT.exe C:\Program Files\Trend Micro\HijackThis\Owner.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.ca.acer.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.ca.acer.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.ca.acer.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file) O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe O4 - HKLM\..\Run: [PLFSetL] C:\Windows\PLFSetL.exe O4 - HKLM\..\Run: [PLFSetI] C:\Windows\PLFSetI.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer\Acer Registration\ACE1.exe" /startup O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [Redemption] "\RunRedem.exe" /STARTUP O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [UVS12 Preload] C:\Program Files\Corel\Corel VideoStudio 12\uvPL.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun O4 - HKLM\..\Run: [WallpaperChanger] C:\Program Files\Wallpaper Master\Wallpaper.exe -startup O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\Google Update.exe" /c O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - Global Startup: Empowering Technology Launcher.lnk = ? O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200 O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office12\EXCEL.EXE/3000 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL O13 - Gopher Prefix: O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: AWinNotifyVitaKey MC3000 - C:\Windows\ O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe -- End of file - 8966 bytes ======Scheduled tasks folder====== C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1898056314-479382875-1797869004-1003Core.job C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1898056314-479382875-1797869004-1003UA.job C:\Windows\tasks\User_Feed_Synchronization-{08CA360A-E904-4060-934E-9F41279305AF}.job ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}] Groove GFS Browser Helper - D:\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}] Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-09-29 320920] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}] ShowBarObj Class - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll [2008-01-03 312368] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}] Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-09-29 34816] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {0BF43445-2F28-4351-9252-17FE6E806AA0} {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - Acer eDataSecurity Management - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll [2008-01-03 155184] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run] "RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2008-01-07 4874240] "PLFSetL"=C:\Windows\PLFSetL.exe [2007-07-05 114688] "PLFSetI"=C:\Windows\PLFSetI.exe [2007-10-23 221184] "RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2008-01-22 102400] "eDataSecurity Loader"=C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe [2008-01-03 521776] "eRecoveryService"= [] "LManager"=C:\PROGRA~1\LAUNCH~1\LManager.exe [2008-01-07 858632] "Acer Product Registration"=C:\Program Files\Acer\Acer Registration\ACE1.exe [2007-11-26 3407872] "amd_dc_opt"=C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe [2007-07-23 98304] "SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-09-29 144792] "AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-05-13 177472] "Redemption"=\RunRedem.exe /STARTUP [] "GrooveMonitor"=D:\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648] "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-14 39792] "UVS12 Preload"=C:\Program Files\Corel\Corel VideoStudio 12\uvPL.exe [2008-06-09 397456] "QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 434176] "iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-07-13 292128] "StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2009-04-27 81920] "WallpaperChanger"=C:\Program Files\Wallpaper Master\Wallpaper.exe [2007-11-24 668672] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\RunOnce] "Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2009-08-03 419088] [HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run] "ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-20 142848] "Google Update"=C:\Users\Owner\AppData\Local\Google\Update \GoogleUpdate.exe [2008-09-04 133104] "WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-20 219136] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup Empowering Technology Launcher.lnk - C:\Acer\Empowering Technology\eAPLauncher.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AWinNotifyVitaKe y MC3000] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\explorer\SharedTaskScheduler] Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll [2008-03-18 233888] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks] "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=D:\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Policies\System] "EnableLUA"=0 "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 "EnableUIADesktopToggle"=0 [HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list] "C:\Windows\system32\winlogon.exe"="C:\Windows\sys tem32\winlogon.exe:*:enabled:@shell32.dll,-1" "C:\Windows\system32\wininit.exe"="C:\Windows\syst em32\wininit.exe:*:enabled:@shell32.dll,-1" [HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\domainpr ofile\authorizedapplications\list] [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\G] shell\AutoRun\command - G:\Onspclap.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{28a8fe09-8b5f-11dd-9693-001d72228e40}] shell\AutoRun\command - H:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{64ae2e60-6b8b-11de-9493-001d72228e40}] shell\AutoRun\command - E:\.\Docs\print.exe shell\explore\command - E:\.\\\\Docs/print.exe shell\open\command - E:\Docs////print.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{be243637-52de-11dd-85d3-000000000000}] shell\AutoRun\command - G:\Onspclap.exe |
#4
|
|||
|
|||
RSIT Log part 2
======List of files/folders created in the last 1 months====== 2009-08-26 17:33:22 ----D---- C:\rsit 2009-08-26 10:06:54 ----D---- C:\ProgramData\Windows Genuine Advantage 2009-08-26 09:48:55 ----D---- C:\Program Files\Trend Micro 2009-08-26 00:16:43 ----A---- C:\Windows\ntbtlog.txt 2009-08-26 00:00:50 ----D---- C:\Program Files\ATI 2009-08-25 23:36:37 ----D---- C:\Program Files\ATI Technologies 2009-08-25 23:35:14 ----D---- C:\Program Files\Driver Sweeper 2009-08-25 23:00:46 ----RSHD---- C:\RECYCLER 2009-08-25 22:50:53 ----A---- C:\Windows\system32\Apphlpdm.dll 2009-08-25 22:50:50 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll 2009-08-22 17:15:31 ----D---- C:\Windows\system32\IOSUBSYS 2009-08-22 17:15:17 ----D---- C:\Program Files\Google 2009-08-19 15:12:35 ----D---- C:\Great Big Sea 2009-08-11 21:30:40 ----A---- C:\Windows\system32\atl.dll 2009-08-11 21:30:35 ----A---- C:\Windows\system32\avifil32.dll 2009-08-11 21:30:28 ----A---- C:\Windows\system32\mstscax.dll 2009-08-11 21:30:22 ----A---- C:\Windows\system32\wkssvc.dll 2009-08-11 21:30:02 ----A---- C:\Windows\system32\wmp.dll 2009-08-11 21:30:01 ----A---- C:\Windows\system32\wmpdxm.dll 2009-08-11 21:30:00 ----A---- C:\Windows\system32\spwmp.dll 2009-08-11 21:29:59 ----A---- C:\Windows\system32\dxmasf.dll 2009-08-11 21:29:57 ----A---- C:\Windows\system32\wmploc.DLL 2009-08-08 11:06:33 ----D---- C:\Ali Farka Toure & Toumani Diabate - In the Heart of the Moon [2005] 2009-08-02 10:51:55 ----D---- C:\Coeur de pirate - Coeur de pirate (2008) 2009-07-30 14:47:46 ----D---- C:\Program Files\iPod 2009-07-30 14:47:40 ----D---- C:\Program Files\iTunes 2009-07-30 14:44:19 ----D---- C:\Program Files\QuickTime 2009-07-28 16:49:17 ----A---- C:\Windows\system32\mshtml.dll 2009-07-28 16:49:16 ----A---- C:\Windows\system32\occache.dll 2009-07-28 16:49:14 ----A---- C:\Windows\system32\ieframe.dll 2009-07-28 16:49:12 ----A---- C:\Windows\system32\urlmon.dll 2009-07-28 16:49:11 ----A---- C:\Windows\system32\wininet.dll 2009-07-28 16:49:11 ----A---- C:\Windows\system32\iertutil.dll 2009-07-28 16:49:10 ----A---- C:\Windows\system32\msfeeds.dll 2009-07-28 16:49:10 ----A---- C:\Windows\system32\iedkcs32.dll 2009-07-28 16:49:10 ----A---- C:\Windows\system32\ieaksie.dll 2009-07-28 16:49:09 ----A---- C:\Windows\system32\ieUnatt.exe 2009-07-28 16:49:09 ----A---- C:\Windows\system32\ieencode.dll 2009-07-28 16:49:08 ----A---- C:\Windows\system32\mstime.dll 2009-07-28 16:49:07 ----A---- C:\Windows\system32\jsproxy.dll ======List of files/folders modified in the last 1 months====== 2009-08-26 17:33:34 ----D---- C:\Windows\Prefetch 2009-08-26 17:33:26 ----D---- C:\Windows\Temp 2009-08-26 17:16:22 ----D---- C:\Users\Owner\AppData\Roaming\Skype 2009-08-26 16:03:17 ----D---- C:\Users\Owner\AppData\Roaming\skypePM 2009-08-26 14:53:31 ----D---- C:\Program Files\Malwarebytes' Anti-Malware 2009-08-26 14:53:27 ----D---- C:\Windows\system32\drivers 2009-08-26 14:43:57 ----D---- C:\Windows\System32 2009-08-26 14:43:57 ----D---- C:\Windows\inf 2009-08-26 14:43:57 ----A---- C:\Windows\system32\PerfStringBackup.INI 2009-08-26 14:40:48 ----D---- C:\Program Files\Mozilla Firefox 2009-08-26 11:51:39 ----SHD---- C:\System Volume Information 2009-08-26 10:06:54 ----HD---- C:\ProgramData 2009-08-26 10:06:30 ----SD---- C:\Windows\Downloaded Program Files 2009-08-26 09:58:30 ----D---- C:\Windows\AppPatch 2009-08-26 09:52:34 ----D---- C:\Windows\winsxs 2009-08-26 09:51:29 ----D---- C:\Windows\system32\catroot 2009-08-26 09:48:55 ----RD---- C:\Program Files 2009-08-26 09:43:04 ----D---- C:\Windows 2009-08-26 00:12:29 ----D---- C:\Windows\system32\catroot2 2009-08-26 00:08:09 ----SHD---- C:\Windows\Installer 2009-08-26 00:08:07 ----RSD---- C:\Windows\assembly 2009-08-26 00:03:26 ----D---- C:\Windows\Debug 2009-08-25 23:21:01 ----SD---- C:\Users\Owner\AppData\Roaming\Microsoft 2009-08-25 23:02:28 ----D---- C:\Users\Owner\AppData\Roaming\uTorrent 2009-08-23 14:23:09 ----D---- C:\Users\Owner\AppData\Roaming\Mozilla 2009-08-23 13:26:29 ----D---- C:\Program Files\Acer 2009-08-22 21:44:56 ----A---- C:\Windows\avisplitter.INI 2009-08-22 17:26:56 ----D---- C:\Program Files\Microsoft Games 2009-08-22 17:15:55 ----D---- C:\Program Files\Common Files\PX Storage Engine 2009-08-19 11:10:27 ----A---- C:\Windows\win.ini 2009-08-12 03:11:36 ----D---- C:\Program Files\Windows Media Player 2009-08-12 03:05:15 ----D---- C:\ProgramData\Microsoft Help 2009-08-12 03:04:00 ----D---- C:\Program Files\Windows Mail 2009-08-09 13:05:42 ----D---- C:\Windows\Microsoft.NET 2009-08-09 11:45:01 ----HD---- C:\Program Files\InstallShield Installation Information 2009-07-30 14:53:39 ----D---- C:\ProgramData\Apple 2009-07-30 14:47:44 ----D---- C:\Program Files\Common Files\Apple 2009-07-29 17:49:14 ----A---- C:\Windows\system32\mrt.exe 2009-07-29 09:34:32 ----D---- C:\Program Files\Internet Explorer ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 Int15;int15; \??\C:\Acer\Empowering Technology\eRecovery\int15.sys [2007-07-03 15392] R2 irda;IrDA Protocol; C:\Windows\system32\DRIVERS\irda.sys [2008-01-20 95744] R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672] R2 PSDNServ;PSDNServ; C:\Windows\system32\DRIVERS\PSDNServ.sys [2008-01-03 16432] R2 psdvdisk;PSDVdisk; C:\Windows\system32\DRIVERS\PSDVdisk.sys [2008-01-03 59952] R2 RMCAST;RMCAST (Pgm) Protocol Driver; C:\Windows\system32\DRIVERS\RMCAST.sys [2008-05-09 113664] R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-11-28 8192] R3 AmdLLD;AMD Low Level Device Driver; C:\Windows\system32\DRIVERS\AmdLLD.sys [2007-06-29 34304] R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2009-04-27 4387840] R3 ATSWPDRV;AuthenTec TruePrint USB Driver (SwipeSensor); C:\Windows\system32\DRIVERS\ATSwpDrv.sys [2008-02-18 146824] R3 BCM43XX;Broadcom 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2007-10-26 1044984] R3 CmBatt;Microsoft AC Adapter Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-20 14208] R3 DKbFltr;Dritek Keyboard Filter Driver; C:\Windows\system32\DRIVERS\DKbFltr.sys [2006-11-02 21264] R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2009-03-19 23400] R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-12-22 985600] R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2006-12-22 207360] R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2008-01-08 2044896] R3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [2009-08-03 38160] R3 NSCIRDA;NSC Infrared Device Driver; C:\Windows\system32\DRIVERS\nscirda.sys [2008-01-20 30720] R3 NTIDrvr;Upper Class Filter Driver; C:\Windows\system32\DRIVERS\NTIDrvr.sys [2008-03-29 6144] R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC); C:\Windows\system32\DRIVERS\snp2uvc.sys [2007-10-01 1769984] R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2007-09-07 192816] R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-12-22 659968] R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-20 11264] R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller; C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-06 298496] S3 abaprer8;abaprer8; C:\Windows\system32\drivers\abaprer8.sys [] S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2008-01-20 179712] S3 dot4;MS IEEE-1284.4 Driver; C:\Windows\system32\DRIVERS\Dot4.sys [2008-01-20 131584] S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\Windows\system32\DRIVERS\Dot4Prt.sys [2008-01-20 16384] S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\Windows\system32\DRIVERS\dot4usb.sys [2008-01-20 36864] S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632] S3 hamachi;Hamachi Network Interface; C:\Windows\system32\DRIVERS\hamachi.sys [2008-07-03 25280] S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520] S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2008-01-20 200704] S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192] S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888] S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504] S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016] S3 REFILERW;REFILERW; \??\C:\Windows\system32\Drivers\REFILERW.SYS [2007-04-30 4224] S3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-20 88576] S3 SRS_SSCFilter;SRS Labs Audio Sandbox (WDM); C:\Windows\system32\drivers\srs_sscfilter_i386.sys [2007-07-26 39808] S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2009-07-09 39424] S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-20 35328] S3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-20 134016] S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-20 39936] S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328] S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656] S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-07-09 144712] R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2009-04-27 753664] R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888] R2 eDataSecurity Service;eDataSecurity Service; C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe [2008-01-03 506416] R2 iPAHelper.exe;iPAHelper.exe; C:\Program Files\iPod Access for Windows\iPAHelper.exe [2007-04-05 1543614] R2 Irmon;@%SystemRoot%\System32\irmon.dll,-2000; C:\Windows\system32\svchost.exe [2008-01-20 21504] R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-01-17 81920] R2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368] R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-11-28 403456] R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-07-13 542496] S2 eLockService;eLock Service; C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe [2007-10-01 45056] S2 eNet Service;eNet Service; C:\Acer\Empowering Technology\eNet\eNet Service.exe [2007-12-20 151552] S2 eRecoveryService;eRecovery Service; C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe [2007-09-10 77824] S2 eSettingsService;eSettings Service; C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [2007-12-19 45056] S2 MobilityService;MobilityService; C:\Acer\Mobility Center\MobilityService.exe [2007-11-27 128000] S2 WMIService;ePower Service; C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [2007-09-20 188416] S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-10-16 672256] S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-20 136120] S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 94208] S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; D:\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464] S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776] S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184] S3 Steam Client Service;Steam Client Service; C:\Program Files\Common Files\Steam\SteamService.exe [2008-11-12 99576] S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328] S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 283136] -----------------EOF----------------- |
#5
|
|||
|
|||
RSIT INFO Part 1
info.txt logfile of random's system information tool 1.06 2009-08-26 17:33:49 ======Uninstall list====== -->"C:\Program Files\InstallShield Installation Information\{BB8AE808-F003-4C7F-B56B-8C80EEAFFE23}\setup.exe" --u:{BB8AE808-F003-4C7F-B56B-8C80EEAFFE23} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85} 2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59} Acer Crystal Eye Webcam Video Class Camera -->C:\Program Files\InstallShield Installation Information\{399C37FB-08AF-493B-BFED-20FBD85EDF7F}\setup.exe -runfromtemp -l0x0009 -removeonly -u Acer Crystal Eye Webcam-->C:\Program Files\InstallShield Installation Information\{A77255C4-AFCB-44A3-BF0F-2091A71FFD9E}\setup.exe -runfromtemp -l0x0009 -removeonly Acer eDataSecurity Management-->C:\Acer\Empowering Technology\eDataSecurity\x86\eDSnstHelper.exe -Operation UNINSTALL Acer eLock Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\ 50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{116FF17B-1A30-4FC2-9B01-5BC5BD46B0B3}\setup.exe" -l0x9 -removeonly Acer Empowering Technology-->"C:\Program Files\InstallShield Installation Information\{AB6097D9-D722-4987-BD9E-A076E2848EE2}\setup.exe" -runfromtemp -l0x0009 -removeonly Acer eNet Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\ 50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C06554A1-2C1E-4D20-B613-EE62C79927CC}\setup.exe" -l0x9 -removeonly Acer ePower Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\ 50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\setup.exe" -l0x9 -removeonly Acer ePresentation Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\ 50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BF839132-BD43-4056-ACBF-4377F4A88E2A}\setup.exe" -l0x9 -removeonly Acer eSettings Management-->"C:\Program Files\InstallShield Installation Information\{CE65A9A0-9686-45C6-9098-3C9543A412F0}\setup.exe" -runfromtemp -l0x0009 -removeonly Acer GridVista-->C:\Windows\GVUni.exe GridV.UNI Acer Mobility Center Plug-In-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\ 50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{11316260-6666-467B-AC34-183FCB5D4335}\setup.exe" -l0x9 -removeonly Acer Registration-->C:\Program Files\Acer\Acer Registration\uninstall.exe Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95} Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61} Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394} Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23} Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C} Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C} Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E} Adobe Color Common Settings-->C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6 ab2e\Setup.exe Adobe Color Common Settings-->MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF} Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8} Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029} Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5} Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D} Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD} Adobe ExtendScript Toolkit 2-->C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e 58ff\Setup.exe Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{24D7346D-D4B4-45E8-98EA-75EC14B42DD8} Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plug in.exe Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_acti veX.exe Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B} Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245} Adobe Illustrator CS3-->C:\Program Files\Common Files\Adobe\Installers\a04a925a57548091300ada36823 5fc6\Setup.exe Adobe Illustrator CS3-->MsiExec.exe /I{F08E8D2E-F132-4742-9C87-D5FF223A016A} Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078} Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C} Adobe Photoshop CS3-->C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb91 9b58\Setup.exe Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05} Adobe Reader 8.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003} Adobe Setup-->MsiExec.exe /I{4F3E17F8-F1C8-4A4B-9EB8-1EE2D190CDA9} Adobe Setup-->MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1} Adobe Setup-->MsiExec.exe /I{B3C02EC1-A7B0-4987-9A43-8789426AAA7D} Adobe Setup-->MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462} Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183} Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312} Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8} Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5} Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6} Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923} Alarm Clock v1.0-->"C:\Program Files\Alarm Clock\unins000.exe" Apple Mobile Device Support-->MsiExec.exe /I{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3} Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033} Armadillo Run 1.0.3-->"C:\Program Files\Armadillo Run\unins000.exe" AuthenTec Fingerprint Sensor Minimum Install-->MsiExec.exe /I{64BDD01B-70CA-4844-9D2F-38C56FB31E03} Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B} Catalyst Control Center - Branding-->MsiExec.exe /I{D3B1C799-CB73-42DE-BA0F-2344793A095C} CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe" Comical 0.8-->"C:\Program Files\Comical\unins000.exe" Corel VideoStudio 12-->C:\Program Files\InstallShield Installation Information\{F0FDF9C9-1DDC-401F-B638-36F1CAE8A875}\setup.exe -runfromtemp -l0x0409 Driver Sweeper 2.0.5-->"C:\Program Files\Driver Sweeper\unins000.exe" Dual-Core Optimizer-->MsiExec.exe /X{FF3D660E-E5CC-47FD-8050-1B4DE3BA81A9} File Recover 7.0-->"G:\Becca\File Recover\unins000.exe" Free WMV to AVI MPEG Converter v1.2-->"C:\Program Files\Free WMV to AVI MPEG Converter\unins000.exe" Google Earth Pro 4.2-->"C:\Windows\Google Earth Pro 4.2\uninstall.exe" "/U:C:\Program Files\Google Earth Pro 4.2\Uninstall\uninstall.xml" Google Talk Plugin-->MsiExec.exe /I{BBC783B7-8725-3B1C-B49A-BA7F09391251} Hamachi 1.0.3.0-->C:\Program Files\Hamachi\uninstall.exe HDAUDIO Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BF AOR2C06_118\UIU32m.exe -U -Ic:\Release\Foxconn\51338\AcrZUn32z.inf HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT="" Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT="" InFlac 1.1.1-->"C:\Program Files\Winamp\InFlac-Uninstall.exe" iPod Access for Windows v4.2.2-->"C:\Program Files\iPod Access for Windows\unins000.exe" iTunes-->MsiExec.exe /I{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944} Java(TM) 6 Update 10-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF} Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070} K-Lite Codec Pack 3.9.5 (Standard)-->"C:\Program Files\K-Lite Codec Pack\unins000.exe" Launch Manager-->C:\Windows\UnInst32.exe LManager.UNI Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe" Microsoft .NET Framework 3.5 SP1-->C:\Windows\Microsoft.NET\Framework\v3.5\Microso ft .NET Framework 3.5 SP1\setup.exe Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE} Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE} Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE} Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE} Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE} Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE} Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE} Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE} Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE} Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE} Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE} Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE} Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE} Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE} Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE} Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE} Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE} Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE} Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118} Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d} Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C} Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729-->MsiExec.exe /X{3C3D696B-0DB7-3C6D-A356-3DB8CE541918} MobileMe Control Panel-->MsiExec.exe /I{DDBB28C8-B2AA-45A1-8DCE-059A798509FB} Mozilla Firefox (3.0.13)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71} NTI Backup NOW! 4.7-->C:\Program Files\InstallShield Installation Information\{1598034D-7147-432C-8CA8-888E0632D124}\setup.exe -runfromtemp -l0x0409 NTI CD & DVD-Maker-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\I Driver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7 NTI Shadow-->"C:\Program Files\InstallShield Installation Information\{6F7EA6CA-79F4-44A0-A370-8E82BB16534A}\setup.exe" -removeonly NTI Shadow-->C:\Program Files\InstallShield Installation Information\{6F7EA6CA-79F4-44A0-A370-8E82BB16534A}\setup.exe -runfromtemp -l0x0409 oggcodecs 0.71.0946-->C:\Program Files\illiminable\oggcodecs\uninst.exe Opera 9.52-->MsiExec.exe /X{775EA80D-E368-4310-97B6-3D47EB9BB3F1} PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5} Picasa 3-->"C:\Program Files\Google\Picasa3\Uninstall.exe" PowerDVD-->"C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68} Railroad Tycoon 3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\070 1\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DE29025A-091F-4998-AD2D-24C84421190F}\setup.exe" -l0x9 Realtek High Definition Audio Driver-->RtlUpd.exe -r -m Replay Music-->"C:\Windows\Replay Music\uninstall.exe" "/U:C:\Program Files\Replay Music 3\Uninstall\uninstall.xml" Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85} Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7} Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08} Security Update for 2007 Microsoft Office System (KB969679)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C66E4A6C-6E07-4C63-8CCD-2493B5087C73} Security Update for Microsoft Office Excel 2007 (KB969682)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C03803BD-745A-46F8-8557-817DED578780} Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4} Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D} Security Update for Microsoft Office Publisher 2007 (KB969693)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7BE67088-1EB3-4569-8E75-DDAFBF61BC4E} Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F} Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C} Security Update for Microsoft Office Word 2007 (KB969604)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {CF3D6499-709C-43D0-8908-BC5652656050} Sid Meier's Civilization 4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\ 00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}\setup.exe" -l0x9 -removeonly Simplify Media-->MsiExec.exe /X{A3AF1E4E-C220-4690-8812-10D0C666405B} Skype™ 3.8-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82} Soldat 1.4.2-->"C:\Soldat\unins000.exe" Soldat 1.5.0-->"C:\Soldat\unins001.exe" |
#6
|
|||
|
|||
Info Part 2
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe" Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3} Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUnin stall TeamSpeak 2 RC2-->"C:\Program Files\Teamspeak2_RC2\unins000.exe" Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D} Update for Microsoft Office 2007 Help for Common Features (KB963673)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {AB365889-0395-4FAD-B702-CA5985D53D42} Update for Microsoft Office Access 2007 Help (KB963663)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {6B76A18A-AA1E-42AB-A7AD-6C84BBB43987} Update for Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {199DF7B6-169C-448C-B511-1054101BE9C9} Update for Microsoft Office Infopath 2007 Help (KB963662)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {716B81B8-B13C-41DF-8EAC-7A2F656CAB63} Update for Microsoft Office OneNote 2007 Help (KB963670)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2744EF05-38E1-4D5D-B333-E021EDAEA245} Update for Microsoft Office Outlook 2007 (KB969907)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {74F98B24-AFBD-4800-9BD6-87D349B5C462} Update for Microsoft Office Outlook 2007 Help (KB963677)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {0451F231-E3E3-4943-AB9F-58EB96171784} Update for Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {397B1D4F-ED7B-4ACA-A637-43B670843876} Update for Microsoft Office Publisher 2007 Help (KB963667)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2E40DE55-B289-4C8B-8901-5D369B16814F} Update for Microsoft Office Script Editor Help (KB963671)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {CD11C6A2-FFC6-4271-8EAB-79C3582F505C} Update for Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {80E762AA-C921-4839-9D7D-DB62A72C0726} Update for Outlook 2007 Junk Email Filter (kb972691)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AA020E6E-E2FB-45EF-B732-2400E2296742} Uplink-->C:\Windows\IsUninst.exe -f"C:\Program Files\Uplink\Uninst.isu" VideoLAN VLC media player 0.8.6h-->C:\Program Files\VideoLAN\VLC\uninstall.exe Wallpaper Master Pro v1.52-->"C:\Program Files\Wallpaper Master\unins000.exe" Winamp-->"C:\Program Files\Winamp\UninstWA.exe" Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320} Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0} WinRAR-->"C:\Windows\WinRAR\uninstall.exe" "/U:C:\Program Files\WinRAR\Uninstall\uninstall.xml" YouTube Uploader for CASIO-->MsiExec.exe /X{F1B330B2-7882-4A8C-9BBF-D1109180ED8F} ======Hosts File====== 127.0.0.1 www.007guard.com 127.0.0.1 007guard.com 127.0.0.1 008i.com 127.0.0.1 www.008k.com 127.0.0.1 008k.com 127.0.0.1 www.00hq.com 127.0.0.1 00hq.com 127.0.0.1 010402.com 127.0.0.1 www.032439.com 127.0.0.1 032439.com ======Security center information====== AS: Spybot - Search and Destroy (disabled) (outdated) AS: Windows Defender ======System event log====== Computer Name: Owner-PC Event Code: 7009 Message: A timeout was reached (30000 milliseconds) while waiting for the eRecovery Service service to connect. Record Number: 156256 Source Name: Service Control Manager Time Written: 20090826213804.000000-000 Event Type: Error User: Computer Name: Owner-PC Event Code: 7000 Message: The eRecovery Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. Record Number: 156257 Source Name: Service Control Manager Time Written: 20090826213804.000000-000 Event Type: Error User: Computer Name: Owner-PC Event Code: 7009 Message: A timeout was reached (30000 milliseconds) while waiting for the eSettings Service service to connect. Record Number: 156258 Source Name: Service Control Manager Time Written: 20090826213804.000000-000 Event Type: Error User: Computer Name: Owner-PC Event Code: 7000 Message: The eSettings Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. Record Number: 156259 Source Name: Service Control Manager Time Written: 20090826213804.000000-000 Event Type: Error User: Computer Name: Owner-PC Event Code: 7009 Message: A timeout was reached (30000 milliseconds) while waiting for the ePower Service service to connect. Record Number: 156265 Source Name: Service Control Manager Time Written: 20090826213813.000000-000 Event Type: Error User: =====Application event log===== Computer Name: Owner-PC Event Code: 1000 Message: Faulting application 710.exe, version 0.0.0.0, time stamp 0x4a9295b0, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x00c0420b, process id 0x880, application start time 0x01ca26958983952e. Record Number: 23623 Source Name: Application Error Time Written: 20090826213828.000000-000 Event Type: Error User: Computer Name: Owner-PC Event Code: 1000 Message: Faulting application 940.exe, version 0.0.0.0, time stamp 0x4a929569, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x00c041cd, process id 0x868, application start time 0x01ca269589b5920e. Record Number: 23624 Source Name: Application Error Time Written: 20090826213828.000000-000 Event Type: Error User: Computer Name: Owner-PC Event Code: 1000 Message: Faulting application ENMTRAY.EXE, version 2.6.4.303, time stamp 0x4769e278, faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791a7a6, exception code 0xc000007b, fault offset 0x00009cac, process id 0x3d4, application start time 0x01ca26958a84a9ae. Record Number: 23626 Source Name: Application Error Time Written: 20090826213832.000000-000 Event Type: Error User: Computer Name: Owner-PC Event Code: 1000 Message: Faulting application EPOWER_DMC.EXE, version 2.5.4309.0, time stamp 0x47a8a11d, faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791a7a6, exception code 0xc000007b, fault offset 0x00009cac, process id 0xad4, application start time 0x01ca26958edead2e. Record Number: 23627 Source Name: Application Error Time Written: 20090826213834.000000-000 Event Type: Error User: Computer Name: Owner-PC Event Code: 1000 Message: Faulting application ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE, version 2.5.4301.0, time stamp 0x4784a54e, faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791a7a6, exception code 0xc000007b, fault offset 0x00009cac, process id 0xb28, application start time 0x01ca26958ffeb38e. Record Number: 23628 Source Name: Application Error Time Written: 20090826213834.000000-000 Event Type: Error User: =====Security event log===== Computer Name: Owner-PC Event Code: 4648 Message: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: OWNER-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: SYSTEM Account Domain: NT AUTHORITY Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x27c Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command. Record Number: 35044 Source Name: Microsoft-Windows-Security-Auditing Time Written: 20090826233228.013703-000 Event Type: Audit Success User: Computer Name: Owner-PC Event Code: 4624 Message: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: OWNER-PC$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x27c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. Record Number: 35045 Source Name: Microsoft-Windows-Security-Auditing Time Written: 20090826233228.013703-000 Event Type: Audit Success User: Computer Name: Owner-PC Event Code: 4672 Message: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege Record Number: 35046 Source Name: Microsoft-Windows-Security-Auditing Time Written: 20090826233228.013703-000 Event Type: Audit Success User: Computer Name: Owner-PC Event Code: 4616 Message: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x5b8 Name: C:\Windows\System32\svchost.exe Previous Time: 4:35:00 PM 26/08/2009 New Time: 4:35:13 PM 26/08/2009 This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. Record Number: 35047 Source Name: Microsoft-Windows-Security-Auditing Time Written: 20090826233513.753000-000 Event Type: Audit Success User: Computer Name: Owner-PC Event Code: 4616 Message: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x5b8 Name: C:\Windows\System32\svchost.exe Previous Time: 4:35:13 PM 26/08/2009 New Time: 4:35:13 PM 26/08/2009 This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer. Record Number: 35048 Source Name: Microsoft-Windows-Security-Auditing Time Written: 20090826233513.753000-000 Event Type: Audit Success User: ======Environment variables====== "ComSpec"=%SystemRoot%\system32\cmd.exe "FP_NO_HOST_CHECK"=NO "OS"=Windows_NT "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemR oot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Acer\Empowering Technology\eDataSecurity\;C:\Acer\Empowering Technology\eDataSecurity\x86;C:\Acer\Empowering Technology\eDataSecurity\x64;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\QuickTime\QTSystem\ "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;. WSF;.WSH;.MSC "PROCESSOR_ARCHITECTURE"=x86 "TEMP"=%SystemRoot%\TEMP "TMP"=%SystemRoot%\TEMP "USERNAME"=SYSTEM "windir"=%SystemRoot% "PROCESSOR_LEVEL"=15 "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 104 Stepping 2, AuthenticAMD "PROCESSOR_REVISION"=6802 "NUMBER_OF_PROCESSORS"=2 "TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.m icrosoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat "DFSTRACINGON"=FALSE "CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip "QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip -----------------EOF----------------- |
#7
|
|||
|
|||
GMER Log
GMER 1.0.15.15077 [95x02ndi.exe] - http://www.gmer.net Rootkit quick scan 2009-08-26 17:52:12 Windows 6.0.6001 Service Pack 1 ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 84E571F8 Device \FileSystem\fastfat \Fat 8638A1F8 AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation) ---- EOF - GMER 1.0.15 ---- PS: Just in case it matters None of the processes you told me to stop with HJT were there. |
#8
|
|||
|
|||
EDIT: Also, I still have malwarebytes antimalware open. Should I tell it to quarantine the infected files it found again? Or just leave them. These are the files that I have quarantined twice with this program and they have come back both times.
|
#9
|
||||
|
||||
Try to refrain from making any changes/running any scans there in between these posted steps. If we follow some set routines for removal we will get to the "all clean" goal, given time. The logs show some autorun worm malware involvement, and these suggest bootup malware issues as well:
Message: Faulting application 710.exe Message: Faulting application 940.exe The malware has included an autorun type component, so if any external drives have been used on this computer recently be sure to install them now, and leave them installed until ALL repairs on it are completed. If not, they will remain infected and can re-infect the computer (or others). To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs. Go here, fill out the basic info they ask for (carefully, since it includes offers of email notices), and download Panda's USB Vaccine tool. Unzip that download, and click the USBVaccine.exe file to open the display. For now go ahead and click the option to "Vaccinate computer", which will disable autorun for CD drives and USB drives. Also use the USB drive Vaccination option dropdown to "Vaccinate" all attached USB drives there. Then just close that display when done. ------------ Download OTM.exe by OldTimer to your desktop. Then click OTM.exe to run it (Vista users, please right click on OTM.exe and select "Run as an Administrator"). Copy the file path(s) below (inside the Code box) to the clipboard by highlighting ALL of them and pressing CTRL + C, or right-click and choose Copy): Code:
:reg [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64ae2e60-6b8b-11de-9493-001d72228e40}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be243637-52de-11dd-85d3-000000000000}] [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "C:\\Windows\\system32\\winlogon.exe"=- "C:\\Windows\\system32\\wininit.exe"=- A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder, in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply. If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes". ----------- Download ComboFix.exe from here to your C drive folder, but I would like you to rename the file as you download it (do not download it directly without renaming it - use right click "Save Target/Link As" ). For this, rename the downloading file to alg.exe, so it should then be C:\alg.exe. Then click the renamed alg.exe to run that scan. Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here. A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt. Post that and the OTM log please. |
#10
|
|||
|
|||
I vaccinated my computer using usb vaccine, but could not vaccinate my portable hard drive or thumb drive because it only supports FAT file systems.
Here is the log from OTM ========== REGISTRY ========== Registry key HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\G\ deleted successfully. Registry key HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{64ae2e60-6b8b-11de-9493-001d72228e40}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64ae2e6 0-6b8b-11de-9493-001d72228e40}\ not found. Registry key HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{be243637-52de-11dd-85d3-000000000000}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{be24363 7-52de-11dd-85d3-000000000000}\ not found. Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list\\C:\\Windows\\ system32\\winlogon.exe not found. Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list\\C:\\Windows\\ system32\\wininit.exe not found. OTM by OldTimer - Version 3.0.0.6 log created on 08262009_184417 I renamed combofix to alg.exe and saved it to my C drive but Combofix came up with an error when I ran it saying: !! Alert !! It is NOT SAFE to continue! The contents of the ComboFix has been compromised, Please download a fresh copy from: http://www.bleepingcomputer.com/comb...o-use-combofix Note: You may be infected with a file patching virus 'Virut' |
#11
|
||||
|
||||
Hmmm- Panda was supposed to have corrected for that issue. But this Virut warning is not a very good thing - see here. That really does mean everything. See if you can get in a scan to check that.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs. Then Go here and run the Kaspersky online scan, and post back the log it creates. To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top if needed to allow this). Once the Database download is completed, under Scan in the left column click My Computer to start the scan. This may take a very long time, so allow the scan to run and perhaps find something else to do. When the scan completes click View Scan Report. Then click Save Report As, and using the dropdown box save the report as "Files of Type: -> Text file (.txt)" to a location where you can find it again. Use any name you wish for the log. Then locate that log and copy/paste those contents back here please. The scan requires a good bit of database downloading and can take quite a while to complete. However, if Virut is there it will mean likely a very long log file of finds, so if that turns out to be the case, just inform me of that in your next reply. |
#12
|
|||
|
|||
Yes, it is a very long log file, all files infected with virut (about 1600 of them).
From your last reply I got the impression that you don't need the log file if it is very big? If not I can post it. Also during the night when this was scanning a whole bunch of errors with different numbers have come up (eg 918, 870, etc). Also, would it help at all to remove all of the entries that kaspersky finds? One more question: I think I received this virus from my brothers portable hard drive. Is it safe to connect the hard drive to any other computers? Kaspersky found infected files on the hard drive. |
#13
|
||||
|
||||
All I have when it comes to Virut infection issues is all bad news sadgoat. Any drive where Virut altered files have been found needs to be completely reformatted. Likely wipe the drive first using the still infected computer, leaving no files on it, then reformat the computer's drive as well. Virut is a "start-all-over-again" situation.
|
#14
|
|||
|
|||
Well, thank you for all the help Jintan. I suppose I will reformat. I do have two more questions.
Can the virut virus be transferred through an ipod? And can the virus be transferred to an apple computer? |
#15
|
||||
|
||||
No for the Apple question, do the difference in file formatting used. I am not aware of any Virut having altered any files on iPods. One way to test this is to reinstall, but before you place too much effort into reinstalling softwares etc., connect the iPod and run that Kaspersky scan again.
You can also Go here and download and click to run Everest. Though you don't dare save any driver files themselves, this can be used for you to record any devices and drivers you will need after reinstalling. |
![]() |
Bookmarks |
«
Previous Topic
|
Next Topic
»
|
|
![]() |
||||
Topic | Topic Starter | Forum | Replies | Last Post |
Malwarebytes Anti-Malware Shortcut issue.... | Ensign Tzap | Applications | 17 | August 28th, 2012 09:51 PM |
Can Malwarebytes Anti Malware actually get rid of malware such as Windows System? | dwilliams1578 | Malware Removal | 2 | June 4th, 2011 09:39 AM |
Malwarebytes AntiMalware | shkhaslam | Malware Removal | 4 | November 19th, 2009 04:18 AM |
Malware? Virus? Trojan? (HJT, ewido logs inside) | AlphaShadow | Malware Removal | 4 | June 8th, 2006 02:59 AM |
Searchem.net Problem (popups... logs inside) | ShhBeqQuiet9772 | Malware Removal | 3 | May 12th, 2005 01:11 PM |
All times are GMT +1. The time now is 03:23 AM.