Full Version: Vista 32 Bit Does Not Boot!
Suggest A Fix PC Support Forums > Security > Malicious Code: Viruses, Trojans, Spyware and Browser HiJacking
JerryRecords
Hi everyone!
My laptop does not boot normally. It wouldn't even boot to Safe Mode before it restarts. I have to press F8 and select 'Last Known Good Configuration' for it to go to Safe Mode. I've tried installing McAfee VS and running it; it found some cookies, I restarted, and it's still the same problem.

Computer specs:
HP Pavilion
Intel Pentium Dual CPU T2330 @ 1.60 GHz
RAM: 2038 MB
32 Bit Operating System

Windows Vista Home Premium

Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:43:13 AM, on 5/3/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Mario Arroyo\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Sprint music manager\MEMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/...NPUplden-us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: GearSecurity - GEAR Software - C:\Windows\system32\gearsec.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SpywareStop Scanning Engine (SpywareStopSrv) - Unknown owner - C:\Program Files\SpywareStop\SpywareStop.srv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

Hope you can help. Do I have to re-install Vista? I don't even have a re-install CD or DVD. Thanks in advance.
HKEd
Hi Jerry...you need to get a newer version of HijackThis and post a fresh log. Instructions and link here. You can burn HijackThis.exe to a CD and run it from there, if needs be. Please note that HijackThis.exe needs to be renamed to Hcheck.exe before running it.

What's the make and model of your computer? There must be a Restore partition on it for situations like this when it looks like a format and reinstall is the best option.
JerryRecords
QUOTE(HKEd @ Jun 6 2008, 11:31 PM)

Hi Jerry...you need to get a newer version of HijackThis and post a fresh log. Instructions and link here. You can burn HijackThis.exe to a CD and run it from there, if needs be. Please note that HijackThis.exe needs to be renamed to Hcheck.exe before running it.

What's the make and model of your computer? There must be a Restore partition on it for situations like this when it looks like a format and reinstall is the best option.

It's an HP Pavilion Entertainment PC.
I could only access Safe Mode. I couldn't tell where I can find the restore partition.

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:30 PM, on 5/4/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\Hcheck.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [*LogMeInRescue_3778374671] "C:\Windows\LMI7367.tmp\lmi_rescue.exe" -runonce -gui (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [*LogMeInRescue_3778374671] "C:\Windows\LMI7367.tmp\lmi_rescue.exe" -runonce -gui (User 'Default user')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Sprint music manager\MEMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O13 - Gopher Prefix:
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/...NPUplden-us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: GearSecurity - GEAR Software - C:\Windows\system32\gearsec.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SpywareStop Scanning Engine (SpywareStopSrv) - Unknown owner - C:\Program Files\SpywareStop\SpywareStop.srv.exe (file missing)

--
End of file - 5038 bytes
HKEd
There is a hidden partition on HPs that allows you to return the system to its original condition. No CD is needed - I think it's a combination of keys at startup, but I have yet to find the procedure. Did a manual come with the computer? You will lose all data though, so we'll do our best to save the system as it is. The good news is that the newer version of HijackThis shows much less of a mess than the older version showed.

Click on Start, go to Programs -> Accessories, right click on Command Prompt and choose Run as administrator. You’ll be prompted to approve the action. In the command window that opens type the following, pressing Enter after each line:

sc stop SpywareStopSrv

sc delete SpywareStopSrv

exit


See if you can get to normal mode.

Did you install LogMeInRescue? It didn't show in your previous log.
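The `sc stop` / `sc delete` step above targets one entry in the O23 (service) section of the log: a service that is still registered but whose binary is gone. The log lists several such "(file missing)" services (the AVG7 leftovers, My Web Search, SpywareStop). The Python below is an added example for this thread, not HijackThis code and not a tool any poster used; it parses the O23 lines and sorts them into present, orphaned (binary gone), unknown publisher, and unexpanded path. The last class exists because the first log (HijackThis 1.99.1 on Vista) reported hosted Windows services such as QWAVE and seclogon as "(file missing)" with an unexpanded `%windir%` path, and those entries disappeared in the v2.0.2 log, so an unexpanded path is not evidence of a missing file. The sample lines are copied from the logs posted in this thread; the verdict names and the `cleanup_commands` helper are the example's own.

```python
"""Triage of the O23 (service) lines in a HijackThis log.

Added example for this thread; it is not HijackThis code and not any poster's
own tool. It classifies each registered service the way a helper reading the
log does: binary present, binary missing (an orphaned registration left behind
by an uninstall or an AV clean-up), unknown publisher, or a path HijackThis
could not expand. Orphaned entries are the ones the `sc stop` / `sc delete`
steps in the thread apply to.
"""
import re
from dataclasses import dataclass
from typing import List

# Layout of an O23 line:
#   O23 - Service: <display name> [(<short name>)] - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)"
    r"(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Sample input: O23 lines copied from the logs posted in this thread, plus one
# O4 line to show that non-service lines are ignored.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: GearSecurity - GEAR Software - C:\Windows\system32\gearsec.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: SpywareStop Scanning Engine (SpywareStopSrv) - Unknown owner - C:\Program Files\SpywareStop\SpywareStop.srv.exe (file missing)
"""


@dataclass
class ServiceEntry:
    display: str
    name: str          # short name accepted by `sc`; falls back to the display name
    owner: str
    path: str
    file_missing: bool
    verdict: str       # present | orphaned | unknown-publisher | unexpanded-path | unparsed
    reason: str


def classify(owner: str, path: str, file_missing: bool) -> tuple:
    # A path left as %windir% / %ProgramFiles% is an artefact of the older
    # HijackThis build on Vista (see the thread's first log), not proof that
    # the file is gone, so it is reported separately and checked first.
    if path.startswith("%"):
        return "unexpanded-path", "environment variable not expanded by HijackThis; check the real path"
    if file_missing:
        return "orphaned", "service still registered but its binary is gone"
    if owner == "Unknown owner":
        return "unknown-publisher", "binary present but unsigned or unrecognised; verify it"
    return "present", "binary present, publisher known"


def parse_o23(log_text: str) -> List[ServiceEntry]:
    entries: List[ServiceEntry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith("O23 - Service:"):
            continue  # only the service section is of interest here
        m = O23_RE.match(line)
        if m is None:
            # keep the raw line rather than silently dropping it
            entries.append(ServiceEntry(line, "", "", "", False, "unparsed", "line did not match the O23 layout"))
            continue
        missing = m.group("missing") is not None
        verdict, reason = classify(m.group("owner"), m.group("path"), missing)
        entries.append(ServiceEntry(
            display=m.group("display"),
            name=m.group("name") or m.group("display"),
            owner=m.group("owner"),
            path=m.group("path"),
            file_missing=missing,
            verdict=verdict,
            reason=reason,
        ))
    return entries


def orphaned_services(entries: List[ServiceEntry]) -> List[str]:
    return [e.name for e in entries if e.verdict == "orphaned"]


def cleanup_commands(entries: List[ServiceEntry]) -> List[str]:
    """The elevated-prompt commands used in the thread, one pair per orphaned service."""
    cmds: List[str] = []
    for name in orphaned_services(entries):
        cmds += [f"sc stop {name}", f"sc delete {name}"]
    return cmds


if __name__ == "__main__":
    found = parse_o23(SAMPLE_LOG)
    for e in found:
        print(f"{e.verdict:<18} {e.name:<20} {e.path}  ({e.reason})")
    print("\n".join(cleanup_commands(found)))
```

Run against the sample, the three AVG/My Web Search/SpywareStop entries come out as orphaned and QWAVE as unexpanded-path, which matches what HKEd chose to remove and what the newer HijackThis stopped reporting. The commands are the same ones from the post; an orphaned entry is harmless by itself but removing it keeps the service list readable for the next log.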
JerryRecords
QUOTE(HKEd @ Jun 7 2008, 11:04 PM)

There is a hidden partition on HPs that allows you to return the system to its original condition. No CD is needed - I think it's a combination of keys at startup, but I have yet to find the procedure. Did a manual come with the computer? You will lose all data though, so we'll do our best to save the system as it is. The good news is that the newer version of HijackThis shows much less of a mess than the older version showed.

Click on Start, go to Programs -> Accessories, right click on Command Prompt and choose Run as administrator. You’ll be prompted to approve the action. In the command window that opens type the following, pressing Enter after each line:

sc stop SpywareStopSrv

sc delete SpywareStopSrv

exit


See if you can get to normal mode.

Did you install LogMeInRescue? It didn't show in your previous log.

I've done that, I restarted, and it goes directly to Safe Mode. I've even tried pressing F8 at startup and chose "Start Windows Normally", and it still goes to Safe Mode. Please tell me what you just did?

I didn't install LogMeInRescue. I don't even know what it is.

I still want to find the restore partition, I don't care about any data I lose.
Surfer
This might start restore:

Press F10 repeatedly during bootup

or

Hold down the Control key and repeatedly press F11 on boot up.
JerryRecords
QUOTE(Wes @ Jun 9 2008, 01:00 PM)

This might start restore:

Hold down the Control key and repeatedly press F11 on boot up.


It does not let me go to recovery mode. It goes straight to Safe Mode. I've tried F11 alone, and holding CTRL and tried pressing F11 repeatedly, nothing.
HKEd
QUOTE
Please tell me what you just did?


I just stopped and deleted a malicious service, nothing else.

Try this:

How To Start HP Recovery in Vista
JerryRecords
QUOTE(HKEd @ Jun 9 2008, 07:26 PM)

I just stopped and deleted a malicious service, nothing else.

Try this:

How To Start HP Recovery in Vista


Wow, thanks, that's an easy to read article, but there's only one problem. I clicked 'Start', 'All Programs' and after that I couldn't find 'PC Help and Tools'.

Also, I'm still in Safe Mode and I cannot boot to normal mode.

I've tried looking everywhere for 'PC Help and Tools', under 'Maintenance', 'Accessories', nowhere. I think the malware disabled the option or kept it from showing in the program link or shortcut.

Is there any way I could run the 'Recovery Manager' from the command prompt or something?

I appreciate all your help right now, and thanks for giving me your support.
HKEd
I don't know of a way to run the recovery manager from a command prompt. Wes may know if it's possible.

Without access to the recovery manager and no Vista CD/DVD, you'll likely need to contact HP to get a recovery disk.

Wes advised this, and I know you've tried, but it may be worth trying again:

QUOTE
Starting the recovery from power up

If Windows Vista cannot open and if the Recovery partition on the hard disk drive is functioning properly, you can perform a System Recovery by performing the following procedure:

1. Turn off the computer.
2. Disconnect all connected devices (such as the Personal Media Drive, USB drives, printer, and fax), remove media from drives, and remove any recently added internal hardware. Do not disconnect the monitor, keyboard, mouse, and power cord.
3. Turn on the computer.
4. Do one of the following actions depending on how Windows Vista was installed:

* If Windows Vista came pre-installed on your computer, press the F11 key repeatedly when the first screen opens (the logo screen), until Recovery Manager program opens on the screen.
* If your computer was upgraded from Windows XP to Windows Vista, press the F10 key repeatedly when the first screen opens (the logo screen) until Recovery Manager program opens on the screen.

If Recovery Manager does not open, a set of recovery discs is needed to perform a System Recovery.

HKEd
If the above doesn't work, download Deckard's System Scanner to the desktop (the download link is in the centre, about 2/3rds of the way down the page). Run Dss.exe and post the log it generates. It may provide a clue as to what's going on.

You can copy Dss.exe to a CD and transfer it over.
JerryRecords
QUOTE(HKEd @ Jun 9 2008, 11:42 PM)

If the above doesn't work, download Deckard's System Scanner to the desktop (the download link is in the centre, about 2/3rds of the way down the page). Run Dss.exe and post the log it generates. It may provide a clue as to what's going on.

You can copy Dss.exe to a CD and transfer it over.


Log is as follows:

Deckard's System Scanner v20071014.68
Run by Mario Arroyo on 2007-05-07 04:27:19
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Mario Arroyo.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:39 AM, on 5/7/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Temporary Internet Files\Content.IE5\RNHXMEAP\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mario Arroyo.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [*LogMeInRescue_3778374671] "C:\Windows\LMI7367.tmp\lmi_rescue.exe" -runonce -gui (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [*LogMeInRescue_3778374671] "C:\Windows\LMI7367.tmp\lmi_rescue.exe" -runonce -gui (User 'Default user')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Sprint music manager\MEMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O13 - Gopher Prefix:
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/...NPUplden-us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: GearSecurity - GEAR Software - C:\Windows\system32\gearsec.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SpywareStop Scanning Engine (SpywareStopSrv) - Unknown owner - C:\Program Files\SpywareStop\SpywareStop.srv.exe (file missing)

--
End of file - 5094 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 Avg7Alrt (AVG7 Alert Manager Server) - c:\progra~1\grisoft\avg7\avgamsvr.exe (file missing)
S2 Avg7UpdSvc (AVG7 Update Service) - c:\progra~1\grisoft\avg7\avgupsvc.exe (file missing)
S2 AvgCoreSvc (AVG7 Resident Shield Service) - c:\progra~1\grisoft\avg7\avgrssvc.exe (file missing)
S2 AVGEMS (AVG E-mail Scanner) - c:\progra~1\grisoft\avg7\avgemc.exe (file missing)
S2 GearSecurity - system32\gearsec.exe <Not Verified; GEAR Software; gearsec>
S2 MyWebSearchService (My Web Search Service) - c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe (file missing)
S2 SpywareStopSrv (SpywareStop Scanning Engine) - "c:\program files\spywarestop\spywarestop.srv.exe" (file missing)
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" <Not Verified; Nero AG; Nero Home>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-05-03 04:14:09 364 --a------ C:\Windows\Tasks\McDefragTask.job
2007-05-03 04:14:08 366 --a------ C:\Windows\Tasks\McQcTask.job


-- Files created between 2007-04-07 and 2007-05-07 -----------------------------

2008-05-28 22:29:57 0 d-------- C:\Program Files\CleanUp
2008-05-28 22:29:37 0 d-------- C:\Tempclean
2008-05-28 22:28:16 0 d-------- C:\Users\All Users\Avg7
2008-05-28 22:22:10 0 d-------- C:\Users\All Users\Windows Genuine Advantage
2008-05-28 22:18:24 0 d-------- C:\TechDL
2008-05-28 21:47:52 0 d-------- C:\Windows\LMI7367.tmp
2008-05-28 21:47:15 0 d-------- C:\Program Files\HiWired
2008-05-28 21:46:53 0 d-------- C:\Users\All Users\HiWired
2008-05-20 03:38:02 0 d-------- C:\Program Files\YAMAHA
2008-05-12 23:27:55 0 d-------- C:\Program Files\Samsung
2008-05-12 23:27:20 0 d-------- C:\Windows\Downloaded Installations
2008-05-03 21:33:57 0 d-------- C:\Program Files\Sprint music manager
2008-04-30 04:08:02 0 d------c- C:\Windows\system32\DRVSTORE
2008-04-26 19:49:51 0 d--hs---- C:\Temporary Internet Files
2008-04-26 14:41:12 62910 --a------ C:\Program Files\Uninstall.exe <Not Verified; $PROGRAMNAME; $PROGRAMNAME>
2008-04-26 14:41:12 0 --a------ C:\Program Files\uninstall.dat
2008-04-22 18:04:36 0 dr------- C:\Users\Guest\Searches
2008-04-22 18:04:22 0 dr------- C:\Users\Guest\Contacts
2008-04-22 18:04:13 0 dr------- C:\Users\Guest\Videos
2008-04-22 18:04:13 0 d--hs---- C:\Users\Guest\Templates
2008-04-22 18:04:13 0 d--hs---- C:\Users\Guest\Start Menu
2008-04-22 18:04:13 0 d--hs---- C:\Users\Guest\SendTo
2008-04-22 18:04:13 0 dr------- C:\Users\Guest\Saved Games
2008-04-22 18:04:13 0 d--hs---- C:\Users\Guest\Recent
2008-04-22 18:04:13 0 d--hs---- C:\Users\Guest\PrintHood
2008-04-22 18:04:13 0 dr------- C:\Users\Guest\Pictures
2008-04-22 18:04:13 2883584 --a------ C:\Users\Guest\NTUSER.DAT
2008-04-22 18:04:13 0 d--hs---- C:\Users\Guest\NetHood
2008-04-22 18:04:13 0 d--hs---- C:\Users\Guest\My Documents
2008-04-22 18:04:13 0 dr------- C:\Users\Guest\Music
2008-04-22 18:04:13 0 d--hs---- C:\Users\Guest\Local Settings
2008-04-22 18:04:13 0 dr------- C:\Users\Guest\Links
2008-04-22 18:04:13 0 dr------- C:\Users\Guest\Favorites
2008-04-22 18:04:13 0 dr------- C:\Users\Guest\Downloads
2008-04-22 18:04:13 0 dr------- C:\Users\Guest\Desktop
2008-04-22 18:04:13 0 d--hs---- C:\Users\Guest\Cookies
2008-04-22 18:04:13 0 d--hs---- C:\Users\Guest\Application Data
2008-04-22 18:04:13 0 d--h----- C:\Users\Guest\AppData
2008-04-18 14:54:11 0 d-------- C:\Windows\PCHEALTH
2008-04-18 14:48:15 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-18 14:47:57 0 d-------- C:\Program Files\Windows Live
2008-04-18 14:47:23 0 d-------- C:\Users\All Users\WLInstaller
2008-03-10 22:51:34 0 -rahs---- C:\MSDOS.SYS
2008-03-10 22:51:34 0 -rahs---- C:\IO.SYS
2008-03-03 23:42:07 0 d-------- C:\Users\All Users\Lavasoft
2008-03-03 23:42:07 0 d-------- C:\Program Files\Lavasoft
2008-03-03 23:41:21 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-20 00:50:42 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-20 00:50:42 0 d-------- C:\Program Files\GuitarVision
2008-02-20 00:37:02 0 d-------- C:\Windows\system32\Macromed
2008-02-20 00:29:26 0 d-------- C:\Users\All Users\Google
2008-02-20 00:29:22 0 d-------- C:\Program Files\Google
2008-02-18 18:37:19 0 d-------- C:\Users\All Users\eGames
2008-02-18 18:37:09 0 d-------- C:\Users\All Users\Trymedia
2008-02-18 18:37:00 0 d-------- C:\Program Files\Bejeweled 2 Deluxe
2008-02-17 16:22:40 305566 --a------ C:\FlipWords2.dat
2008-02-11 17:45:33 1523536 --a------ C:\Users\Mario Arroyo\FP_AX_CAB_INSTALLER.exe
2008-02-11 17:16:15 0 d-------- C:\Program Files\Common Files\InstallShield
2008-02-11 11:31:58 0 d-------- C:\Users\All Users\HipSoft
2008-02-11 11:31:57 0 d-a------ C:\Users\All Users\TEMP
2008-02-11 11:23:09 0 d-------- C:\Users\All Users\Adobe
2008-02-11 11:22:58 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-11 11:20:49 0 d-------- C:\Program Files\HipSoft
2008-02-06 04:36:26 0 d--h----- C:\Windows\PIF
2008-02-03 01:14:04 0 d-------- C:\Users\All Users\LightScribe
2008-02-03 00:51:30 0 d-------- C:\Program Files\Native Instruments
2008-02-03 00:46:35 0 d-------- C:\Program Files\HPQ
2008-02-03 00:46:30 0 d-------- C:\Program Files\Common Files\LightScribe
2008-02-03 00:46:26 0 d-------- C:\SWSETUP
2008-02-02 02:52:06 0 d-------- C:\Program Files\Synaptics
2008-02-02 02:47:54 0 d-------- C:\Intel
2008-02-02 02:26:04 0 d-------- C:\Windows\system32\x64
2008-02-02 01:31:11 0 d-------- C:\Program Files\MusicLab
2008-02-02 01:16:43 63488 --a------ C:\Windows\system32\MMREGOCX.EXE <Not Verified; SwiftSoft; MMTOOLSX OCX>
2008-02-02 01:16:43 61440 --a------ C:\Windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>
2008-02-02 01:16:43 65536 --a------ C:\Windows\system32\GEARASPI.DLL <Not Verified; GEAR Software Inc.; GEAR Software GEARAspi>
2008-02-02 01:16:43 9184 --a------ C:\Windows\system32\drivers\GEARAspiWDM.SYS <Not Verified; GEAR Software; GEARAspi>
2008-02-02 01:16:43 700416 --a------ C:\Windows\system32\cddbui.dll <Not Verified; Gracenote; CDDBUIControl Module>
2008-02-02 01:16:43 569344 --a------ C:\Windows\system32\cddbcontrol.dll <Not Verified; Gracenote (formerly CDDB, Inc.); CDDBControl Core Module>
2008-02-02 01:09:26 0 d-------- C:\Users\All Users\Nero
2008-02-02 01:09:26 0 d-------- C:\Program Files\Nero
2008-02-02 01:09:26 0 d-------- C:\Program Files\Common Files\Ahead
2008-02-02 00:57:24 118784 --a------ C:\Windows\dsdxirmv.exe
2008-02-02 00:57:24 0 d-------- C:\Users\All Users\Identities
2008-02-02 00:48:47 233472 --a------ C:\Windows\system32\REX Shared Library.dll <Not Verified; Propellerhead Software AB; REX>
2008-02-02 00:48:44 368640 --a------ C:\Windows\system32\ReWire.dll <Not Verified; Propellerhead Software AB; ReWire>
2008-02-02 00:48:05 0 d--hs---- C:\Windows\Installer
2008-02-02 00:47:58 0 d-------- C:\Users\All Users\Cakewalk
2008-02-02 00:47:58 0 d-------- C:\Program Files\Cakewalk
2008-02-02 00:47:58 0 d-------- C:\Cakewalk Projects
2008-02-02 00:07:00 0 dr------- C:\Users\Mario Arroyo\Searches
2008-02-02 00:06:50 0 dr------- C:\Users\Mario Arroyo\Contacts
2008-02-02 00:06:45 0 d--hs---- C:\Users\Mario Arroyo\Templates
2008-02-02 00:06:45 0 d--hs---- C:\Users\Mario Arroyo\Start Menu
2008-02-02 00:06:45 0 d--hs---- C:\Users\Mario Arroyo\SendTo
2008-02-02 00:06:45 0 d--hs---- C:\Users\Mario Arroyo\Recent
2008-02-02 00:06:45 0 d--hs---- C:\Users\Mario Arroyo\PrintHood
2008-02-02 00:06:45 0 d--hs---- C:\Users\Mario Arroyo\NetHood
2008-02-02 00:06:45 0 d--hs---- C:\Users\Mario Arroyo\My Documents
2008-02-02 00:06:45 0 d--hs---- C:\Users\Mario Arroyo\Local Settings
2008-02-02 00:06:45 0 d--hs---- C:\Users\Mario Arroyo\Cookies
2008-02-02 00:06:45 0 d--hs---- C:\Users\Mario Arroyo\Application Data
2008-02-02 00:06:44 0 dr------- C:\Users\Mario Arroyo\Videos
2008-02-02 00:06:44 0 dr------- C:\Users\Mario Arroyo\Saved Games
2008-02-02 00:06:44 0 dr------- C:\Users\Mario Arroyo\Pictures
2008-02-02 00:06:44 3670016 --ahs---- C:\Users\Mario Arroyo\NTUSER.DAT
2008-02-02 00:06:44 0 dr------- C:\Users\Mario Arroyo\Music
2008-02-02 00:06:44 0 dr------- C:\Users\Mario Arroyo\Links
2008-02-02 00:06:44 0 dr------- C:\Users\Mario Arroyo\Favorites
2008-02-02 00:06:44 0 dr------- C:\Users\Mario Arroyo\Downloads
2008-02-02 00:06:44 0 dr------- C:\Users\Mario Arroyo\Documents
2008-02-02 00:06:44 0 dr------- C:\Users\Mario Arroyo\Desktop
2008-02-02 00:06:44 0 d--h----- C:\Users\Mario Arroyo\AppData
2008-02-02 00:00:41 0 d-------- C:\Windows\SoftwareDistribution
2008-02-01 23:59:41 0 d-------- C:\Windows\Debug
2008-02-01 23:58:12 0 d-------- C:\Windows\Prefetch
2008-02-01 23:57:59 0 d--hs---- C:\System Volume Information
2008-02-01 23:57:00 0 d-------- C:\Windows\Panther
2008-02-01 23:56:43 0 d--hs---- C:\Boot
2007-08-07 13:58:08 8320 --a------ C:\Windows\system32\drivers\AWRTRD.sys <Not Verified; Lavasoft AB; Ad-Watch Registry Protection>
2007-08-07 13:56:58 9344 --a------ C:\Windows\system32\drivers\NSDriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
2007-07-11 14:37:26 6272 --a------ C:\Windows\system32\drivers\AWRTPD.sys <Not Verified; Lavasoft AB; Ad-Watch Beta>
2007-05-04 23:41:42 0 d-------- C:\Program Files\Trend Micro
2007-05-03 05:23:56 0 d-------- C:\Program Files\CCleaner
2007-05-03 04:14:02 0 d-------- C:\Program Files\McAfee.com
2007-05-03 04:14:00 0 d-------- C:\Program Files\Common Files\McAfee
2007-05-03 04:13:59 0 d-------- C:\Program Files\McAfee
2007-05-03 04:09:32 0 d-------- C:\Users\All Users\McAfee
2007-05-02 23:54:04 0 d-------- C:\Users\All Users\Spybot - Search & Destroy


-- Find3M Report ---------------------------------------------------------------

2008-05-14 01:28:17 0 d-------- C:\Program Files\Windows Mail
2008-02-20 01:39:36 0 d-------- C:\Users\Mario Arroyo\AppData\Roaming\Macromedia
2008-02-20 01:39:36 0 d-------- C:\Users\Mario Arroyo\AppData\Roaming\Adobe
2008-02-20 00:53:19 0 d-------- C:\Users\Mario Arroyo\AppData\Roaming\Ahead
2008-02-20 00:41:22 0 d-------- C:\Users\Mario Arroyo\AppData\Roaming\Google
2008-02-02 02:47:17 174 --ahs---- C:\Program Files\desktop.ini
2008-02-02 02:42:59 0 d-------- C:\Program Files\Windows Calendar
2008-02-02 02:42:55 0 d-------- C:\Program Files\Windows Defender
2008-02-02 02:42:46 0 d-------- C:\Program Files\Windows Sidebar
2008-02-02 00:58:04 0 d-------- C:\Users\Mario Arroyo\AppData\Roaming\Cakewalk
2008-02-02 00:06:51 0 d-------- C:\Users\Mario Arroyo\AppData\Roaming\Identities
2007-05-03 04:14:00 0 d-------- C:\Program Files\Common Files
2007-05-03 00:17:34 0 d-------- C:\Users\Mario Arroyo\AppData\Roaming\AntispywareBot


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [02/02/2008 02:24 AM]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [09/15/2007 05:29 AM]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [01/02/2008 06:07 PM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [01/02/2008 06:07 PM]
"MSConfig"="C:\Windows\system32\msconfig.exe" [11/02/2006 04:45 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [08/23/2007 08:36 PM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 07:35 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"*LogMeInRescue_3778374671"="C:\Windows\LMI7367.tmp\lmi_rescue.exe" -runonce -gui

C:\Users\Mario Arroyo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Sprint music manager\MEMonitor.exe [5/3/2008 9:34:10 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Plugin]
rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8713 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-05-07 04:30:09 ------------


extra log:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6000)
Architecture: X86; Language: English

CPU 0: Intel® Pentium® Dual CPU T2330 @ 1.60GHz
Percentage of Memory in Use: 18%
Physical Memory (total/avail): 2037.81 MiB / 1657.29 MiB
Pagefile Memory (total/avail): 4289.67 MiB / 4024.73 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1911.25 MiB

C: is Fixed (NTFS) - 224.6 GiB total, 205.18 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD2500BEVS-60UST0 ATA Device - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 224.6 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AS: AntispywareBot v ()
AS: Spybot - Search and Destroy v1.0.0.5 (Safer Networking Ltd.) Disabled
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation) Disabled
AS: SpywareStop v ()

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Mario Arroyo\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MARIOARROYO-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Mario Arroyo
LOCALAPPDATA=C:\Users\Mario Arroyo\AppData\Local
LOGONSERVER=\\MARIOARROYO-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
SAFEBOOT_OPTION=NETWORK
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\MARIOA~1\AppData\Local\Temp
TMP=C:\Users\MARIOA~1\AppData\Local\Temp
USERDOMAIN=MarioArroyo-PC
USERNAME=Mario Arroyo
USERPROFILE=C:\Users\Mario Arroyo
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Mario Arroyo (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Windows\UNNeroBackItUp.exe /UNINSTALL
--> C:\Windows\UNNeroMediaHome.exe /UNINSTALL
--> C:\Windows\UNNeroShowTime.exe /UNINSTALL
--> C:\Windows\UNNeroVision.exe /UNINSTALL
--> C:\Windows\UNRecode.exe /UNINSTALL
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\Windows\System32\Macromed\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~1\Install.log
Bejeweled 2 Deluxe (remove only) --> "C:\Program Files\Bejeweled 2 Deluxe\Uninstall.exe"
Cakewalk Pyro 2003 --> C:\PROGRA~1\Cakewalk\CAKEWA~1\UNWISE.EXE C:\PROGRA~1\Cakewalk\CAKEWA~1\INSTALL.LOG
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
DreamStation DXi2 --> C:\WINDOWS\DSDXIRMV.EXE C:\PROGRAM FILES\CAKEWALK\SHARED DXI\AUDIO SIMULATION\DREAMSTATION DXI2
Flip Words 2 v1.1 --> "C:\Program Files\HipSoft\Flip Words 2\unins000.exe"
Flip Words v2.3 --> "C:\Program Files\HipSoft\Flip Words\unins000.exe"
HijackThis 2.0.2 --> "C:\PROGRA~1\TRENDM~1\HIJACK~1\HijackThis.exe" /uninstall
Intel® Graphics Media Accelerator Driver --> C:\Windows\system32\igxpun.exe -uninstall
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MusicLab Fill-in Drummer --> "C:\Program Files\MusicLab\FillinDrummer\Uninstall.exe" "C:\Program Files\MusicLab\FillinDrummer\install.log"
MusicLab SlicyDrummer --> "C:\Program Files\MusicLab\SlicyDrummer\Uninstall.exe" "C:\Program Files\MusicLab\SlicyDrummer\install.log"
Native Instruments Guitar Rig v1.1.2 --> C:\PROGRA~1\NATIVE~1\GUITAR~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\GUITAR~1\INSTALL.LOG
Nero 7 Ultra Edition --> MsiExec.exe /I{FC98FBE9-E931-494C-8717-497185371033}
PC Check & Connect --> "C:\Program Files\HiWired\PC Check & Connect\LKI\HiWired.Client.Bootstrap.exe" -maintenance
SONAR 7 Producer Edition --> "C:\Program Files\Cakewalk\SONAR 7 Producer Edition\unins000.exe"
Sprint music manager --> C:\PROGRA~1\SPRINT~1\Setup.exe /remove /q0
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareStop --> MsiExec.exe /X{7525CD29-0884-43AA-8A0C-C05DF104D475}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Yamaha ASIO DirectKS Driver --> MsiExec.exe /I{7115B683-477D-4D59-9AB3-0D7A409C2C81}


-- Application Event Log -------------------------------------------------------

Event Record #/Type9646 / Error
Event Submitted/Written: 05/07/2007 04:28:55 AM
Event ID/Source: 11 / Microsoft-Windows-CAPI2
Event Description:
http://www.download.windowsupdate.com/msdo...uthrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Record #/Type9645 / Error
Event Submitted/Written: 05/07/2007 04:28:55 AM
Event ID/Source: 11 / Microsoft-Windows-CAPI2
Event Description:
http://www.download.windowsupdate.com/msdo...uthrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Record #/Type9644 / Error
Event Submitted/Written: 05/07/2007 04:28:49 AM
Event ID/Source: 11 / Microsoft-Windows-CAPI2
Event Description:
http://www.download.windowsupdate.com/msdo...uthrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Record #/Type9643 / Error
Event Submitted/Written: 05/07/2007 04:28:49 AM
Event ID/Source: 11 / Microsoft-Windows-CAPI2
Event Description:
http://www.download.windowsupdate.com/msdo...uthrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Record #/Type9642 / Error
Event Submitted/Written: 05/07/2007 04:28:49 AM
Event ID/Source: 11 / Microsoft-Windows-CAPI2
Event Description:
http://www.download.windowsupdate.com/msdo...uthrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type45913 / Error
Event Submitted/Written: 05/07/2007 04:23:29 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
AvgClean
AvgMfx86
spldr
spywarestop
Wanarpv6

Event Record #/Type45904 / Error
Event Submitted/Written: 05/07/2007 04:23:29 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
Computer BrowserServer%%1068

Event Record #/Type45885 / Error
Event Submitted/Written: 05/07/2007 04:22:48 AM
Event ID/Source: 10005 / DCOM
Event Description:
1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Event Record #/Type45884 / Error
Event Submitted/Written: 05/07/2007 04:22:48 AM
Event ID/Source: 10005 / DCOM
Event Description:
1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Event Record #/Type45882 / Error
Event Submitted/Written: 05/07/2007 04:22:46 AM
Event ID/Source: 10005 / DCOM
Event Description:
1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2007-05-07 04:30:09 ------------


hope this helps.

HKEd
There is a file showing in the log that has been identified as malicious - C:\Windows\dsdxirmv.exe. However, I can't imagine it could be responsible for the problem. Ya never know though, so go ahead and delete it. If you don't see it in the Windows folder, make all files and folders visible - instructions here.

Uninstall LogMeInRescue from Add/Remove Programs.

If it won't go to normal mode, either there's a hardware/driver problem or system files have been damaged. You may have to call HP after all.