Is NB_AS_Turorial.exe malware ?

[jjscotman]

Hello

I am a "silver surfer" with limited computer knowledge and would greatly appreciate help.

I recently purchased an Acer Aspire 5920G laptop.

Normally I don't look in the Acer file on my C Drive but today I clicked on it by mistake and noticed what seems to be a very suspicious file at the very bottom of a list of normal looking folders.

It is called:

NB_AS_Turorial.exe

It is an Application of 22,519KB created on 27/04/07.

As I thought it might be an Acer tutorial, I rather foolishly clicked on the folder but immediately cancelled when I saw it wanted to install something on my laptop.

On reflection there are several things which look suspicious (1) it is an application at the bottom of a list of normal folders (2) it says it was created
on 27/04/2007 when I only bought and set up my laptop in July 2008 (3) the apparent mis-spelling of tutorial and (4) the fact it is an .exe

I googled "NB_AS_Turorial.exe" but it only showed several pages in foreign languages which I could not understand.

Adding to my worries, however, is that the pages appear to mention Hijack This which I know specialises in malware removal.

Although I have a firewall, anti-virus and several anti-spyware programs and I am very careful about my surfing/downloading habits, I am now very worried that this is some form of dangerous malware.

Anyone who has knowledge of this, please let me know if this is malware and, if so, how best to remove it completely from my laptop.

I really don't want it hanging around my Acer file on the C drive in case I click on it by mistake and would prefer to delete it completely.

I have the Eraser shredder (Heidi computers) so can I use this to shred it ?

As this is rather worrying to me as a computer newbie, I would appreciate urgent help and comments.

Apologies for the long post.

Many thanks in advance !!

[tetonbob]

Hello -

Check the file properties (right click, select properties) and look for a version tab. See if there's a company name there.

Also, scan the file at VirusTotal

Report the results.

Also, upload it here:

http://www.bleepingcomputer.com/subm...php?channel=28

[jjscotman]

Many thanks for your response.

In properties looking under Signature List under Digital Signatures I can see the name "Acer Incorporated".

Under Details, I see

File Version 11.50.0.42618
Product Name InstallShield
Product Version 11.50
Copyright Macrovision Corp

I have googled these names but unfortunately the results mean little to my computer-illiterate eye.

I have attempted several times to upload the file to VirusTotal and BleedingComputer but unsuccessfully for various reasons - mainly file size "too big" My web based email also does not accept this file due to "size" or "risk".

I await your further comments and advice.

Needless to say I am very grateful for your help.

[tetonbob]

Seems like it would be legit with an Acer digital signature embedded. I wouldn't mind seeing it still.

It's probably too big even to zip it, but see if that works for submitting it to the Bleeping Computer site.

Right click on the file, and select Send To > Compressed (Zipped) Folder.

If still no joy, upload it to this site:

TheSpyKillers forum HERE

Read the first topic for instructions on uploading files then start a new Topic, title it File for tetonbob, and post a link to this thread

[jjscotman]

Compressed(zipped) the file as requested but could not upload to Bleeding Computer.

But succeeded in uploading to Spykiller.

Unfortunately, I rather stupidly did not name the title correctly and gave it same name as in this forum ie. Is NB_AS_Turorial.exe malware ?

Many apologies !! But I did include the link to here.

If the file does have something to do with Acer, perhaps I should also mention in case it is relevant that whenever I run CA Yahoo Anti Spy it always throws up an identification of Bancos IYG Trojan but this cannot be quarantined due to lack of "administrative rights"

At the time I first had this thrown up I googled Bancos IYG and saw discussion that this had something to do with Acer's marketing stuff embedded in the toolbar so I just always ignore it.

All my other anti-virus and anti-spyware scans come up clean.

I don't know if this is relevant but thought it best to mention it.

Look forward to hearing what you think and what action I should take.

Many thanks once again !!

[tetonbob]

• Download RSIT by random/random and save it to your desktop.
• Double click RSIT.exe to start the tool and click Continue at the disclaimer.
• When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
• Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of log.txt here.
  
• Please attach info.txt to your post.

To attach a file to a new post, simply

1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
2. copy and paste the following into the "Upload File from your Computer" box:

   C:\rsit\info.txt
   

3. Click Upload.

---------------------------------------------------------------------------------------------

[tetonbob]

Hi -

Having just installed that file on a test machine, I can tell you it is not malicious, and is a series of flash tutorials/adverts for Acer technology, in different languages. There's no reason at all to think it's malicious, but no need to keep it on your machine as far as I can tell.

[jjscotman]

Wow - that's a great relief !!

I downloaded and saved RSIT to my desktop before seeing your last post.

I assume there is no need to run the RSIT scan and that I can just shred RSIT now. Please confirm.

The machine is still very new to me so I'm not very sure whether I can delete the NB_AS_Turoriale.exe file and worry that it may be needed for some function. Will probably therefore just leave it as it does not seem to be doing any harm.

Please confirm I can shred RSIT.

I am really very grateful to you for taking the time and trouble to investigate for me and re-assure a computer newbie.

[tetonbob]

Hi -

Since you mentioned one of your applications finding malicious software, I'd still like to see a set of logs from RSIT.

[jjscotman]

Hello again

Here is log.txt

Logfile of random's system information tool 1.04 (written by random/random)
Run by John Johnstone at 2008-10-07 21:44:34
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 46 GB (65%) free of 71 GB
Total RAM: 2046 MB (47% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:44:39, on 07/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehtray.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Windows\System32\rundll32.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\JOHNJO~1\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\FeedDemon\FeedDemon.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Free Internet Window Washer\Clearpch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\John Johnstone\Desktop\RSIT.exe
C:\Program Files\trend micro\John Johnstone.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/yco...//uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/yco...//uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IaNvSrv] C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'Default user')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: eNetHook.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
O23 - Service: ThreatFire - Unknown owner - C:\Program Files\ThreatFire\TFService.exe (file missing)
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10387 bytes

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskUser.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-06-25 880880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-07-30 1404928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
Yahoo! IE Services Button - C:\Program Files\Yahoo!\Common\yiesrvc.dll [2007-12-12 222448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll [2008-10-07 652784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-06-25 160496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - Acer eDataSecurity Management - C:\Windows\system32\eDStoolbar.dll [2007-04-26 151552]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-06-25 880880]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-05-10 4468736]
"eDataSecurity Loader"=C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe [2007-04-26 457216]
"eAudio"=C:\Acer\Empowering Technology\eAudio\eAudio.exe [2007-04-27 1286144]
"Acer Tour"= []
"PLFSet"=C:\Windows\PLFSet.dll [2007-03-10 45056]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2007-04-25 174872]
"IaNvSrv"=C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe [2007-07-24 33304]
"eRecoveryService"= []
"avgnt"=C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]
"NvSvc"=C:\Windows\system32\nvsvc.dll [2007-05-04 86016]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2007-05-04 8429568]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2007-05-04 81920]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2008-07-04 333120]
"LManager"=C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE [2007-05-04 502544]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2007-05-09 865840]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-19 1233920]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-08-18 1832272]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder]
C:\Acer\AcerTour\Reminder.exe [2007-02-16 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe [2008-04-09 136472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe [2008-04-09 909208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Users\John Johnstone\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-20 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayMovie]
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe [2007-05-03 206952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Taskbar Shuffle]
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe [2008-04-17 818176]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [2008-04-09 2595792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WarReg_PopUp]
C:\Acer\WR_PopUp\WarReg_PopUp.exe [2006-11-06 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^John Johnstone^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^WordWeb.lnk]
C:\PROGRA~1\WordWeb\wweb32.exe [2008-06-12 42168]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Empowering Technology Launcher.lnk - C:\Acer\Empowering Technology\eAPLauncher.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="eNetHook.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2008-10-07 21:32:35 ----D---- C:\rsit
2008-10-07 21:32:35 ----D---- C:\Program Files\trend micro
2008-10-03 17:47:59 ----D---- C:\Windows\Downloaded Installations
2008-10-02 17:30:32 ----D---- C:\Users\John Johnstone\AppData\Roaming\Samsung
2008-10-02 15:20:26 ----D---- C:\Windows\system32\Samsung_USB_Drivers
2008-10-02 15:20:04 ----D---- C:\Windows\system32\Samsung PC Studio Codecs
2008-10-02 15:19:59 ----D---- C:\Program Files\Samsung
2008-10-02 15:19:59 ----A---- C:\Windows\system32\fun_mp4_enc.dll
2008-10-02 15:19:59 ----A---- C:\Windows\system32\fun_mp4_dec.dll
2008-10-02 15:19:59 ----A---- C:\Windows\system32\fun_avcodec.dll
2008-09-28 23:53:40 ----D---- C:\Program Files\Taskbar Shuffle
2008-09-26 20:12:41 ----D---- C:\Windows\Minidump
2008-09-26 16:03:43 ----D---- C:\Program Files\FeedStation
2008-09-26 15:57:20 ----D---- C:\ProgramData\Google Updater
2008-09-22 15:52:59 ----D---- C:\Users\John Johnstone\AppData\Roaming\PeerNetworking
2008-09-19 17:54:57 ----D---- C:\Users\John Johnstone\AppData\Roaming\Acronis
2008-09-19 17:15:33 ----D---- C:\ProgramData\Acronis
2008-09-19 17:14:41 ----D---- C:\Program Files\Common Files\Acronis
2008-09-19 17:14:41 ----D---- C:\Program Files\Acronis
2008-09-18 21:21:54 ----D---- C:\Program Files\Siber Systems
2008-09-17 11:45:03 ----A---- C:\Windows\system32\wups2.dll
2008-09-17 11:45:03 ----A---- C:\Windows\system32\wucltux.dll
2008-09-17 11:45:03 ----A---- C:\Windows\system32\wuaueng.dll
2008-09-17 11:45:03 ----A---- C:\Windows\system32\wuauclt.exe
2008-09-17 11:44:44 ----A---- C:\Windows\system32\wups.dll
2008-09-17 11:44:44 ----A---- C:\Windows\system32\wudriver.dll
2008-09-17 11:44:44 ----A---- C:\Windows\system32\wuapi.dll
2008-09-15 19:49:32 ----D---- C:\Users\John Johnstone\AppData\Roaming\vlc
2008-09-15 15:07:15 ----D---- C:\Windows\pss
2008-09-09 19:24:10 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2008-09-09 19:24:10 ----A---- C:\Windows\system32\Apphlpdm.dll
2008-09-09 19:23:52 ----A---- C:\Windows\system32\wmpeffects.dll
2008-09-09 19:23:47 ----A---- C:\Windows\system32\emdmgmt.dll
2008-09-09 19:23:47 ----A---- C:\Windows\system32\dataclen.dll
2008-09-09 19:23:46 ----A---- C:\Windows\system32\cdd.dll
2008-09-09 15:57:39 ----D---- C:\Program Files\FeedDemon

======List of files/folders modified in the last 1 months======

2008-10-07 21:44:36 ----D---- C:\Windows\Temp
2008-10-07 21:39:41 ----D---- C:\Windows
2008-10-07 21:32:35 ----RD---- C:\Program Files
2008-10-07 20:18:22 ----D---- C:\Windows\System32
2008-10-07 20:18:22 ----D---- C:\Windows\inf
2008-10-07 20:18:22 ----A---- C:\Windows\system32\PerfStringBackup.INI
2008-10-07 19:11:13 ----D---- C:\Acer
2008-10-06 23:50:42 ----D---- C:\Users\John Johnstone\AppData\Roaming\OpenOffice.org2
2008-10-06 17:23:48 ----D---- C:\Windows\Prefetch
2008-10-05 01:14:18 ----SHD---- C:\System Volume Information
2008-10-05 01:05:57 ----D---- C:\ProgramData\Spybot - Search & Destroy
2008-10-05 00:12:23 ----AD---- C:\ProgramData\TEMP
2008-10-05 00:12:20 ----D---- C:\Program Files\SpywareBlaster
2008-10-03 17:55:33 ----D---- C:\MyWorks
2008-10-03 17:52:52 ----HD---- C:\Program Files\InstallShield Installation Information
2008-10-03 17:49:19 ----RH---- C:\Windows\system32\NTIBUN4.dll
2008-10-03 17:49:04 ----SHD---- C:\Windows\Installer
2008-10-03 17:05:12 ----SD---- C:\Windows\Downloaded Program Files
2008-10-02 17:23:17 ----D---- C:\Windows\system32\drivers
2008-10-02 17:13:12 ----HD---- C:\ProgramData
2008-10-02 15:23:29 ----D---- C:\Windows\system32\catroot2
2008-10-02 15:23:29 ----D---- C:\Windows\system32\catroot
2008-10-02 15:20:20 ----D---- C:\Windows\winsxs
2008-10-01 15:21:55 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-10-01 00:50:34 ----D---- C:\Users\John Johnstone\AppData\Roaming\Skype
2008-10-01 00:02:42 ----D---- C:\Users\John Johnstone\AppData\Roaming\skypePM
2008-09-30 19:27:00 ----D---- C:\Program Files\Mozilla Firefox
2008-09-27 12:11:41 ----D---- C:\Windows\LiveKernelReports
2008-09-26 15:49:42 ----D---- C:\Windows\system32\Msdtc
2008-09-26 15:49:40 ----D---- C:\Windows\system32\wbem
2008-09-26 15:48:56 ----D---- C:\Windows\system32\config
2008-09-26 15:48:43 ----D---- C:\Windows\Tasks
2008-09-26 15:48:43 ----D---- C:\Windows\system32\spool
2008-09-26 15:48:42 ----D---- C:\Program Files\Google
2008-09-26 15:48:41 ----D---- C:\Windows\registration
2008-09-20 15:43:42 ----D---- C:\Windows\system32\Tasks
2008-09-19 17:14:41 ----D---- C:\Program Files\Common Files
2008-09-17 15:00:12 ----D---- C:\Windows\rescache
2008-09-17 12:25:50 ----D---- C:\Windows\system32\en-US
2008-09-14 16:25:53 ----D---- C:\Users\John Johnstone\AppData\Roaming\CyberLink
2008-09-13 15:59:53 ----D---- C:\Users\John Johnstone\AppData\Roaming\Real
2008-09-12 18:15:00 ----D---- C:\Program Files\ThreatFire
2008-09-10 01:26:09 ----D---- C:\Windows\Debug
2008-09-09 19:53:26 ----D---- C:\Windows\AppPatch

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys [2007-02-27 11840]
R1 avipbb;avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [2008-06-27 75072]
R1 SbFw;SbFw; C:\Windows\system32\drivers\SbFw.sys [2008-07-16 269736]
R1 sbhips;Sunbelt HIPS Driver; C:\Windows\system32\drivers\sbhips.sys [2008-06-21 66600]
R1 ssmdrv;ssmdrv; C:\Windows\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
R1 StarOpen;StarOpen; C:\Windows\system32\drivers\StarOpen.sys [2008-10-02 5632]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}; \??\C:\Program Files\Acer Arcade Deluxe\Play Movie\000.fcl [2006-11-03 13560]
R2 int15;int15; \??\C:\Acer\Empowering Technology\eRecovery\int15.sys [2006-12-08 76584]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2007-03-15 12672]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2007-01-24 42496]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2007-03-22 37376]
R2 tifsfilter;Acronis True Image FS Filter; C:\Windows\system32\DRIVERS\tifsfilt.sys [2008-09-19 44384]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2007-03-15 8192]
R3 avgntflt;avgntflt; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys [2008-05-20 52032]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-02-08 179712]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-19 14208]
R3 DKbFltr;Dritek Keyboard Filter Driver; C:\Windows\system32\DRIVERS\DKbFltr.sys [2007-05-04 21264]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2007-03-15 985600]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2007-03-15 207360]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-05-10 1775712]
R3 NETw4v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-09-26 2251776]
R3 NTIDrvr;Upper Class Filter Driver; C:\Windows\system32\DRIVERS\NTIDrvr.sys [2007-05-10 6144]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2007-05-04 7496256]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport; C:\Windows\system32\DRIVERS\sbfwim.sys [2008-06-21 65576]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-19 88576]
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC); C:\Windows\system32\DRIVERS\snp2uvc.sys [2007-02-08 1729152]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2007-05-09 185392]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2007-03-15 659968]
R3 winbondcir;Winbond IR Transceiver; C:\Windows\system32\DRIVERS\winbondcir.sys [2007-04-19 43008]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-19 11264]
S2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2007-02-24 39936]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2006-11-02 200704]
S3 Inspect;Comodo Firewall Network Driver; C:\Windows\system32\DRIVERS\inspect.sys []
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM); C:\Windows\system32\DRIVERS\ssm_bus.sys [2005-08-30 58320]
S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter; C:\Windows\system32\DRIVERS\ssm_mdfl.sys [2005-08-30 8336]
S3 ssm_mdm;SAMSUNG Mobile USB Modem II 1.0 Drivers; C:\Windows\system32\DRIVERS\ssm_mdm.sys [2005-08-30 94000]
S3 TfNetMon;TfNetMon; \??\C:\Windows\system32\drivers\TfNetMon.sys []
S3 WSVD;WSVD; \??\C:\Windows\system32\drivers\WSVD.sys [2006-09-20 80744]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S4 UIUSys;Conexant Setup API; C:\Windows\system32\DRIVERS\UIUSYS.SYS []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-23 611664]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-06-12 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-08-14 149761]
R2 eDataSecurity Service;eDataSecurity Service; C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe [2007-04-26 457512]
R2 eLockService;eLock Service; C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe [2007-03-14 24576]
R2 eNet Service;eNet Service; C:\Acer\Empowering Technology\eNet\eNet Service.exe [2007-05-22 135168]
R2 eRecoveryService;eRecovery Service; C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe [2007-02-13 53248]
R2 eSettingsService;eSettings Service; C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [2007-05-10 24576]
R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-07 168432]
R2 IAANTMON;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe [2007-04-25 355096]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-01-17 61440]
R2 MobilityService;MobilityService; C:\Acer\Mobility Center\MobilityService.exe [2006-11-24 107008]
R2 SbPF.Launcher;SbPF.Launcher; C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [2008-07-30 95528]
R2 SPF4;Sunbelt Personal Firewall 4; C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [2008-07-30 1361192]
R2 WMIService;ePower Service; C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [2007-05-17 163840]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2007-03-15 386560]
S2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S2 ThreatFire;ThreatFire; C:\Program Files\ThreatFire\TFService.exe service []
S4 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [2008-04-09 431384]
S4 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2006-07-19 262247]
S4 TryAndDecideService;Acronis Try And Decide Service; C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [2008-04-09 492896]

-----------------EOF-----------------

I have run RSIT twice but each time I cannot see any info.txt minimised. The only one I can see is in the RSIT file so I have attached this.

I hope I have not done something wrong !!

[tetonbob]

Logs seem clean, and the machine seems well protected.

You should be fine. I see many false positive references to Bancos IYG on Acer machines.

[jjscotman]

Really appreciate your re-assurance and the time and trouble you have taken over this.

Its only CA Yahoo Anti Spy that shrows up this Bancos IYG thing. None of my other anti -virus or anti-spyware programs indicate it.

My machine is running very well at moment (touch wood!!)

Can I now shred the RSIT exe and log files ??

[tetonbob]

It's been my pleasure to help you.

Yes, you can shred RSIT, it also places a folder at C:\rsit

Additionally, you may want to uninstall HijackThis, and delete it's folder:

C:\Program Files\trend micro

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.