Windows Vista Recovery virus

Post by forza » May 27th, 2011, 10:56 am

Hi, my computer has just been infected by "Windows Vista Recovery Virus". As a result, most of my files are hidden and there are no items in the Start Menu folders. And I think the registry files are also infected.

Attach.txt log:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-05-19.01)
.
Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume2
Install Date: 9/7/2009 4:18:23 AM
System Uptime: 5/27/2011 10:12:46 AM (0 hours ago)
.
Motherboard: Acer, Inc. | | Grasmoor
Processor: AMD Turion(tm) X2 Dual-Core Mobile RM-70 | Socket M2/S1G1 | 2000/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 70 GiB total, 10.106 GiB free.
D: is FIXED (NTFS) - 70 GiB total, 48.877 GiB free.
E: is CDROM ()
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1095: 5/22/2011 9:35:42 AM - Windows Update
RP1096: 5/23/2011 12:00:01 AM - Scheduled Checkpoint
RP1097: 5/24/2011 12:00:01 AM - Scheduled Checkpoint
RP1098: 5/24/2011 7:12:06 AM - Windows Update
RP1099: 5/25/2011 10:25:03 AM - Removed Pro Evolution Soccer 2010.
RP1101: 5/25/2011 10:29:46 AM - Removed Counter-Strike 1.6
RP1102: 5/25/2011 11:02:13 AM - Windows Update
RP1103: 5/25/2011 11:14:32 AM - Windows Update
RP1104: 5/26/2011 4:41:22 AM - Scheduled Checkpoint
RP1105: 5/26/2011 10:43:02 PM - Windows Update
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Acer Arcade Deluxe
Acer Assist
Acer eDataSecurity Management
Acer Empowering Technology
Acer ePower Management
Acer eRecovery Management
Acer eSettings Management
Acer GameZone Console 2.0.1.1
Acer GridVista
Acer Mobility Center Plug-In
Acer Registration
Acer ScreenSaver
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.4
Adobe Shockwave Player
Amazon Unbox Video
Apple Application Support
Athan Basic 3.8
CCleaner
CDDRV_Installer
EA Download Manager
EA SPORTS online 2008
erLT
ERUNT 1.1j
eSobi v2
FIFA 11 Demo
HDAUDIO Soft Data Fax Modem with SmartCP
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ImgBurn
Java Auto Updater
Java(TM) 6 Update 20
K-Lite Mega Codec Pack 3.6.5
KhalInstallWrapper
Launch Manager
LightScribe 1.4.142.1
Logitech SetPoint
Madden NFL 08
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Works
Move Media Player
Mozilla Firefox 4.0.1 (x86 en-US)
MSVCRT
MSXML 4.0 SP2 (KB954430)
NHL® 09
NTI Backup Now 5
NTI Backup Now Standard
NTI Media Maker 8
NVIDIA Drivers
NYKO Gamepad Mapping Tools 2.0.0
OGA Notifier 2.0.0048.0
Orion
Panda ActiveScan 2.0
PhotoNow!
PowerDirector
Quran in Ms Word
R for Windows 2.12.1
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
SiSoftware Sandra Lite 2010c
Skype™ 4.1
SpywareBlaster 4.3
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2536413)
Veetle TV 0.9.17
WIDCOMM Bluetooth Software 6.0.1.6400
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Upload Tool
Windows Media Player Firefox Plugin
WinRAR archiver
Yahoo! Messenger
YouTube Downloader 2.6.2
.
==== Event Viewer Messages From Past Week ========
.
5/27/2011 10:13:26 AM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
5/26/2011 11:18:16 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
5/26/2011 11:12:07 PM, Error: EventLog [6008] - The previous system shutdown at 11:03:13 PM on 5/26/2011 was unexpected.
5/25/2011 4:14:31 AM, Error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
5/25/2011 11:02:36 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.105.365.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6903.0 Error code: 0x8024001e Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
5/25/2011 10:51:03 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.105.365.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6903.0 Error code: 0x8024001e Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
5/25/2011 10:51:03 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.105.365.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6903.0 Error code: 0x8024001e Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
5/21/2011 2:10:27 AM, Error: EventLog [6008] - The previous system shutdown at 11:32:29 PM on 5/20/2011 was unexpected.
5/20/2011 5:51:09 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Windows Internet Explorer 9 for Windows Vista.
5/20/2011 5:39:32 AM, Error: EventLog [6008] - The previous system shutdown at 5:38:22 AM on 5/20/2011 was unexpected.
5/20/2011 2:58:05 AM, Error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
5/20/2011 11:05:28 PM, Error: EventLog [6008] - The previous system shutdown at 5:29:59 PM on 5/20/2011 was unexpected.
.
==== End Of File ===========================

DDS.txt log:

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_20
Run by @k3yM at 10:51:57 on 2011-05-27
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2813.1489 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\Explorer.EXE
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Acer\Empowering Technology\NotificationCenter\Framework.NotificationCenter.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\@k3yM\Desktop\MalwareRemoval\dds.scr
C:\Windows\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bigseekpro.com/tempcleaner/{87DEC4D9-D6DC-45E3-8D74-F1C1D0E0996F}
uSearch Page =
uSearch Bar =
mStart Page = hxxp://www.bigseekpro.com/tempcleaner/{87DEC4D9-D6DC-45E3-8D74-F1C1D0E0996F}
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\AxAutoMntSrv.exe" -automount
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
StartupFolder: c:\users\@k3ym\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\amazon~1.lnk - c:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-be ... canner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\@k3ym\appdata\roaming\mozilla\firefox\profiles\pb9px39p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.soccernet.com/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\users\@k3ym\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\@k3ym\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\@k3ym\appdata\roaming\move networks\plugins\npqmp071705000014.dll
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-6-12 28552]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R1 MpKsl8265f775;MpKsl8265f775;c:\programdata\microsoft\microsoft antimalware\definition updates\{c4fb42fd-898f-4fbd-9ccd-073ce03d5769}\MpKsl8265f775.sys [2011-5-27 28752]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\playmovie\000.fcl [2009-9-7 61424]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
R2 CLHNService;CLHNService;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\CLHNService.exe [2009-9-7 81504]
R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-5-22 24576]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-26 45056]
R2 NTIPPKernel;NTIPPKernel;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\NTIPPKernel.sys [2009-9-7 122368]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-26 131072]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-23 370688]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-5-22 210432]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2010c\RpcAgentSrv.exe [2010-5-15 93336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-05-27 14:13:20 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{c4fb42fd-898f-4fbd-9ccd-073ce03d5769}\MpKsl8265f775.sys
2011-05-27 11:31:16 6962000 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{c4fb42fd-898f-4fbd-9ccd-073ce03d5769}\mpengine.dll
2011-05-21 03:17:47 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{442fb6f0-6751-4352-a5f8-c357fe200cb5}\gapaengine.dll
2011-05-20 09:51:58 -------- d-----w- c:\users\@k3ym\appdata\local\Windows Live
2011-05-20 09:51:11 754688 ----a-w- c:\windows\system32\webservices.dll
2011-05-19 20:39:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-10 18:28:16 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-06 20:31:09 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-05-06 20:29:55 -------- d-----w- c:\users\@k3ym\appdata\local\Electronic Arts
2011-05-06 10:50:23 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-05-06 10:50:23 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-05-06 10:50:23 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-05-06 10:50:22 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-05-06 10:50:22 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-05-06 10:50:22 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-05-06 10:50:22 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-05-06 10:50:21 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-04-27 15:57:42 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 15:57:42 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 15:57:29 876032 ----a-w- c:\windows\system32\XpsPrint.dll
.
==================== Find3M ====================
.
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42:03 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40:07 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40:05 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40:05 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44:27 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
.
============= FINISH: 10:52:56.97 ===============

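The Pseudo HJT Report section of the DDS log above is where this infection shows itself: the same bigseekpro start page set for both the user and the machine, the policy line mPolicies-system: DisableTaskMgr = 1, and the autorun entries. As an added example (not part of this thread, of the DDS tool, or of MalwareRemoval.com), the Python below parses lines in that report format and flags those three kinds of indicator; the lockout-policy watch-list, the trusted home-page hosts and the extra uRun line for mmc95.exe are assumptions constructed for the demonstration, not from the posted log.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example, not part of DDS or of the thread.  It flags three things a
helper looks at first: a hijacked start page, a policy that locks the user
out of Task Manager or similar tools, and suspicious Run (autorun) entries.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the report posted in the thread,
# plus one constructed uRun line (not in the posted log) so the
# user-writable-path check has something to catch.  DDS defangs URLs as hxxp.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.bigseekpro.com/tempcleaner/{87DEC4D9-D6DC-45E3-8D74-F1C1D0E0996F}
uSearch Page =
mStart Page = hxxp://www.bigseekpro.com/tempcleaner/{87DEC4D9-D6DC-45E3-8D74-F1C1D0E0996F}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [mmc95] c:\users\@k3ym\appdata\roaming\adobe\plugs\mmc95.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
"""

# Assumed watch-list: policies a rogue sets so its victim cannot kill it.
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoControlPanel",
                    "NoRun", "NoFolderOptions"}
# Assumed allow-list of home-page hosts that need no review.
TRUSTED_HOMEPAGE_HOSTS = {"www.msn.com", "go.microsoft.com", "www.google.com"}
# Directory fragments a vendor autorun should not normally live under.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

SCOPE = {"u": "HKCU", "m": "HKLM"}   # DDS prefix: u = current user, m = machine
START_PAGE_RE = re.compile(r"^([um])Start Page = (\S.*)$")
RUN_RE = re.compile(r"^([um])Run: \[([^\]]*)\] (.*)$")
POLICY_RE = re.compile(r"^([um])Policies-(\w+): (\w+) = (\d+) \(0x[0-9A-Fa-f]+\)$")
HOST_RE = re.compile(r"^h(?:xx|tt)ps?://([^/]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "review"
    kind: str       # "policy", "startpage" or "autorun"
    detail: str


def _command_image(command: str) -> str:
    """Return the executable part of a Run value, with quotes stripped."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_report(text: str) -> list:
    """Walk the report line by line and return the findings in log order."""
    findings = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            scope, key, name, value = m.groups()
            if name in LOCKOUT_POLICIES and int(value) != 0:
                findings.append(Finding("high", "policy",
                    f"{SCOPE[scope]} Policies\\{key}\\{name} = {value}"))
            continue
        m = START_PAGE_RE.match(line)
        if m:
            scope, url = m.groups()
            host = HOST_RE.match(url)
            host = host.group(1).lower() if host else url
            if host not in TRUSTED_HOMEPAGE_HOSTS:
                findings.append(Finding("review", "startpage",
                    f"{SCOPE[scope]} start page -> {host}"))
            continue
        m = RUN_RE.match(line)
        if m:
            scope, name, command = m.groups()
            image = _command_image(command).lower()
            if "\\" not in image:
                # Bare file name: resolved through PATH, so verify where it lives.
                findings.append(Finding("review", "autorun",
                    f"{SCOPE[scope]} Run [{name}] has unqualified image {image}"))
            elif any(h in image for h in USER_WRITABLE_HINTS):
                findings.append(Finding("high", "autorun",
                    f"{SCOPE[scope]} Run [{name}] runs from user-writable path {image}"))
    return findings


def summarize(findings) -> dict:
    """Count findings per severity for a quick 'is this box locked out' check."""
    counts = {"high": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.kind:9} {f.detail}")
    print(summarize(parse_report(SAMPLE_REPORT)))
```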
Re: Windows Vista Recovery virus

Post by Carolyn » May 30th, 2011, 8:11 am

I am reviewing your logs and will post back shortly.

Re: Windows Vista Recovery virus

Post by Carolyn » May 30th, 2011, 8:42 am

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems.

Please do not run any other tool until instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

=============================

Before we begin: Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start.

=============================

Vista/Windows 7 Advice
As you're using Vista or Windows 7, it will be necessary to right click all tools we use and select "Run as Administrator".

=============================

Remove outdated programs
You can install current versions of Java and Adobe Reader after your computer is clean.
  • Go to start > control panel > programs and features.
  • Right click on each instance of:

    Adobe Reader 9.4.4
    Java Auto Updater
    Java(TM) 6 Update 20
    Microsoft Antimalware
    SpywareBlaster


  • Click Uninstall & then follow the prompts to remove them.

=============================

Create a System Restore Point
  1. Right-click on Computer ... select Properties.
  2. In the left pane under Tasks ... click System protection.
    If UAC prompts for an administrator password or approval, type the password or give your "permission to continue".
  3. Select System Protection ...then choose Create.
  4. In the System Restore dialog box, type a description for the restore point ... click Create, again.
    A window will pop up with "The Restore Point was created successfully" confirmation message.
  5. Click OK ...then close the System Restore dialog.

=============================

Rkill
Note: If your security software warns about Rkill, ignore & allow the download to continue.
Download RKill by Grinler from Here & save it to your Desktop.
Alternate download links:
Two
Three
Four
  • Double click Rkill to run it
  • A command window will open then disappear upon completion, this is normal
    • If this does not happen... delete the file, then download & use the next link provided
    • If it does not work, repeat the process & attempt to use one of the remaining links until the tool runs
  • Do not reboot your machine until asked to do so. If no version of Rkill would run, please let me know
  • When finished, Notepad will open with a log file, automatically saved at C:\rkill.log
  • Copy/paste the contents of the rkill.log file in your next reply
  • Leave Rkill on the Desktop unless instructed otherwise
Note: If you get an alert that Rkill is infected, ignore it. The alert is a fake warning given by rogue software, trying to "protect" itself from being terminated or removed. If you see such a warning, leave the warning on the screen, then run Rkill again. Not closing the warning sometimes allows you to bypass the malware's attempt to protect itself, so that Rkill can perform its routine.


=============================

I see you already have Malwarebytes Anti-Malware installed:

  • Launch the application, select the Updates tab and click Check for Updates
  • Select the Scanner tab, choose Perform Full Scan then click Scan
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

=============================
Unhide
Please download Unhide.exe (http://download.bleepingcomputer.com/grinler/unhide.exe) (by Grinler)

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

=============================

Please include the following logs in your next reply (post all logs as text, no attachments please):
  • The Rkill log
  • The Malwarebytes' log
  • A fresh set of DDS logs
  • A description of how your computer is now behaving.

Re: Windows Vista Recovery virus

Post by forza » May 30th, 2011, 12:34 pm

Remove outdated programs:
The following programs are not listed in the Control Panel:

Java Auto Updater
Microsoft Antimalware


Rkill: Successfully run.
Rkill log:


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 05/30/2011 at 9:37:15.
Operating System: Windows Vista (TM) Home Basic


Processes terminated by Rkill or while it was running:

C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Users\@k3yM\Desktop\MalwareRemoval\rkill.com


Rkill completed on 05/30/2011 at 9:38:15.



MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6722

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

5/30/2011 12:07:01 PM
mbam-log-2011-05-30 (12-07-01).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 306110
Time elapsed: 1 hour(s), 52 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\@k3yM\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\JM15H1SQ\windows-update-sp2-kb82150-setup[1].exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\Users\@k3yM\AppData\Roaming\Adobe\plugs\mmc88011552.txt (Trojan.FakeMS) -> Quarantined and deleted successfully.
d:\documents and settings\installer\ACAD07\autodesk autocad 2006\Crack\Keymaker.exe (Malware.Gen) -> Quarantined and deleted successfully.
d:\documents and settings\installer\ACAD07\autodesk autocad electrical 2006\KeyGen\Keymaker.exe (Malware.Gen) -> Quarantined and deleted successfully.
d:\documents and settings\installer\ACAD07\autodesk mechanical desktop 2006\Crack\Keymaker.exe (Malware.Gen) -> Quarantined and deleted successfully.
d:\documents and settings\installer\msoff\! installer !\b. web & graphic tools\coreldraw graphics suite x3\keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
d:\documents and settings\installer\msoff\! installer !\c. antivirus and security tools\bitdefender antivirus plus v10 + keygen core + patch\CORE10k.EXE (Dont.Steal.Our.Software) -> Quarantined and deleted successfully.
d:\documents and settings\installer\msoff\! installer !\c. antivirus and security tools\bitdefender internet security v10.0 incl.keymaker-core\CORE10k.EXE (Dont.Steal.Our.Software) -> Quarantined and deleted successfully.
d:\documents and settings\installer\msoff\! installer !\d. burning tools\ahead nero v 7.6\Crack\keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
c:\Users\@k3yM\AppData\Roaming\Adobe\shed\thr1.chm (Malware.Trace) -> Quarantined and deleted successfully.
c:\Users\@k3yM\AppData\Roaming\Adobe\plugs\mmc95.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.




Unhide: Successfully run.



DDS.txt log:


.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 7.0.6002.18005
Run by @k3yM at 12:23:44 on 2011-05-30
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2813.1676 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\explorer.exe
C:\Program Files\Acer\Empowering Technology\NotificationCenter\Framework.NotificationCenter.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\WerCon.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\@k3yM\Desktop\MalwareRemoval\dds.scr
C:\Windows\system32\WSCRIPT.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bigseekpro.com/tempcleaner/{87DEC4D9-D6DC-45E3-8D74-F1C1D0E0996F}
uSearch Page =
uSearch Bar =
mStart Page = hxxp://www.bigseekpro.com/tempcleaner/{87DEC4D9-D6DC-45E3-8D74-F1C1D0E0996F}
mSearchAssistant =
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\AxAutoMntSrv.exe" -automount
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\@k3ym\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\amazon~1.lnk - c:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-be ... canner.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\@k3ym\appdata\roaming\mozilla\firefox\profiles\pb9px39p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.soccernet.com/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\users\@k3ym\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\@k3ym\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\@k3ym\appdata\roaming\move networks\plugins\npqmp071705000014.dll
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-6-12 28552]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R1 MpKsl6234e1c2;MpKsl6234e1c2;c:\programdata\microsoft\microsoft antimalware\definition updates\{2656ab6b-0b97-4eee-806b-a316e1287dd2}\MpKsl6234e1c2.sys [2011-5-30 28752]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\playmovie\000.fcl [2009-9-7 61424]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
R2 CLHNService;CLHNService;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\CLHNService.exe [2009-9-7 81504]
R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-5-22 24576]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-26 45056]
R2 NTIPPKernel;NTIPPKernel;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\NTIPPKernel.sys [2009-9-7 122368]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-26 131072]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-23 370688]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-5-22 210432]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2010c\RpcAgentSrv.exe [2010-5-15 93336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-05-30 16:10:46 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{2656ab6b-0b97-4eee-806b-a316e1287dd2}\MpKsl6234e1c2.sys
2011-05-30 14:21:31 6962000 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{2656ab6b-0b97-4eee-806b-a316e1287dd2}\mpengine.dll
2011-05-21 03:17:47 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{442fb6f0-6751-4352-a5f8-c357fe200cb5}\gapaengine.dll
2011-05-20 09:51:58 -------- d-----w- c:\users\@k3ym\appdata\local\Windows Live
2011-05-20 09:51:11 754688 ----a-w- c:\windows\system32\webservices.dll
2011-05-19 20:39:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-10 18:28:16 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-06 20:31:09 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-05-06 20:29:55 -------- d-----w- c:\users\@k3ym\appdata\local\Electronic Arts
2011-05-06 10:50:23 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-05-06 10:50:23 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-05-06 10:50:23 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-05-06 10:50:22 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-05-06 10:50:22 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-05-06 10:50:22 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-05-06 10:50:22 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-05-06 10:50:21 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
.
==================== Find3M ====================
.
2011-03-12 21:55:52 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42:03 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40:13 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-03-03 15:40:07 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40:05 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40:05 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:35:36 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44:27 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
.
============= FINISH: 12:24:46.25 ===============




Attach.txt log:


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-05-19.01)
.
Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume2
Install Date: 9/7/2009 4:18:23 AM
System Uptime: 5/30/2011 12:10:13 PM (0 hours ago)
.
Motherboard: Acer, Inc. | | Grasmoor
Processor: AMD Turion(tm) X2 Dual-Core Mobile RM-70 | Socket M2/S1G1 | 2000/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 70 GiB total, 13.41 GiB free.
D: is FIXED (NTFS) - 70 GiB total, 48.872 GiB free.
E: is CDROM ()
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Acer Arcade Deluxe
Acer Assist
Acer eDataSecurity Management
Acer Empowering Technology
Acer ePower Management
Acer eRecovery Management
Acer eSettings Management
Acer GameZone Console 2.0.1.1
Acer GridVista
Acer Mobility Center Plug-In
Acer Registration
Acer ScreenSaver
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Shockwave Player
Amazon Unbox Video
Apple Application Support
Athan Basic 3.8
CCleaner
CDDRV_Installer
EA Download Manager
EA SPORTS online 2008
erLT
ERUNT 1.1j
eSobi v2
FIFA 11 Demo
HDAUDIO Soft Data Fax Modem with SmartCP
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ImgBurn
K-Lite Mega Codec Pack 3.6.5
KhalInstallWrapper
Launch Manager
LightScribe 1.4.142.1
Logitech SetPoint
Madden NFL 08
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Works
Move Media Player
Mozilla Firefox 4.0.1 (x86 en-US)
MSVCRT
MSXML 4.0 SP2 (KB954430)
NHL® 09
NTI Backup Now 5
NTI Backup Now Standard
NTI Media Maker 8
NVIDIA Drivers
NYKO Gamepad Mapping Tools 2.0.0
OGA Notifier 2.0.0048.0
Orion
Panda ActiveScan 2.0
PhotoNow!
PowerDirector
Quran in Ms Word
R for Windows 2.12.1
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
SiSoftware Sandra Lite 2010c
Skype™ 4.1
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2536413)
Veetle TV 0.9.17
WIDCOMM Bluetooth Software 6.0.1.6400
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Upload Tool
Windows Media Player Firefox Plugin
WinRAR archiver
Yahoo! Messenger
YouTube Downloader 2.6.2
.
==== Event Viewer Messages From Past Week ========
.
5/30/2011 9:30:28 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
5/30/2011 9:30:28 AM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/30/2011 9:30:28 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
5/30/2011 12:10:59 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
5/26/2011 11:18:16 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
5/26/2011 11:12:07 PM, Error: EventLog [6008] - The previous system shutdown at 11:03:13 PM on 5/26/2011 was unexpected.
5/25/2011 4:14:31 AM, Error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
5/25/2011 11:02:36 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.105.365.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6903.0 Error code: 0x8024001e Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
5/25/2011 10:51:03 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.105.365.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6903.0 Error code: 0x8024001e Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
5/25/2011 10:51:03 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.105.365.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6903.0 Error code: 0x8024001e Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
.
==== End Of File ===========================




There is still no item in the Start Menu folders. There is no item in the Quick Launch.

Every time I restart my computer, I get many warnings:

"Error saving file
C:\Windows\ERDNT\AutoBackup\5-30-2011\Security
Continue to the next file?
[RegCreateKeyEx:5-Access is denied] "

Every time I click YES, I get another "error saving file" warning for another file. So I just click NO.
forza
Regular Member
 
Posts: 103
Joined: June 2nd, 2010, 1:05 pm

Re: Windows Vista Recovery virus

Unread postby Carolyn » May 30th, 2011, 2:07 pm

Download CKScanner from here
Important - Save it to your desktop.
Doubleclick CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Windows Vista Recovery virus

Unread postby forza » May 30th, 2011, 2:34 pm

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11
----- EOF -----
forza
Regular Member
 
Posts: 103
Joined: June 2nd, 2010, 1:05 pm

Re: Windows Vista Recovery virus

Unread postby Carolyn » May 31st, 2011, 7:00 am

Hello again,

Every time I restart my computer, I get many warnings:

"Error saving file
C:\Windows\ERDNT\AutoBackup\5-30-2011\Security
Continue to the next file?
[RegCreateKeyEx:5-Access is denied] "


Please uninstall ERUNT. That is the program causing those error messages.

=================================

I see that you have CCleaner installed. Have you removed any temporary files recently?

=================================

Create a System Restore Point
  1. Right-click on Computer ... select Properties.
  2. In the left pane under Tasks ... click System protection.
    If UAC prompts for an administrator password or approval, type the password or give your "permission to continue".
  3. Select System Protection ...then choose Create.
  4. In the System Restore dialog box, type a description for the restore point ... click Create, again.
    A window will pop up with "The Restore Point was created successfully" confirmation message.
  5. Click OK ...then close the System Restore dialog.

=================================

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

=================================

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Right click on OTL.exe and select "Run as administrator" to run it.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please post the following:
  • The answer to my question regarding temporary files
  • The ESET logfile
  • The OTL.txt logfile
  • The Extras.txt logfile
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Windows Vista Recovery virus

Unread postby forza » May 31st, 2011, 3:35 pm

The last time I removed temporary files was about one or two weeks ago.

ESET logfile:


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=97fd995e3286ed4784a1a7cd0003f64e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-05-31 04:29:23
# local_time=2011-05-31 12:29:23 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 29521562 29521562 0 0
# compatibility_mode=5892 16776574 100 100 25760600 143454839 0 0
# compatibility_mode=8192 67108863 100 0 29735258 29735258 0 0
# scanned=165226
# found=0
# cleaned=0
# scan_time=12096




OTL.txt logfile:



OTL logfile created on: 5/31/2011 3:16:53 PM - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Users\@k3yM\Desktop\MalwareRemoval
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.75 Gb Total Physical Memory | 1.13 Gb Available Physical Memory | 41.21% Memory free
5.73 Gb Paging File | 4.22 Gb Available in Paging File | 73.59% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 69.52 Gb Total Space | 12.18 Gb Free Space | 17.52% Space Free | Partition Type: NTFS
Drive D: | 69.52 Gb Total Space | 48.87 Gb Free Space | 70.30% Space Free | Partition Type: NTFS
Drive G: | 3.72 Gb Total Space | 3.00 Gb Free Space | 80.70% Space Free | Partition Type: FAT32

Computer Name: AK3YMS | User Name: @k3yM | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/31 15:15:56 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\@k3yM\Desktop\MalwareRemoval\OTL.exe
PRC - [2011/05/06 06:50:22 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/11/30 14:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/11 13:26:42 | 000,206,360 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
PRC - [2010/11/11 13:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/04/01 05:16:20 | 000,357,696 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\DTLite.exe
PRC - [2009/12/23 17:34:20 | 000,370,688 | ---- | M] (StarWind Software) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
PRC - [2009/05/26 21:06:32 | 004,351,216 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/03/21 16:22:52 | 000,024,576 | ---- | M] () -- C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
PRC - [2008/03/21 16:22:32 | 000,376,832 | ---- | M] (acer) -- C:\Program Files\Acer\Empowering Technology\NotificationCenter\Framework.NotificationCenter.exe
PRC - [2008/03/05 02:38:34 | 000,500,784 | ---- | M] (Egis Incorporated) -- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
PRC - [2008/01/16 18:35:02 | 000,081,504 | ---- | M] () -- C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
PRC - [2007/12/06 19:15:28 | 000,110,592 | ---- | M] () -- C:\ACER\Mobility Center\MobilityService.exe


========== Modules (SafeList) ==========

MOD - [2011/05/31 15:15:56 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\@k3yM\Desktop\MalwareRemoval\OTL.exe
MOD - [2010/08/31 11:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/11/11 13:26:42 | 000,206,360 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV - [2010/11/11 13:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/09/13 12:48:12 | 000,025,704 | R--- | M] (Amazon.com) [Auto | Stopped] -- C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe -- (ADVService)
SRV - [2009/12/23 17:34:20 | 000,370,688 | ---- | M] (StarWind Software) [Auto | Running] -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE)
SRV - [2009/08/24 17:19:18 | 000,093,336 | ---- | M] (SiSoftware) [On_Demand | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010c\RpcAgentSrv.exe -- (SandraAgentSrv)
SRV - [2009/07/20 12:28:10 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2008/03/21 16:22:52 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Program Files\Acer\Empowering Technology\Service\ETService.exe -- (ETService)
SRV - [2008/03/05 02:38:34 | 000,500,784 | ---- | M] (Egis Incorporated) [Auto | Running] -- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe -- (eDataSecurity Service)
SRV - [2008/01/20 22:33:00 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/16 18:35:02 | 000,081,504 | ---- | M] () [Auto | Running] -- C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe -- (CLHNService)
SRV - [2007/12/06 19:15:28 | 000,110,592 | ---- | M] () [Auto | Running] -- C:\Acer\Mobility Center\MobilityService.exe -- (MobilityService)


========== Driver Services (SafeList) ==========

DRV - [2011/05/31 15:03:11 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{05447389-3D8F-4683-8EBF-1456192D9E7B}\MpKsl6f735418.sys -- (MpKsl6f735418)
DRV - [2010/10/24 22:25:38 | 000,054,144 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2010/10/24 22:25:38 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2010/10/08 22:58:42 | 000,281,760 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\atksgt.sys -- (atksgt)
DRV - [2010/10/08 22:58:41 | 000,025,888 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2010/05/08 05:43:19 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/08/07 23:46:56 | 000,023,112 | ---- | M] (SiSoftware) [Kernel | On_Demand | Stopped] -- C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2010c\WNt500x86\sandra.sys -- (SANDRA)
DRV - [2009/06/30 09:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\Windows\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2009/06/17 12:56:32 | 000,028,560 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2009/06/17 12:56:16 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2009/06/17 12:56:06 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2008/05/18 23:00:00 | 007,446,656 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/05/18 22:59:00 | 000,761,856 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/05/09 12:03:58 | 000,061,424 | ---- | M] (Cyberlink Corp.) [Kernel | Auto | Running] -- C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl -- ({49DE1C67-83F8-4102-99E0-C16DCC7EEC796})
DRV - [2008/05/06 02:12:00 | 000,014,848 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2008/05/05 04:15:00 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2008/03/21 13:48:24 | 000,015,392 | ---- | M] (Acer, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\int15.sys -- (int15)
DRV - [2008/01/16 18:35:08 | 000,122,368 | ---- | M] (Cyberlink Corp.) [Kernel | Auto | Running] -- C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys -- (NTIPPKernel)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bigseekpro.com/tempcleaner/{87DEC4D9-D6DC-45E3-8D74-F1C1D0E0996F}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2506131056-3247040052-1697288011-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://global.acer.com [binary data]
IE - HKU\S-1-5-21-2506131056-3247040052-1697288011-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-2506131056-3247040052-1697288011-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bigseekpro.com/tempcleaner/{87DEC4D9-D6DC-45E3-8D74-F1C1D0E0996F}
IE - HKU\S-1-5-21-2506131056-3247040052-1697288011-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2506131056-3247040052-1697288011-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.soccernet.com/"
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/06 06:50:29 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/30 09:30:28 | 000,000,000 | ---D | M]

[2010/05/07 03:48:34 | 000,000,000 | ---D | M] (No name found) -- C:\Users\@k3yM\AppData\Roaming\mozilla\Extensions
[2011/05/27 10:12:09 | 000,000,000 | ---D | M] (No name found) -- C:\Users\@k3yM\AppData\Roaming\mozilla\Firefox\Profiles\pb9px39p.default\extensions
[2010/05/12 03:06:16 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\@k3yM\AppData\Roaming\mozilla\Firefox\Profiles\pb9px39p.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/05/30 09:32:55 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
File not found (No name found) --
[2010/01/04 20:24:22 | 000,000,000 | ---D | M] (Move Media Player) -- C:\USERS\@K3YM\APPDATA\ROAMING\MOVE NETWORKS
[2011/05/06 06:50:22 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/06/11 16:29:31 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2011/05/06 06:50:25 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (Egis)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKU\S-1-5-21-2506131056-3247040052-1697288011-1000\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2506131056-3247040052-1697288011-1000..\Run: [AlcoholAutomount] C:\Program Files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe (Alcohol Soft Development Team)
O4 - HKU\S-1-5-21-2506131056-3247040052-1697288011-1000..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-2506131056-3247040052-1697288011-1000\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-2506131056-3247040052-1697288011-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-be ... canner.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\livecall - No CLSID value found
O18 - Protocol\Handler\msnim - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\@k3yM\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\@k3yM\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/07/12 15:22:44 | 000,000,000 | ---D | M] - G:\autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{707ddbac-c1e1-11de-9f6d-001e68912613}\Shell - "" = AutoRun
O33 - MountPoints2\{707ddbac-c1e1-11de-9f6d-001e68912613}\Shell\AutoRun\command - "" = F:\autorun.exe
O33 - MountPoints2\{ac4839c2-a485-11df-a52e-001e68912613}\Shell\AutoRun\command - "" = G:\sources\sperr32.exe x64
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/30 09:30:21 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/05/27 10:05:29 | 000,000,000 | ---D | C] -- C:\Users\@k3yM\Desktop\MalwareRemoval
[2011/05/27 07:23:37 | 000,000,000 | ---D | C] -- D:\Documents and Settings\DriverPerformer
[2011/05/26 23:14:00 | 000,000,000 | ---D | C] -- C:\Users\@k3yM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Recovery
[2011/05/20 05:51:58 | 000,000,000 | ---D | C] -- C:\Users\@k3yM\AppData\Local\Windows Live
[2011/05/20 05:51:11 | 000,754,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\webservices.dll
[2011/05/19 16:39:31 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/05/15 20:45:12 | 000,000,000 | ---D | C] -- C:\Users\@k3yM\Desktop\EAS 375
[2011/05/06 16:31:09 | 000,107,888 | ---- | C] (Sony DADC Austria AG.) -- C:\Windows\System32\CmdLineExt.dll
[2011/05/06 16:29:55 | 000,000,000 | ---D | C] -- C:\Users\@k3yM\AppData\Local\Electronic Arts
[2011/05/06 16:29:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Electronic Arts
[2010/01/28 22:48:12 | 000,172,032 | ---- | C] ( ) -- C:\Windows\System32\rsnp2uvc.dll
[7 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[7 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/31 14:10:41 | 000,003,216 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/05/31 14:10:41 | 000,003,216 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/05/31 10:24:56 | 000,606,602 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/05/31 10:24:56 | 000,105,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/05/31 04:07:56 | 000,137,085 | ---- | M] () -- C:\Users\@k3yM\Desktop\result spring 2011.jpg
[2011/05/30 14:32:40 | 000,453,632 | ---- | M] () -- C:\Users\@k3yM\Desktop\CKScanner.exe
[2011/05/30 12:11:00 | 000,000,000 | ---- | M] () -- C:\Windows\System32\LogConfigTemp.xml
[2011/05/30 12:10:35 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/05/30 12:10:30 | 2951,073,792 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/30 12:09:36 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2011/05/26 23:14:01 | 000,000,599 | ---- | M] () -- C:\Users\@k3yM\Desktop\Windows Vista Recovery.lnk
[2011/05/26 22:02:17 | 000,000,117 | ---- | M] () -- C:\Users\@k3yM\webct_upload_applet.properties
[2011/05/25 11:05:02 | 000,387,288 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/05/20 02:55:38 | 000,010,512 | -HS- | M] () -- C:\Users\@k3yM\AppData\Local\7hn5e2f7f5qufoh8wiu4258
[2011/05/20 02:55:38 | 000,010,512 | -HS- | M] () -- C:\ProgramData\7hn5e2f7f5qufoh8wiu4258
[2011/05/19 16:39:31 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/05/06 16:31:09 | 000,107,888 | ---- | M] (Sony DADC Austria AG.) -- C:\Windows\System32\CmdLineExt.dll
[7 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[7 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/31 04:07:56 | 000,137,085 | ---- | C] () -- C:\Users\@k3yM\Desktop\result spring 2011.jpg
[2011/05/30 14:32:39 | 000,453,632 | ---- | C] () -- C:\Users\@k3yM\Desktop\CKScanner.exe
[2011/05/26 23:14:01 | 000,000,599 | ---- | C] () -- C:\Users\@k3yM\Desktop\Windows Vista Recovery.lnk
[2011/05/20 02:36:29 | 000,010,512 | -HS- | C] () -- C:\Users\@k3yM\AppData\Local\7hn5e2f7f5qufoh8wiu4258
[2011/05/20 02:36:29 | 000,010,512 | -HS- | C] () -- C:\ProgramData\7hn5e2f7f5qufoh8wiu4258
[2010/10/08 22:58:42 | 000,281,760 | ---- | C] () -- C:\Windows\System32\drivers\atksgt.sys
[2010/10/08 22:58:41 | 000,025,888 | ---- | C] () -- C:\Windows\System32\drivers\lirsgt.sys
[2010/09/06 14:42:14 | 000,000,600 | ---- | C] () -- C:\Users\@k3yM\AppData\Local\PUTTY.RND
[2010/05/15 15:37:54 | 012,427,264 | ---- | C] () -- C:\ProgramData\sandra.mda
[2010/04/09 01:40:05 | 000,000,680 | ---- | C] () -- C:\Users\@k3yM\AppData\Local\d3d9caps.dat
[2010/03/05 23:16:20 | 000,004,096 | ---- | C] () -- C:\Windows\d3dx.dat
[2010/03/01 19:49:52 | 000,000,238 | ---- | C] () -- C:\Windows\mafosav.INI
[2010/01/28 22:48:13 | 001,749,376 | ---- | C] () -- C:\Windows\System32\snp2uvc.sys
[2010/01/28 22:48:12 | 000,028,032 | ---- | C] () -- C:\Windows\System32\sncduvc.sys
[2010/01/28 22:48:12 | 000,000,131 | ---- | C] () -- C:\Windows\System32\PidList.ini
[2010/01/28 21:34:51 | 000,000,048 | ---- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/01/04 20:22:25 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2009/10/07 20:37:37 | 000,000,012 | ---- | C] () -- C:\Windows\bthservsdp.dat
[2009/09/23 18:38:06 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/09/23 18:38:05 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/09/15 08:28:06 | 000,028,672 | ---- | C] () -- C:\Users\@k3yM\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/12 03:04:34 | 000,164,352 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2009/09/12 03:04:06 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2009/09/12 03:04:00 | 000,007,680 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/09/07 12:46:30 | 000,000,062 | ---- | C] () -- C:\Windows\wininit.ini
[2009/09/07 03:08:00 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 16:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2008/05/22 23:54:27 | 000,001,024 | R--- | C] () -- C:\Windows\System32\NTIOFM4.dll
[2008/05/22 23:54:27 | 000,001,024 | R--- | C] () -- C:\Windows\System32\NTIBUN5.dll
[2008/05/22 23:34:45 | 000,749,568 | ---- | C] () -- C:\Windows\AcerStore.exe
[2008/05/22 23:33:36 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2008/05/22 23:14:12 | 000,204,800 | ---- | C] () -- C:\Windows\System32\SysHook.dll
[2008/05/22 23:09:39 | 000,487,424 | ---- | C] () -- C:\Windows\System32\INT15.dll
[2008/05/22 22:56:29 | 000,001,694 | ---- | C] () -- C:\Windows\RtDefLvl.ini
[2008/05/22 22:56:29 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\RTEQEX1.dat
[2008/05/22 22:56:29 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\RTEQEX0.dat
[2008/05/22 22:56:29 | 000,000,008 | ---- | C] () -- C:\Windows\System32\drivers\rtkhdaud.dat
[2006/11/02 08:53:49 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:44:53 | 000,387,288 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 06:33:01 | 000,606,602 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,105,170 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2001/12/26 19:12:30 | 000,065,536 | ---- | C] () -- C:\Windows\System32\multiplex_vcd.dll
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll
[2001/09/04 02:46:38 | 000,110,592 | ---- | C] () -- C:\Windows\System32\Hmpg12.dll
[2001/07/30 19:33:56 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC.dll
[2001/07/24 01:04:36 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC_MMX.dll

< End of report >

Extras.txt logfile:

OTL Extras logfile created on: 5/31/2011 3:16:53 PM - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Users\@k3yM\Desktop\MalwareRemoval
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.75 Gb Total Physical Memory | 1.13 Gb Available Physical Memory | 41.21% Memory free
5.73 Gb Paging File | 4.22 Gb Available in Paging File | 73.59% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 69.52 Gb Total Space | 12.18 Gb Free Space | 17.52% Space Free | Partition Type: NTFS
Drive D: | 69.52 Gb Total Space | 48.87 Gb Free Space | 70.30% Space Free | Partition Type: NTFS
Drive G: | 3.72 Gb Total Space | 3.00 Gb Free Space | 80.70% Space Free | Partition Type: FAT32

Computer Name: AK3YMS | User Name: @k3yM | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-2506131056-3247040052-1697288011-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{14737F1F-749F-4D4E-AFD9-A032107C5EA9}" = lport=139 | protocol=6 | dir=in | app=system |
"{14D44008-4876-4DBB-9B85-E8BFC4407DE3}" = lport=rpc | protocol=6 | dir=in | app=c:\program files\sisoftware\sisoftware sandra lite 2010c\wnt500x86\rpcsandrasrv.exe |
"{377AB6D8-A5B2-41D9-9CAE-61CA872DD87F}" = rport=138 | protocol=17 | dir=out | app=system |
"{446FB42C-502D-4AF5-9A46-5E13BDDC7CEF}" = lport=138 | protocol=17 | dir=in | app=system |
"{5186507F-A2CB-41A1-B925-49F01437A94C}" = rport=139 | protocol=6 | dir=out | app=system |
"{6DC5D09A-B347-4AF9-A6BF-E1F32F734BD2}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{83485807-C051-44F7-BFD0-63DB54623A00}" = lport=rpc | protocol=6 | dir=in | app=c:\program files\sisoftware\sisoftware sandra lite 2010c\rpcagentsrv.exe |
"{ADB23263-DC69-4D96-AA3D-FA386655F354}" = rport=445 | protocol=6 | dir=out | app=system |
"{BE8EABF4-D25A-471D-AD70-8C8F8B649B34}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{CF96A000-9495-465F-98B6-7CDADCBD5F11}" = lport=137 | protocol=17 | dir=in | app=system |
"{D2DA48FE-77AD-42DD-9FD3-CE8A86468341}" = lport=rpc | protocol=6 | dir=in | app=c:\program files\sisoftware\sisoftware sandra lite 2010c\wnt500x86\rpcsandrasrv.exe |
"{E204F86D-6D67-4526-81B3-4403E8A3AA78}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{E38E168F-D866-4B5D-81ED-3ADD61104F45}" = lport=445 | protocol=6 | dir=in | app=system |
"{E99F5308-E413-4EDD-896B-4FCC45BC70DE}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{ECA8C499-91A0-4129-BABE-288C6D67D94A}" = lport=2869 | protocol=6 | dir=in | app=system |
"{ED3A0DA0-8BF3-4C88-BA10-BAF434359D09}" = rport=137 | protocol=17 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{098F63AD-D441-459C-8910-65C895C3D071}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{0EA7FADA-E4E7-41F6-A812-AB5A9BBF3936}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{1FCC4AA9-06EA-428F-8422-03FCC0F23C48}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{210A549A-7FF7-4F59-A960-604C12E4F6D0}" = protocol=6 | dir=in | app=c:\program files\steam\steam.exe |
"{30168C5A-8BDD-4847-9ACD-9FF00386BFD0}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{3421E92E-9581-4F44-A94C-522E0B1322C6}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{367E36D2-DCCA-42F1-9D99-58C24DD04A49}" = protocol=1 | dir=in | app=c:\program files\sisoftware\sisoftware sandra lite 2010c\wnt500x86\rpcsandrasrv.exe |
"{3DF26E3E-A5C0-4621-99D9-D59F6A9FAC78}" = protocol=6 | dir=in | app=c:\program files\sports interactive\football manager 2009\fm.exe |
"{432CBF54-983E-4D8D-85EB-BFA142742928}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{4A3DBFD7-5E0F-4578-9AEF-4C8294B8CCC8}" = dir=in | app=c:\program files\acer arcade deluxe\homemedia\homemedia.exe |
"{50C72C87-D85B-46C8-9551-0F401ED518D8}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{55D8AB30-E270-4209-A40E-E1AB6C39BE08}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\schedulersvc.exe |
"{57295501-B742-4641-B692-F5E73438AE0C}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{62F4C103-625B-4F2A-8F3E-1ED074FD67D4}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{64F3C2B1-378B-446B-B40A-138FBEE46285}" = protocol=17 | dir=in | app=c:\program files\sports interactive\football manager 2009\fm.exe |
"{681A8CD3-3D9D-4519-9A7E-AB4CAF648393}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\schedulersvc.exe |
"{77059593-8CAF-4706-BA15-5C3F12576BBC}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\client\agentsvc.exe |
"{79C1B608-9AAF-4C7D-9ECC-2B9870796C70}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{7D76BF94-8907-4A0A-88E9-7564AD8898EC}" = protocol=1 | dir=in | app=c:\program files\sisoftware\sisoftware sandra lite 2010c\rpcagentsrv.exe |
"{882E3C6A-C1C4-4E26-B59D-52E6D1864F5A}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{88C8EE2E-A941-4024-A034-E06F42A1362A}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{891D4E99-2EAF-408D-A732-E45C6B96E133}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\client\agentsvc.exe |
"{8C15B218-D10D-4FA0-9B37-B5AA828CABDF}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{8F11D27C-FB82-48D3-ACB5-20C3F2A0F7CA}" = protocol=1 | dir=in | app=c:\program files\sisoftware\sisoftware sandra lite 2010c\wnt500x86\rpcsandrasrv.exe |
"{969CB21D-C89E-4CF4-9BAF-917260A85D01}" = protocol=17 | dir=in | app=c:\program files\steam\steam.exe |
"{B199E240-2197-4E9B-AB2E-4A8C14BA6648}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{B3123D82-D8AE-483C-800B-BA0389AADA03}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |
"{C72102D2-4E62-4600-AAF1-BE268D7544E1}" = dir=in | app=c:\program files\acer arcade deluxe\playmovie\playmovie.exe |
"{C9D0D467-BDCB-49B7-8CCA-5DAF53A0B993}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{D3025A53-7A60-4349-97F8-AD9F270579F7}" = dir=in | app=c:\program files\acer arcade deluxe\acer arcade deluxe\acer arcade deluxe.exe |
"{D699AF43-C2A0-486C-976E-01E3D32272B1}" = protocol=17 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\backupsvc.exe |
"{E72791FD-D875-4231-839A-5558D77C703E}" = protocol=6 | dir=in | app=c:\program files\newtech infosystems\nti backup now 5\backupsvc.exe |
"{F6CE7CEF-6839-4D1A-9807-7B808B50BC74}" = dir=in | app=c:\program files\acer arcade deluxe\playmovie\pmvservice.exe |
"{F7AE7553-50C3-46CE-BEFB-846BCAD19506}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{FC2082A0-C2D3-404B-AC24-69CDABC1A7E0}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"TCP Query User{5498B74F-0CF3-47F4-9865-DA70DD5430CA}C:\program files\valve\hl.exe" = protocol=6 | dir=in | app=c:\program files\valve\hl.exe |
"TCP Query User{6CE16F0B-69DB-4B4C-9C2B-AF69A4350CC2}D:\pes2010 installed\pes2010.exe" = protocol=6 | dir=in | app=d:\pes2010 installed\pes2010.exe |
"TCP Query User{BCDD7723-152F-4A39-8D08-2B83B475F6B8}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"TCP Query User{C2557A2F-24A0-4A5B-95B8-C179CF88103E}C:\program files\ea sports\fifa 11 demo\game\fifa.exe" = protocol=6 | dir=in | app=c:\program files\ea sports\fifa 11 demo\game\fifa.exe |
"TCP Query User{FC41D4A7-155C-4C65-AB7C-2DB009D6E51F}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{208FF257-E9A2-4B6B-9F71-EFE0642D4458}C:\program files\ea sports\fifa 11 demo\game\fifa.exe" = protocol=17 | dir=in | app=c:\program files\ea sports\fifa 11 demo\game\fifa.exe |
"UDP Query User{230363BD-AB76-4C39-B82B-4115672499E8}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"UDP Query User{AD4F0C60-6F7F-42D1-8809-FD42A599B38E}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{D3B66564-76F8-4AF3-8B77-6A5598FBDD0C}C:\program files\valve\hl.exe" = protocol=17 | dir=in | app=c:\program files\valve\hl.exe |
"UDP Query User{DA16C1AA-D0C1-4457-AB24-FCA66BDE03C0}D:\pes2010 installed\pes2010.exe" = protocol=17 | dir=in | app=d:\pes2010 installed\pes2010.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{03D1988F-469F-4843-8E6E-E5FE9D17889D}" = WIDCOMM Bluetooth Software 6.0.1.6400
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{11316260-6666-467B-AC34-183FCB5D4335}" = Acer Mobility Center Plug-In
"{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now Standard
"{13D85C14-2B85-419F-AC41-C7F21E68B25D}" = Acer eSettings Management
"{15D967B5-A4BE-42AE-9E84-64CD062B25AA}" = eSobi v2
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 2.6.2
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Acer Arcade Deluxe
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4650F3BF-F9ED-45AB-00A3-C927351E177F}" = Madden NFL 08
"{4AE5C6C0-37AF-11DD-AE16-0800200C9A66}" = NHL® 09
"{54A4839E-87F8-4BD1-9682-A349E9943F0A}" = Amazon Unbox Video
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{58E5844B-7CE2-413D-83D1-99294BF6C74F}" = Acer ePower Management
"{5B63A470-9334-44D1-AF61-6CE2DB565AE9}" = Orion
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
"{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}" = Acer ScreenSaver
"{7F811A54-5A09-4579-90E1-C93498E230D9}" = Acer eRecovery Management
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{8F1B6239-FEA0-450A-A950-B05276CE177C}" = Acer Empowering Technology
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT
"{A5633652-3795-4829-BB0B-644F0279E279}" = Acer eDataSecurity Management
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{C3113E55-7BCB-4de3-8EBF-60E6CE6B2296}_is1" = SiSoftware Sandra Lite 2010c
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe 1.4.142.1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D36DD326-7280-11D8-97C8-000129760CBE}" = PhotoNow!
"{DC158DF7-6B36-4C6F-BC91-109014297994}" = FIFA 11 Demo
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"82A44D22-9452-49FB-00FB-CEC7DCAF7E23" = EA SPORTS online 2008
"Acer Assist" = Acer Assist
"Acer GameZone Console_is1" = Acer GameZone Console 2.0.1.1
"Acer Registration" = Acer Registration
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Athan" = Athan Basic 3.8
"CCleaner" = CCleaner
"CNXT_MODEM_HDA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"EADM" = EA Download Manager
"ENTERPRISER" = Microsoft Office Enterprise 2007
"GridVista" = Acer GridVista
"ImgBurn" = ImgBurn
"InstallShield_{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now 5
"InstallShield_{15D967B5-A4BE-42AE-9E84-64CD062B25AA}" = eSobi v2
"InstallShield_{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
"InstallShield_{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Acer Arcade Deluxe
"InstallShield_{54A4839E-87F8-4BD1-9682-A349E9943F0A}" = Amazon Unbox Video
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 3.6.5
"LManager" = Launch Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 4.0.1 (x86 en-US)" = Mozilla Firefox 4.0.1 (x86 en-US)
"NVIDIA Drivers" = NVIDIA Drivers
"NYKO Gamepad Mapping Tools_is1" = NYKO Gamepad Mapping Tools 2.0.0
"Quran in Ms Word_is1" = Quran in Ms Word
"R for Windows 2.12.1_is1" = R for Windows 2.12.1
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Veetle TV" = Veetle TV 0.9.17
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2506131056-3247040052-1697288011-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/11/2010 4:00:18 PM | Computer Name = Ak3yMs | Source = WinMgmt | ID = 10
Description =

Error - 8/12/2010 3:01:40 AM | Computer Name = Ak3yMs | Source = MsiInstaller | ID = 11606
Description =

Error - 8/12/2010 3:01:40 AM | Computer Name = Ak3yMs | Source = MsiInstaller | ID = 11606
Description =

Error - 8/12/2010 3:01:40 AM | Computer Name = Ak3yMs | Source = MsiInstaller | ID = 1024
Description =

Error - 8/12/2010 3:02:23 AM | Computer Name = Ak3yMs | Source = MsiInstaller | ID = 11606
Description =

Error - 8/12/2010 3:02:23 AM | Computer Name = Ak3yMs | Source = MsiInstaller | ID = 11606
Description =

Error - 8/12/2010 3:02:23 AM | Computer Name = Ak3yMs | Source = MsiInstaller | ID = 1024
Description =

Error - 8/12/2010 3:07:16 AM | Computer Name = Ak3yMs | Source = MsiInstaller | ID = 11606
Description =

Error - 8/12/2010 3:07:16 AM | Computer Name = Ak3yMs | Source = MsiInstaller | ID = 11606
Description =

Error - 8/12/2010 3:07:16 AM | Computer Name = Ak3yMs | Source = MsiInstaller | ID = 1024
Description =

[ OSession Events ]
Error - 12/7/2009 8:39:17 AM | Computer Name = Ak3yMs | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 5132
seconds with 180 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 5/26/2011 11:12:55 PM | Computer Name = Ak3yMs | Source = Service Control Manager | ID = 7000
Description =

Error - 5/26/2011 11:18:16 PM | Computer Name = Ak3yMs | Source = Service Control Manager | ID = 7022
Description =

Error - 5/26/2011 11:35:11 PM | Computer Name = Ak3yMs | Source = Service Control Manager | ID = 7000
Description =

Error - 5/27/2011 7:15:21 AM | Computer Name = Ak3yMs | Source = Service Control Manager | ID = 7000
Description =

Error - 5/27/2011 7:47:21 AM | Computer Name = Ak3yMs | Source = Service Control Manager | ID = 7000
Description =

Error - 5/27/2011 10:13:26 AM | Computer Name = Ak3yMs | Source = Service Control Manager | ID = 7000
Description =

Error - 5/30/2011 9:30:28 AM | Computer Name = Ak3yMs | Source = DCOM | ID = 10005
Description =

Error - 5/30/2011 9:30:28 AM | Computer Name = Ak3yMs | Source = Service Control Manager | ID = 7009
Description =

Error - 5/30/2011 9:30:28 AM | Computer Name = Ak3yMs | Source = Service Control Manager | ID = 7000
Description =

Error - 5/30/2011 12:10:59 PM | Computer Name = Ak3yMs | Source = Service Control Manager | ID = 7000
Description =


< End of report >
forza
Regular Member
 
Posts: 103
Joined: June 2nd, 2010, 1:05 pm

Re: Windows Vista Recovery virus

Post by Carolyn » June 1st, 2011, 10:29 am

Hi,

I have not had a chance to review the OTL logs as of yet. Let's see if we can take care of the Start Menu issue, we can deal with any of the OTL results later.

Create a System Restore Point
  • Go to Start, then type System Restore (do not hit enter!)
  • Select Create a restore point
  • Click Create
  • Type a description in the window that opened, then click Create again.

TakeOwnership
  • Download TakeOwnership.zip and save it to your desktop.
  • Right-click on TakeOwnership.zip and select "Extract all". Extract the contents of the zip file to your desktop.
  • Double-click the InstallTakeOwnership.reg file and click through the prompts.

Next,

Set Your Computer to Show All Files/Folders.
  • Click Start.
  • Open Computer.
  • Press the ALT key.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Take Ownership of the Start Menu Folder and run Unhide again
  • Click Start.
  • Open Computer.
  • Double-click the folder ProgramData.
  • Right-click the folder Start Menu and select Take Ownership.
  • Double-click Unhide to run the program.

============================

Please go to the Start Menu. Let me know if the folders have been restored.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Windows Vista Recovery virus

Post by forza » June 1st, 2011, 6:29 pm

I desperately needed to read a PDF file, so I just installed Adobe Reader. Should I uninstall it first before doing the steps above?

Re: Windows Vista Recovery virus

Post by Carolyn » June 1st, 2011, 6:38 pm

No need to uninstall Adobe Reader. It's fine that you installed it, so long as it is the current version. :)

Re: Windows Vista Recovery virus

Post by forza » June 2nd, 2011, 10:57 am

There are still no folders in the Start Menu.

Re: Windows Vista Recovery virus

Post by Carolyn » June 3rd, 2011, 7:41 am

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Right-click SystemLook.exe and select "Run as administrator" to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    %Temp%\smtmp\1 /s
  • Click the Look button to start the scan.
  • When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.

Re: Windows Vista Recovery virus

Post by forza » June 3rd, 2011, 8:59 pm

SystemLook.txt log:


SystemLook 04.09.10 by jpshortstuff
Log created at 20:58 on 03/06/2011 by @k3yM
Administrator - Elevation successful

========== dir ==========

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1 - Parameters: "/s"

---Files---
None found.

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Accessories d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Accessories\Accessibility d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Accessories\Media Center d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Accessories\Media Center\Media Center Programs d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Accessories\System Tools d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Accessories\Windows PowerShell d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer\Empowering Technology d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer Arcade Deluxe d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer Arcade Deluxe\Acer Arcade Deluxe d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer Crystal Eye webcam d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GameZone d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GameZone\Agatha Christie Death on the Nile d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GameZone\Alice Greenfingers d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GameZone\Azada d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GameZone\Backspin Billiards d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GameZone\Big Kahuna Reef d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GameZone\Bookworm Deluxe d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GameZone\Bricks of Egypt d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GameZone\Cake Mania d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GameZone\Chicken Invaders 3 d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GameZone\Chuzzle d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GameZone\Diner Dash Flo on the Go d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GameZone\Flip Words 2 d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GameZone\Jewel Quest Solitaire d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GameZone\Kick N Rush d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GameZone\Mahjong Escape Ancient China d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GameZone\Mahjongg Artifacts d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GameZone\Mystery Case Files - Huntsville d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GameZone\Mystery Solitaire - Secret Island d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GameZone\Turbo Pizza d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Acer GridVista d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\AcerSystem d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Administrative Tools d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Alcohol 120% d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Amazon d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Amazon\Amazon Unbox Video d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Athan d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Canon MP210 series Manual d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\EA Sports d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\EA Sports\Madden NFL 08 d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Electronic Arts d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Electronic Arts\Electronic Arts d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Electronic Arts\Electronic Arts\EA Download Manager d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\ERUNT d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\eSobi v2 d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Extras and Upgrades d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\GameHouse d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Games d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\K-Lite Codec Pack d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\K-Lite Codec Pack\Configuration d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\K-Lite Codec Pack\Help d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\K-Lite Codec Pack\Tools d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\K-Lite Codec Pack\Uninstall d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Launch Manager d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Logitech d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Logitech\Mouse and Keyboard d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Logitech\Unifying d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\MagicISO d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Maintenance d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Malwarebytes' Anti-Malware d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Microsoft Office d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Microsoft Office\Microsoft Office Tools d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Microsoft Works d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\NTI Backup Now 5 d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\NTI Media Maker 8 d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\NYKO d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\NYKO\Gamepad Mapping Tools d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\SiSoftware d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\SiSoftware\Database Schemas d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\SiSoftware\Example Scripts d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\SiSoftware\Internet Links d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\SiSoftware\Sample Reports d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Skype d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\SpywareBlaster d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Startup d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Windows Live d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Windows PowerShell 1.0 d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\WinRAR d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\Yahoo! Messenger d------ [03:13 27/05/2011]

C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\Programs\YouTube Downloader d------ [03:13 27/05/2011]

-= EOF =-

Re: Windows Vista Recovery virus

Post by Carolyn » June 4th, 2011, 1:21 pm

Disable Microsoft Security Essentials

  • Open MSE and go to Settings > Real Time Protection.
  • Then uncheck "Turn on real time protection".
  • Exit MSE when done.
  • Note: Don't forget to Re-enable it after the below fix.

==================================

Run a Custom OTL Script
  • Right-click OTL.exe and select "Run as administrator" to start the program.
  • Copy and paste the following code into the textbox. Do not include the word Code.
    :processes
    killallprocesses
    
    :OTL
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-be ... canner.cab (Reg Error: Key error.)
    O18 - Protocol\Handler\livecall - No CLSID value found
    O18 - Protocol\Handler\msnim - No CLSID value found
    C:\Users\@k3yM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Recovery
    C:\Users\@k3yM\AppData\Local\7hn5e2f7f5qufoh8wiu4258
    C:\ProgramData\7hn5e2f7f5qufoh8wiu4258
    
    :Files
    C:\ProgramData\Start Menu\*.*|C:\Users\@k3yM\AppData\Local\Temp\smtmp\1\*.* /replace
    
    :Commands
    [CREATERESTOREPOINT]
    

  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

Have the programs in the Start Menu been restored?
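The repair Carolyn walks through in her two instruction posts above (restore point, Take Ownership, Unhide, then the OTL :Files line that brings %Temp%\smtmp\1 back over C:\ProgramData\Start Menu) can also be done as one PowerShell script. The script below is an added example written for this page; it is not code from the thread, from OTL, from Unhide or from TakeOwnership.zip. It assumes Windows Vista or later with PowerShell 2.0 or newer, run from an elevated ("Run as administrator") console. The function names are this example's own, as are the use of takeown.exe and icacls.exe in place of the .reg context-menu entry and the choice of C:\ProgramData\Microsoft\Windows\Start Menu as the destination (on Vista, C:\ProgramData\Start Menu is a junction that points at that folder). It handles only the smtmp\1 folder, which the OTL line in the thread pairs with the All Users Start Menu.

```powershell
# Added example, not code from the MalwareRemoval.com thread, OTL, Unhide or TakeOwnership.zip.
# Reproduces the manual steps in PowerShell: restore point, take ownership of the All Users
# Start Menu, clear the Hidden/System attributes the rogue set, move the shortcuts it parked
# in %Temp%\smtmp\1 back into place, then report what was done.
# Assumes Windows Vista or later, PowerShell 2.0+, elevated console. Function names are this
# example's own; the paths mirror the thread.

$StartMenu = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'   # target of the ProgramData\Start Menu junction
$Stash     = Join-Path $env:TEMP 'smtmp\1'                               # where the rogue moved the shortcuts

function Restore-Ownership {
    # Same effect as the "Take Ownership" context-menu entry: Administrators become owner
    # of the whole tree and get full control, so attributes and files can be changed.
    param([string]$Path)
    # /R recurses, /A gives ownership to Administrators, /D answers the prompt (letter is locale-specific).
    & takeown.exe /F $Path /R /A /D Y | Out-Null
    # *S-1-5-32-544 is the well-known SID of Administrators, so this also works on non-English Windows.
    & icacls.exe $Path /grant '*S-1-5-32-544:(OI)(CI)F' /T /C | Out-Null
}

function Clear-HiddenAttributes {
    # What Unhide does for one tree: strip Hidden and System from every file and folder.
    # Legitimate desktop.ini files lose those bits as well, exactly as with Unhide.
    # Returns the number of items whose attributes were changed.
    param([string]$Path)
    $mask    = [int]([System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System)
    $changed = 0
    foreach ($item in Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue) {
        $current = [int]$item.Attributes
        if (($current -band $mask) -ne 0) {
            $item.Attributes = [System.IO.FileAttributes]($current -band (-bnot $mask))
            $changed++
        }
    }
    return $changed
}

function Restore-StartMenuFromStash {
    # What the OTL ":Files ... /replace" line does: recreate the stash's folder layout under
    # the Start Menu (so empty program groups return too), then move every stashed file to
    # the same relative path, overwriting whatever is there. Returns the number of files moved;
    # 0 when the stash folder is missing or holds no files.
    param([string]$Source, [string]$Destination)
    $Source = $Source.TrimEnd('\')
    if (-not (Test-Path -LiteralPath $Source)) { return 0 }
    $all = [System.IO.SearchOption]::AllDirectories
    # .NET enumerators return paths prefixed with $Source exactly as given, so Substring is safe
    # even when %TEMP% is an 8.3 short path (user names such as @k3yM can produce one).
    foreach ($dir in [System.IO.Directory]::GetDirectories($Source, '*', $all)) {
        $relative = $dir.Substring($Source.Length).TrimStart('\')
        $target   = Join-Path $Destination $relative
        if (-not (Test-Path -LiteralPath $target)) {
            New-Item -ItemType Directory -Path $target -Force | Out-Null
        }
    }
    $moved = 0
    foreach ($file in [System.IO.Directory]::GetFiles($Source, '*', $all)) {
        $relative = $file.Substring($Source.Length).TrimStart('\')
        $target   = Join-Path $Destination $relative
        Move-Item -LiteralPath $file -Destination $target -Force
        $moved++
    }
    return $moved
}

function Get-StartMenuSummary {
    # Counts used to confirm the repair: shortcuts now under the Start Menu, items still
    # marked Hidden there, and files left behind in the stash.
    param([string]$MenuPath, [string]$StashPath)
    $items  = @(Get-ChildItem -LiteralPath $MenuPath -Recurse -Force -ErrorAction SilentlyContinue)
    $hidden = @($items | Where-Object { ([int]$_.Attributes -band [int][System.IO.FileAttributes]::Hidden) -ne 0 })
    $left   = 0
    if (Test-Path -LiteralPath $StashPath) {
        $left = @(Get-ChildItem -LiteralPath $StashPath -Recurse -Force | Where-Object { -not $_.PSIsContainer }).Count
    }
    New-Object PSObject -Property @{
        Shortcuts   = @($items | Where-Object { $_.Extension -eq '.lnk' }).Count
        StillHidden = $hidden.Count
        LeftInStash = $left
    }
}

# Step 1 of the thread: a restore point before anything is touched (needs elevation).
Checkpoint-Computer -Description 'Before Start Menu repair'

Restore-Ownership -Path $StartMenu
$unhidden = Clear-HiddenAttributes -Path $StartMenu
$moved    = Restore-StartMenuFromStash -Source $Stash -Destination $StartMenu
$summary  = Get-StartMenuSummary -MenuPath $StartMenu -StashPath $Stash

Write-Host ("Attributes cleared on {0} items; {1} files moved back from {2}" -f $unhidden, $moved, $Stash)
$summary | Format-List Shortcuts, StillHidden, LeftInStash
```

Run it from an elevated PowerShell prompt with real-time protection turned off, as the post above asks, and turn protection back on afterwards. Unhide.exe clears attributes across the whole drive, whereas this script touches only the Start Menu tree; point Clear-HiddenAttributes at C:\ to get the same coverage. Because the stash sits under %Temp%, anything that empties the temp folder (a temp cleaner, Disk Cleanup) destroys the only copy of the shortcuts, so the move-back step belongs before any cleanup; Restore-StartMenuFromStash returning 0 while the folder exists means there were no files left to move, and the Start Menu entries then have to be rebuilt by reinstalling or recreating the shortcuts.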