Path to services changed

Hi All,

I have an interesting issue. My laptop is running Vista Home Premium and has
had AV installed and kept up to date from day one. Recently (don't know when
it changed) a few, not all, of the services have had a "-" inserted before
the path in the registry. The services affected were things like the Adobe
file manager, Apple Ipod service, Sound card manager, Intel Raid monitor and
Sony Event service. I can go into the registry and change them back by
deleting the - from the beginning of the path, but after a while it returns.
I am quite sure it's not some kind of malware (unless it's by-passed the
AV), but its really annoying! Any ideas? The only thing I can see that they
have in common is that the service's executable resides in c:\progam
files\xxx.

Thanks,

Mark

Mark delta P wrote:
> Hi All,
>
> I have an interesting issue. My laptop is running Vista Home Premium and has
> had AV installed and kept up to date from day one. Recently (don't know when
> it changed) a few, not all, of the services have had a "-" inserted before
> the path in the registry. The services affected were things like the Adobe
> file manager, Apple Ipod service, Sound card manager, Intel Raid monitor and
> Sony Event service. I can go into the registry and change them back by
> deleting the - from the beginning of the path, but after a while it returns.
> I am quite sure it's not some kind of malware (unless it's by-passed the
> AV), but its really annoying! Any ideas? The only thing I can see that they
> have in common is that the service's executable resides in c:\progam
> files\xxx.

Since services' executables do not reside in C:\Program Files, this is a
pretty sure sign your computer is infected.

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/...moving_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to
do all scans in Safe Mode. Please see the special Notes regarding using
Multi_AV in Vista.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://www.pctipp.ch/downloads/siche...ning_tool.html
- download site

The site is in German but David's tool is in English so don't let that
worry you. Scroll all the way down to almost the bottom of the page and
you'll see a box titled "Infos Zum Download - Multi-AV Scanning Tool".
You'll see "Download von www pctipp.ch" and the live link to download
Multi_AV.

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the first link above (not here, please).

Not all tools used will work in Vista and you will need to run them
elevated. Since Vista is so new, it will be a while before removal
techniques and tools are developed. If you are unable to remove the
infection by following the general steps, register at one of the
HijackThis forums as suggested.

Standard caveat: If the procedures look too complex - and there is no
shame in admitting this isn't your cup of tea - take the machine to a
professional computer repair shop (not your local version of
BigComputerStore/GeekSquad). Please be aware that not all local shops
are skilled at removing malware and even if they are, your computer may
be so infested that Windows will need to be clean-installed. Have all
your data backed up before you take the machine into a shop.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User