Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Alureon Infection [Solved]

Started by ZLynx , May 16 2010 10:42 AM

  • This topic is locked This topic is locked

#16
SweetTech
Posted 16 May 2010 - 01:27 PM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
Suspect::[100]
c:\windows\system32\drivers\cwvxzbne.sys

DirLook::
c:\users\Stu\AppData\Roaming\B0433E6A3980760B1B68A51693ADBED1
c:\users\Stu\AppData\Roaming\Metacafe

FileLook::
c:\windows\system32\DRIVERS\ntcdrdrv.sys

DDS::
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT:



Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as it is and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Checked (ticked) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following bolded text into the Posted Image textbox.


    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /180

  • Push Posted Image
  • A report will open. Copy and Paste that report in your next reply.



NEXT:


Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. The log that was produced after running the ComboFix scan.
3. The log that was produced after running the updated MalwareBytes' Anti-Malware scan.
4. The log that was produced after running the ESET Online Virus Scanner.
5. The logs that were produced after running the OTL scan.
6. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.
  • 0

Advertisements

#17
ZLynx
Posted 16 May 2010 - 01:31 PM

ZLynx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
Okay ill get back to you in a few with the results
  • 0

#18
SweetTech
Posted 16 May 2010 - 01:33 PM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
:)
  • 0

#19
ZLynx
Posted 16 May 2010 - 04:54 PM

ZLynx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
The ESET scan is taking a little while, 50% after 2 hours...ouch.
Ill get the logs to you as soon as theyre ready

Edited by ZLynx, 16 May 2010 - 04:55 PM.

  • 0

#20
SweetTech
Posted 16 May 2010 - 04:57 PM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Okay. Thanks for letting me know. :)
  • 0

#21
ZLynx
Posted 16 May 2010 - 08:04 PM

ZLynx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
Alrighty, here we go.
Combofix log:

ComboFix 10-05-16.01 - Stu 05/16/2010 13:40:29.2.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1526.764 [GMT -6:00]
Running from: c:\users\Stu\Desktop\ComboFix.exe
Command switches used :: c:\users\Stu\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

file zipped: c:\windows\System32\drivers\cwvxzbne.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\releaseengineer\Application Data\64dlls.exe
c:\documents and settings\releaseengineer\Application Data\intel64.exe
c:\documents and settings\releaseengineer\Application Data\localsys64.exe
c:\documents and settings\releaseengineer\Application Data\ntos.exe
c:\documents and settings\releaseengineer\Application Data\oembios.exe
c:\documents and settings\releaseengineer\Application Data\sdra64.exe
c:\documents and settings\releaseengineer\Application Data\swin32.exe
c:\documents and settings\releaseengineer\Application Data\twex.exe
c:\documents and settings\releaseengineer\Application Data\twext.exe
c:\documents and settings\releaseengineer\Application Data\wsnpoema.exe

----- BITS: Possible infected sites -----

hxxp://liveupdate.symantec.com
hxxp://definitions.symantec.com
.
((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))
.

2010-05-16 19:53 . 2010-05-16 19:55 -------- d-----w- c:\users\Stu\AppData\Local\temp
2010-05-16 19:53 . 2010-05-16 19:53 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-16 19:53 . 2010-05-16 19:53 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-05-16 19:53 . 2010-05-16 19:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-16 19:28 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-16 17:30 . 2010-05-16 17:30 -------- d-----w- C:\_OTL
2010-05-15 19:16 . 2010-05-15 19:16 -------- d-----w- c:\program files\ERUNT
2010-05-13 09:43 . 2010-05-13 09:43 149480 ----a-w- c:\windows\system32\drivers\cwvxzbne.sys
2010-05-12 21:39 . 2010-05-15 19:08 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-12 09:59 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-10 20:01 . 2010-05-10 20:01 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2010-05-04 23:40 . 2010-05-06 16:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 18:59 . 2010-05-04 18:58 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-04 18:50 . 2010-05-04 18:51 -------- d-----w- c:\program files\Lavasoft
2010-04-28 18:43 . 2010-04-28 18:43 -------- d-----w- c:\users\Stu\AppData\Roaming\Malwarebytes
2010-04-28 18:43 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-28 18:43 . 2010-05-16 07:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-28 18:43 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 23:50 . 2010-04-26 23:50 -------- d-----w- c:\users\Stu\AppData\Roaming\Roxio
2010-04-26 23:33 . 2010-04-27 00:48 256 ----a-w- c:\windows\system32\pool.bin
2010-04-26 23:33 . 2010-04-26 23:33 -------- d-----w- c:\users\Stu\AppData\Roaming\Research In Motion
2010-04-26 23:02 . 2010-04-26 23:02 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-04-26 23:01 . 2010-04-26 23:01 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-04-26 23:01 . 2010-04-26 23:02 -------- d-----w- c:\program files\Roxio
2010-04-26 23:00 . 2010-04-26 23:02 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-04-26 22:44 . 2007-01-18 16:24 26496 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2010-04-26 22:41 . 2010-04-26 22:42 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-04-26 22:41 . 2010-04-26 22:41 -------- d-----w- c:\program files\Research In Motion
2010-04-26 22:37 . 2010-04-26 22:37 -------- d-sh--w- c:\windows\ftpcache
2010-04-23 16:51 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-23 16:51 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-23 16:50 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-23 16:50 . 2010-03-04 17:33 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-23 16:50 . 2010-03-09 15:42 834048 ----a-w- c:\windows\system32\wininet.dll
2010-04-23 16:50 . 2010-03-09 16:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-04-23 16:49 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-23 16:49 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-23 16:49 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-23 16:49 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-23 16:49 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-23 16:49 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-23 16:47 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-21 18:04 . 2010-04-21 18:04 -------- d-----w- c:\program files\NOS
2010-04-19 22:16 . 2010-04-19 22:16 -------- d-----w- c:\users\Stu\AppData\Roaming\B0433E6A3980760B1B68A51693ADBED1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-16 19:55 . 2009-08-11 05:03 -------- d-----w- c:\program files\Common Files\Akamai
2010-05-16 19:28 . 2008-01-23 03:29 -------- d-----w- c:\program files\Common Files\Java
2010-05-16 19:27 . 2008-01-23 03:35 -------- d-----w- c:\program files\Java
2010-05-16 19:24 . 2008-03-19 17:05 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-16 18:57 . 2009-03-24 03:56 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-16 18:57 . 2009-03-24 03:56 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-16 18:57 . 2009-03-24 03:56 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-16 18:57 . 2009-03-24 03:56 -------- d-----w- c:\program files\Symantec
2010-05-16 16:16 . 2009-02-24 05:40 6756 ----a-w- c:\users\Stu\AppData\Local\d3d9caps.dat
2010-05-12 18:28 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-11 08:24 . 2009-08-11 05:03 -------- d-----w- c:\users\Stu\AppData\Roaming\Metacafe
2010-05-11 01:21 . 2007-12-29 05:17 140608 ----a-w- c:\users\Stu\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-10 19:45 . 2008-03-03 19:00 -------- d-----w- c:\program files\Microsoft Works
2010-05-04 19:29 . 2008-09-10 20:17 -------- d-----w- c:\program files\iWin Games
2010-04-30 16:20 . 2008-01-23 03:39 -------- d-----w- c:\users\Stu\AppData\Roaming\LimeWire
2010-04-26 23:01 . 2007-08-02 09:53 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-08 01:05 . 2010-03-08 01:05 64505 ----a-w- c:\users\Stu\AppData\Roaming\NeuLion\AdaptivePlugin\uninst.exe
2010-02-25 18:45 . 2008-03-08 18:31 8224 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2008-06-30 19:44 . 2008-08-31 08:42 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Stu\AppData\Roaming\B0433E6A3980760B1B68A51693ADBED1 ----


---- Directory of c:\users\Stu\AppData\Roaming\Metacafe ----

2010-05-11 07:31 . 2010-05-11 07:43 1181 ----a-w- c:\users\Stu\AppData\Roaming\Metacafe\Data\7782326\MP36f5tDc.dat
2010-05-11 07:31 . 2010-05-11 07:42 1112 ----a-w- c:\users\Stu\AppData\Roaming\Metacafe\Data\7782326\FE19df4t0.dat
2010-05-11 07:31 . 2010-05-11 07:40 702 ----a-w- c:\users\Stu\AppData\Roaming\Metacafe\Data\7782326\IIR602dr2.dat
2010-05-11 07:31 . 2010-05-11 07:43 2248 ----a-w- c:\users\Stu\AppData\Roaming\Metacafe\Data\7782326\VR8fsl23c.dat
2010-05-11 07:31 . 2010-05-11 07:57 1421 ----a-w- c:\users\Stu\AppData\Roaming\Metacafe\Data\7782326\IS4sdfP4.dat
2010-05-11 07:22 . 2010-05-11 07:42 1259 ----a-w- c:\users\Stu\AppData\Roaming\Metacafe\Data\7782326\IE34pccs6.dat
2009-08-11 05:04 . 2010-05-11 07:24 135833 ----a-w- c:\users\Stu\AppData\Roaming\Metacafe\Metacafe.7782326.2.Backup.dat
2009-08-11 05:04 . 2010-05-11 08:24 114648 ----a-w- c:\users\Stu\AppData\Roaming\Metacafe\Metacafe.7782326.2.dat
2009-08-11 05:03 . 2009-08-11 05:03 238 ----a-w- c:\users\Stu\AppData\Roaming\Metacafe\DetailedLog.7782326.2.txt
2009-08-11 05:03 . 2009-08-11 18:44 406837 ----a-w- c:\users\Stu\AppData\Roaming\Metacafe\Log.7782326.2.Archive1.txt
2009-08-11 05:03 . 2009-08-12 22:21 122340 ----a-w- c:\users\Stu\AppData\Roaming\Metacafe\Log.7782326.2.Archive2.txt
2009-08-11 05:03 . 2009-09-05 05:10 103304 ----a-w- c:\users\Stu\AppData\Roaming\Metacafe\Log.7782326.2.Archive3.txt
2009-08-11 05:03 . 2009-12-30 13:28 110028 ----a-w- c:\users\Stu\AppData\Roaming\Metacafe\Log.7782326.2.Archive4.txt
2009-08-11 05:03 . 2010-01-04 23:35 230266 ----a-w- c:\users\Stu\AppData\Roaming\Metacafe\Log.7782326.2.Archive5.txt
2009-08-11 05:03 . 2010-04-28 18:07 122733 ----a-w- c:\users\Stu\AppData\Roaming\Metacafe\Log.7782326.2.Archive6.txt
2009-08-11 05:03 . 2010-05-11 08:24 89600 ----a-w- c:\users\Stu\AppData\Roaming\Metacafe\Log.7782326.2.txt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-04-16 133104]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-30 1739776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 865840]
"PCMService"="c:\program files\Acer\Acer Arcade\PCMService.exe" [2007-06-22 155648]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-07-12 846344]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-05-04 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-03-05 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-05-04 312240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-16 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-16 150552]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-22 198160]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-11-23 615696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-11-10 236016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):39,0a,fc,b0,44,39,ca,01

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [x]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-29 102448]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [x]
S0 OCDE;ZTekWare Original CD Emulator Service;c:\windows\System32\Drivers\OCDE.sys [2007-08-26 30480]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0401000.020\SYMDS.SYS [2010-02-04 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0401000.020\SYMEFA.SYS [2010-02-04 172592]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100211.001\BHDrvx86.sys [2010-02-11 536112]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0401000.020\ccHPx86.sys [2010-02-25 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20091105.001\IDSVix86.sys [2010-02-04 343088]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0401000.020\Ironx86.SYS [2010-02-27 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\N360\0401000.020\SYMTDIV.SYS [2010-02-04 340016]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 AtomicAlarmClock;Atomic Alarm Clock Time;c:\program files\Atomic Alarm Clock\timeserv.exe [2008-09-29 415744]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-04-26 537520]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-26 99248]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe [2010-02-25 126392]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
Akamai REG_MULTI_SZ Akamai
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-24 22:15]

2010-05-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2381161337-1183444262-2068861460-1000Core.job
- c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 06:02]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2381161337-1183444262-2068861460-1000UA.job
- c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 06:02]

2010-05-16 c:\windows\Tasks\User_Feed_Synchronization-{8CAA04C7-6A35-458B-8BD5-3FC5BD7F1DD3}.job
- c:\windows\system32\msfeedssync.exe [2008-08-20 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-16 13:59
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.1.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4640)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
c:\windows\System32\actxprxy.dll
c:\acer\Empowering Technology\EPOWER\SysHook.dll
c:\windows\system32\Wlanapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
c:\program files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\spool\DRIVERS\W32X86\3\lxddserv.exe
c:\acer\Mobility Center\MobilityService.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\DllHost.exe
c:\windows\RtHDVCpl.exe
c:\program files\Launch Manager\LManager.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
c:\acer\Empowering Technology\eRecovery\ERAGENT.EXE
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-05-16 14:04:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-16 20:04
ComboFix2.txt 2010-05-16 18:28

Pre-Run: 1,765,658,624 bytes free
Post-Run: 1,528,889,344 bytes free

- - End Of File - - 36F89291FDC24B6241B34C8F55B4D792
Upload was successful
  • 0

#22
ZLynx
Posted 16 May 2010 - 08:06 PM

ZLynx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
MBAM and ESET:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4107

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

5/16/2010 2:23:47 PM
mbam-log-2010-05-16 (14-23-47).txt

Scan type: Quick scan
Objects scanned: 131577
Time elapsed: 9 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Cheat Engine (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESET:

C:\_OTL\MovedFiles\05162010_113012\C_Program Files\Data Protection\datext.dll a variant of Win32/Kryptik.EJL trojan
C:\_OTL\MovedFiles\05162010_113012\C_Program Files\Data Protection\dathook.dll a variant of Win32/Kryptik.EJL trojan
C:\_OTL\MovedFiles\05162010_113012\C_Program Files\Data Protection\Uninstall.exe a variant of Win32/Kryptik.EJL trojan
C:\_OTL\MovedFiles\05162010_113012\C_Users\Stu\AppData\Local\Temp\dmadmin.exe a variant of Win32/Kryptik.EJL trojan

Edited by ZLynx, 16 May 2010 - 08:07 PM.

  • 0

#23
ZLynx
Posted 16 May 2010 - 08:07 PM

ZLynx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
and finally OTL:

OTL logfile created on: 5/16/2010 6:22:00 PM - Run 2
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\Stu\Downloads
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 34.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 69.00% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 32.38 Gb Total Space | 1.28 Gb Free Space | 3.94% Space Free | Partition Type: NTFS
Drive D: | 32.38 Gb Total Space | 2.24 Gb Free Space | 6.93% Space Free | Partition Type: NTFS
Drive E: | 485.22 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: COLLEGECOMP
Current User Name: Stu
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/16 14:08:18 | 000,208,896 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Users\Stu\AppData\Local\temp\RtkBtMnt.exe
PRC - [2010/05/16 10:08:25 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Users\Stu\Downloads\OTL.exe
PRC - [2010/04/22 14:40:51 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/02/25 17:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
PRC - [2009/04/11 00:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/01/16 10:10:56 | 000,173,080 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxext.exe
PRC - [2008/11/22 22:16:08 | 000,615,696 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
PRC - [2008/09/29 14:19:22 | 000,415,744 | ---- | M] () -- C:\Program Files\Atomic Alarm Clock\timeserv.exe
PRC - [2007/08/02 12:33:50 | 000,080,528 | ---- | M] (INCA Internet Co., Ltd.) -- C:\Nexon\Mabinogi\npkcmsvc.exe
PRC - [2007/07/11 20:52:18 | 000,846,344 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\LManager.exe
PRC - [2007/07/06 13:06:00 | 004,669,440 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/07/06 12:07:52 | 000,450,560 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
PRC - [2007/07/03 11:40:10 | 000,053,248 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
PRC - [2007/06/28 19:50:52 | 000,024,576 | ---- | M] () -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
PRC - [2007/06/21 19:25:46 | 000,118,464 | ---- | M] () -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
PRC - [2007/06/21 19:25:44 | 000,257,736 | ---- | M] () -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
PRC - [2007/06/21 19:25:22 | 000,155,648 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Acer\Acer Arcade\PCMService.exe
PRC - [2007/06/21 19:24:12 | 001,076,832 | ---- | M] (Cyberlink) -- C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
PRC - [2007/06/13 17:54:36 | 000,135,168 | R--- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eNet\eNet Service.exe
PRC - [2007/06/13 12:23:54 | 000,167,936 | ---- | M] (acer) -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
PRC - [2007/04/25 23:21:42 | 000,099,248 | ---- | M] (Lexmark International, Inc.) -- C:\Windows\System32\spool\drivers\w32x86\3\lxddserv.exe
PRC - [2007/04/25 23:21:22 | 000,537,520 | ---- | M] ( ) -- C:\Windows\System32\lxddcoms.exe
PRC - [2007/04/25 17:34:30 | 000,457,512 | ---- | M] (HiTRSUT) -- C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
PRC - [2007/04/25 17:33:36 | 000,457,216 | ---- | M] (HiTRUST) -- C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
PRC - [2007/04/25 12:35:56 | 000,323,584 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe
PRC - [2007/04/23 10:53:48 | 000,024,576 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
PRC - [2007/03/21 14:00:04 | 000,355,096 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007/03/21 14:00:00 | 000,174,872 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2007/03/05 01:40:25 | 000,020,480 | ---- | M] (Lexmark) -- C:\Program Files\Lexmark 2500 Series\lxddamon.exe
PRC - [2007/02/09 07:35:54 | 000,397,312 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
PRC - [2006/11/24 13:57:54 | 000,107,008 | ---- | M] () -- C:\Acer\Mobility Center\MobilityService.exe


========== Modules (SafeList) ==========

MOD - [2010/05/16 10:08:25 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Users\Stu\Downloads\OTL.exe
MOD - [2010/05/04 12:51:57 | 000,653,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4148_none_5090ab56bcba71c2\msvcr90.dll
MOD - [2010/05/04 12:51:57 | 000,569,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4148_none_5090ab56bcba71c2\msvcp90.dll
MOD - [2010/03/26 17:52:36 | 000,415,088 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\4.1.0.32\asOEHook.dll
MOD - [2009/11/16 21:53:37 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\msvcr80.dll
MOD - [2009/11/16 21:53:37 | 000,554,832 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\msvcp80.dll
MOD - [2009/04/11 00:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2008/01/22 16:51:38 | 000,057,344 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131\mfc80ENU.dll
MOD - [2008/01/22 16:51:35 | 001,093,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed\mfc80u.dll
MOD - [2008/01/19 01:34:02 | 000,798,208 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dbghelp.dll
MOD - [2008/01/19 01:33:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2007/04/25 17:31:00 | 000,028,672 | ---- | M] () -- C:\Windows\System32\BatchCrypto.dll
MOD - [2007/04/25 17:30:44 | 000,063,488 | ---- | M] () -- C:\Windows\System32\ShowErrMsg.dll
MOD - [2007/04/25 17:30:40 | 000,286,720 | ---- | M] (HiTRUST) -- C:\Windows\System32\sysenv.dll
MOD - [2007/03/17 06:19:08 | 000,237,568 | ---- | M] (HiTRSUT) -- C:\Windows\System32\keyManager.dll
MOD - [2007/02/12 17:02:08 | 000,094,208 | ---- | M] (HiTRUST Inc.) -- C:\Windows\System32\MSNChatHook.dll
MOD - [2007/02/07 10:25:00 | 000,208,896 | ---- | M] () -- C:\Acer\Empowering Technology\ePower\SysHook.dll
MOD - [2006/11/29 22:30:18 | 000,401,408 | ---- | M] (HiTRUST) -- C:\Windows\System32\CryptoAPI.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/04/29 23:15:41 | 002,478,640 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\rswin_3697.dll -- (Akamai)
SRV - [2010/03/29 08:51:54 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2010/02/25 17:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe -- (N360)
SRV - [2009/09/24 19:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2008/09/29 14:19:22 | 000,415,744 | ---- | M] () [Auto | Running] -- C:\Program Files\Atomic Alarm Clock\timeserv.exe -- (AtomicAlarmClock)
SRV - [2008/05/10 03:27:03 | 000,087,288 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2008/01/19 01:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/08/02 12:33:50 | 000,080,528 | ---- | M] (INCA Internet Co., Ltd.) [Auto | Running] -- C:\Nexon\Mabinogi\npkcmsvc.exe -- (npkcmsvc)
SRV - [2007/07/03 11:40:10 | 000,053,248 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe -- (eRecoveryService)
SRV - [2007/06/28 19:50:52 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe -- (eSettingsService)
SRV - [2007/06/21 19:25:46 | 000,118,464 | ---- | M] () [Auto | Running] -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe -- (CLSched) CyberLink Task Scheduler (CTS)
SRV - [2007/06/21 19:25:44 | 000,257,736 | ---- | M] () [Auto | Running] -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe -- (CLCapSvc) CyberLink Background Capture Service (CBCS)
SRV - [2007/06/21 19:24:12 | 001,076,832 | ---- | M] (Cyberlink) [Auto | Running] -- C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe -- (CyberLink Media Library Service)
SRV - [2007/06/13 17:54:36 | 000,135,168 | R--- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\eNet\eNet Service.exe -- (eNet Service)
SRV - [2007/06/13 12:23:54 | 000,167,936 | ---- | M] (acer) [Auto | Running] -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe -- (WMIService)
SRV - [2007/04/25 23:21:42 | 000,099,248 | ---- | M] () [Auto | Running] -- C:\Windows\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe -- (lxddCATSCustConnectService)
SRV - [2007/04/25 23:21:22 | 000,537,520 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxddcoms.exe -- (lxdd_device)
SRV - [2007/04/25 17:34:30 | 000,457,512 | ---- | M] (HiTRSUT) [Auto | Running] -- C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe -- (eDataSecurity Service)
SRV - [2007/04/23 10:53:48 | 000,024,576 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe -- (eLockService)
SRV - [2007/03/21 14:00:04 | 000,355,096 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2006/11/24 13:57:54 | 000,107,008 | ---- | M] () [Auto | Running] -- C:\Acer\Mobility Center\MobilityService.exe -- (MobilityService)


========== Driver Services (SafeList) ==========

DRV - [2010/05/16 12:57:27 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/05/15 01:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\VirusDefs\20100515.019\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/05/15 01:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\VirusDefs\20100515.019\NAVENG.SYS -- (NAVENG)
DRV - [2010/04/29 11:44:04 | 000,537,136 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2010/02/26 20:23:54 | 000,116,784 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\N360\0401000.020\Ironx86.SYS -- (SymIRON)
DRV - [2010/02/26 20:23:21 | 000,325,680 | R--- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\Drivers\N360\0401000.020\SRTSP.SYS -- (SRTSP)
DRV - [2010/02/26 20:23:21 | 000,043,696 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\N360\0401000.020\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/02/25 17:22:57 | 000,501,888 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\N360\0401000.020\ccHPx86.sys -- (ccHP)
DRV - [2010/02/03 19:40:52 | 000,340,016 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\N360\0401000.020\SYMTDIV.SYS -- (SYMTDIv)
DRV - [2010/02/03 19:40:50 | 000,172,592 | R--- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\system32\drivers\N360\0401000.020\SYMEFA.SYS -- (SymEFA)
DRV - [2010/02/03 19:40:47 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\N360\0401000.020\SYMDS.SYS -- (SymDS)
DRV - [2010/02/03 19:40:07 | 000,343,088 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100505.001\IDSvix86.sys -- (IDSVix86)
DRV - [2009/08/29 02:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/08/29 02:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/01/16 09:53:32 | 004,568,064 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2008/12/29 23:57:56 | 000,952,832 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/12/19 18:08:28 | 000,030,088 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\point32k.sys -- (Point32)
DRV - [2007/12/06 10:51:00 | 000,298,496 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk60x86.sys -- (yukonwlh)
DRV - [2007/08/25 19:27:32 | 000,030,480 | ---- | M] (ZTekWare.) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\OCDE.sys -- (OCDE)
DRV - [2007/08/20 12:22:52 | 000,006,144 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV - [2007/07/10 11:59:00 | 001,792,792 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/05/09 15:28:28 | 000,185,392 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/04/25 17:34:44 | 000,016,680 | ---- | M] (HiTRUST) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\PSDNServ.sys -- (PSDNServ)
DRV - [2007/04/25 17:34:40 | 000,060,712 | ---- | M] (HiTRUST) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\psdvdisk.sys -- (psdvdisk)
DRV - [2007/04/25 17:34:38 | 000,020,776 | ---- | M] (HiTRUST) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\psdfilter.sys -- (PSDFilter)
DRV - [2007/03/21 13:58:56 | 000,304,920 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2006/12/22 13:50:24 | 000,985,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2006/12/22 13:49:04 | 000,207,360 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2006/12/22 13:48:54 | 000,659,968 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2006/12/07 19:12:02 | 000,076,584 | ---- | M] () [Kernel | Auto | Running] -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15)
DRV - [2006/11/28 18:44:52 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/11/02 23:29:36 | 000,021,264 | ---- | M] (Dritek System Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\DKbFltr.sys -- (DKbFltr)
DRV - [2006/11/02 03:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 03:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 03:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 03:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 03:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 03:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 03:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 03:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 03:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 03:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 03:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 03:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 03:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 03:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 03:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 03:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 03:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 03:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 03:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 03:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 03:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 03:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 03:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 03:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 03:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 03:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 03:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 03:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 03:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 03:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 03:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 03:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 03:49:30 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2006/11/02 03:49:28 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2006/11/02 03:49:20 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2006/11/02 02:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 02:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 02:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 02:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 02:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 02:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 01:41:49 | 000,200,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (HSFHWAZL)
DRV - [2006/11/02 01:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 01:30:56 | 000,429,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvm60x32.sys -- (NVENETFD)
DRV - [2006/11/02 01:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2006/11/02 01:30:53 | 000,464,384 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XV)
DRV - [2002/05/06 12:01:10 | 000,028,320 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\aspi32.sys -- (Aspi32)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{98e34367-8df7-42b4-837b-20b892ff0847}: C:\ProgramData\iWin Games\firefox [2010/05/05 10:07:38 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\IPSFFPlgn\ [2010/05/16 16:10:15 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\coFFPlgn\ [2010/05/16 13:09:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/22 14:40:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/16 13:28:06 | 000,000,000 | ---D | M]

[2010/05/16 14:11:53 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/16 13:28:11 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2008/06/30 13:44:08 | 000,324,976 | ---- | M] (Symantec Corporation) -- C:\Program Files\Mozilla Firefox\components\coFFPlgn.dll
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/05/16 13:55:29 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\4.1.0.32\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\4.1.0.32\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\System32\eDStoolbar.dll (HiTRUST)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\4.1.0.32\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Windows\System32\eDStoolbar.dll (HiTRUST)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O4 - HKLM..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe ()
O4 - HKLM..\Run: [Acer Product Registration] C:\Program Files\Acer Registration\ACE1.exe (Leader Technologies)
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe (HiTRUST)
O4 - HKLM..\Run: [FaxCenterServer] C:\Program Files\Lexmark Fax Solutions\fm3032.exe ()
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [lxddamon] C:\Program Files\Lexmark 2500 Series\lxddamon.exe (Lexmark)
O4 - HKLM..\Run: [lxddmon.exe] C:\Program Files\Lexmark 2500 Series\lxddmon.exe ()
O4 - HKLM..\Run: [PCMService] C:\Program Files\Acer\Acer Arcade\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [SkinClock] C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe ()
O4 - Startup: C:\Users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 69.145.248.50 69.145.232.4 69.145.248.4
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Users\Stu\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Stu\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 15:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2008/12/08 07:43:33 | 000,000,025 | R--- | M] () - E:\Autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/09/03 14:05:34 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2010/05/16 14:25:09 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/05/16 14:05:29 | 000,000,000 | ---D | C] -- C:\Users\Stu\AppData\Local\temp
[2010/05/16 14:03:36 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/05/16 13:53:38 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/05/16 13:32:36 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/05/16 13:28:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010/05/16 13:28:05 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2010/05/16 13:28:05 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/05/16 13:28:05 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/05/16 13:28:04 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/05/16 11:54:57 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/05/16 11:54:57 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/05/16 11:54:57 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/05/16 11:52:19 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/16 11:30:12 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/05/15 13:17:20 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/05/15 13:16:43 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/05/13 03:43:07 | 000,149,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\cwvxzbne.sys
[2010/05/12 15:39:43 | 000,000,000 | ---D | C] -- C:\Windows\System32\MpEngineStore
[2010/05/04 17:40:13 | 000,221,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010/05/04 12:59:09 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2010/05/04 12:50:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2010/05/04 12:50:19 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/04/28 12:43:40 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/28 12:43:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/04/28 12:43:34 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/28 12:43:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/26 17:51:00 | 000,000,000 | ---D | C] -- C:\ProgramData\InstallShield
[2010/04/26 17:08:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Sonic
[2010/04/26 17:02:49 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PX Storage Engine
[2010/04/26 17:01:02 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Sonic Shared
[2010/04/26 17:01:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Roxio
[2010/04/26 17:01:00 | 000,000,000 | ---D | C] -- C:\Program Files\Roxio
[2010/04/26 17:00:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Roxio Shared
[2010/04/26 16:41:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Research In Motion
[2010/04/26 16:41:41 | 000,000,000 | ---D | C] -- C:\Program Files\Research In Motion
[2010/04/26 16:37:44 | 000,000,000 | -HSD | C] -- C:\Windows\ftpcache
[2010/04/23 10:57:54 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/04/23 10:51:11 | 000,220,672 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\System32\l3codecp.acm
[2010/04/23 10:51:11 | 000,062,464 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\System32\l3codeca.acm
[2010/04/23 10:51:02 | 003,548,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010/04/23 10:51:01 | 003,600,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010/04/23 10:50:39 | 000,430,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2010/04/23 10:50:05 | 000,180,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2010/04/23 10:50:03 | 000,193,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010/04/23 10:50:03 | 000,078,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieencode.dll
[2010/04/23 10:49:59 | 000,380,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2010/04/21 12:04:06 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2008/09/18 16:10:50 | 000,323,584 | ---- | C] ( ) -- C:\Windows\System32\LXDDhcp.dll
[2008/09/18 16:10:49 | 000,413,696 | ---- | C] ( ) -- C:\Windows\System32\lxddinpa.dll
[2008/09/18 16:10:49 | 000,397,312 | ---- | C] ( ) -- C:\Windows\System32\lxddiesc.dll
[2008/09/18 16:10:48 | 001,232,896 | ---- | C] ( ) -- C:\Windows\System32\lxddserv.dll
[2008/09/18 16:10:48 | 000,999,424 | ---- | C] ( ) -- C:\Windows\System32\lxddusb1.dll
[2008/09/18 16:10:48 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\lxddpmui.dll
[2008/09/18 16:10:48 | 000,163,840 | ---- | C] ( ) -- C:\Windows\System32\lxddprox.dll
[2008/09/18 16:10:48 | 000,094,208 | ---- | C] ( ) -- C:\Windows\System32\lxddpplc.dll
[2008/09/18 16:10:47 | 000,585,728 | ---- | C] ( ) -- C:\Windows\System32\lxddlmpm.dll
[2008/09/18 16:10:46 | 000,700,416 | ---- | C] ( ) -- C:\Windows\System32\lxddhbn3.dll
[2008/09/18 16:10:45 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\lxddcomc.dll
[2008/09/18 16:10:45 | 000,425,984 | ---- | C] ( ) -- C:\Windows\System32\lxddcomm.dll
[2007/08/20 12:50:13 | 000,053,248 | ---- | C] ( ) -- C:\Windows\System32\Interop.Shell32.dll

========== Files - Modified Within 30 Days ==========

[2010/05/16 18:26:29 | 001,927,440 | ---- | M] () -- C:\Windows\System32\drivers\N360\0401000.020\Cat.DB
[2010/05/16 18:26:27 | 004,980,736 | -HS- | M] () -- C:\Users\Stu\ntuser.dat
[2010/05/16 18:07:47 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/16 18:07:47 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/16 17:52:05 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2381161337-1183444262-2068861460-1000UA.job
[2010/05/16 14:55:14 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2010/05/16 14:13:22 | 000,694,964 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/05/16 14:13:22 | 000,598,588 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/05/16 14:13:22 | 000,102,194 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/05/16 14:07:42 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/05/16 14:07:37 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/16 14:06:08 | 000,524,288 | -HS- | M] () -- C:\Users\Stu\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms
[2010/05/16 14:06:08 | 000,065,536 | -HS- | M] () -- C:\Users\Stu\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TM.blf
[2010/05/16 14:05:59 | 001,904,779 | -H-- | M] () -- C:\Users\Stu\AppData\Local\IconCache.db
[2010/05/16 13:59:32 | 000,000,414 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{8CAA04C7-6A35-458B-8BD5-3FC5BD7F1DD3}.job
[2010/05/16 13:55:46 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/05/16 13:55:29 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/05/16 13:24:17 | 000,001,891 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/05/16 13:06:13 | 000,000,905 | ---- | M] () -- C:\Users\Stu\Desktop\Norton Installation Files.lnk
[2010/05/16 13:06:06 | 000,002,144 | ---- | M] () -- C:\Users\Public\Desktop\Norton 360.lnk
[2010/05/16 12:57:27 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS
[2010/05/16 12:57:27 | 000,007,443 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.CAT
[2010/05/16 12:57:27 | 000,000,805 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.INF
[2010/05/16 11:49:38 | 003,689,722 | R--- | M] () -- C:\Users\Stu\Desktop\ComboFix.exe
[2010/05/16 10:16:18 | 000,006,756 | ---- | M] () -- C:\Users\Stu\AppData\Local\d3d9caps.dat
[2010/05/14 01:52:05 | 000,000,848 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2381161337-1183444262-2068861460-1000Core.job
[2010/05/13 03:43:07 | 000,149,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\cwvxzbne.sys
[2010/05/12 12:11:44 | 000,000,171 | ---- | M] () -- C:\Windows\System32\MRT.INI
[2010/05/11 11:28:27 | 000,002,036 | ---- | M] () -- C:\Users\Stu\Desktop\Google Chrome.lnk
[2010/05/11 01:45:39 | 000,040,448 | ---- | M] () -- C:\Users\Stu\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/10 19:21:48 | 000,140,608 | ---- | M] () -- C:\Users\Stu\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/05/10 18:40:15 | 000,491,872 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/05/06 10:36:38 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010/05/04 12:58:42 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2010/05/04 12:57:35 | 000,062,976 | ---- | M] () -- C:\Users\Stu\Desktop\stronglifts-5x5.xls
[2010/05/02 14:30:13 | 000,022,101 | ---- | M] () -- C:\Users\Stu\Documents\RESUME '09.docx
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/26 18:48:54 | 000,000,256 | ---- | M] () -- C:\Windows\System32\pool.bin
[2010/04/26 16:42:22 | 000,001,873 | ---- | M] () -- C:\Users\Public\Desktop\Desktop Manager.lnk
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\Windows\PEV.exe
[2010/04/23 10:55:08 | 000,000,455 | ---- | M] () -- C:\Windows\win.ini

========== Files Created - No Company Name ==========

[2010/05/16 13:23:17 | 000,001,891 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/05/16 13:06:06 | 000,002,144 | ---- | C] () -- C:\Users\Public\Desktop\Norton 360.lnk
[2010/05/16 12:54:45 | 000,000,905 | ---- | C] () -- C:\Users\Stu\Desktop\Norton Installation Files.lnk
[2010/05/16 11:54:57 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/05/16 11:54:57 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/05/16 11:54:57 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/05/16 11:54:57 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/05/16 11:54:57 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/05/16 11:49:33 | 003,689,722 | R--- | C] () -- C:\Users\Stu\Desktop\ComboFix.exe
[2010/05/15 17:23:35 | 000,293,376 | ---- | C] () -- C:\Users\Stu\Desktop\gmer.exe
[2010/05/12 12:11:44 | 000,000,171 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2010/05/11 11:28:27 | 000,002,036 | ---- | C] () -- C:\Users\Stu\Desktop\Google Chrome.lnk
[2010/05/10 13:18:16 | 000,000,868 | ---- | C] () -- C:\Windows\tasks\Google Software Updater.job
[2010/05/02 16:14:42 | 000,062,976 | ---- | C] () -- C:\Users\Stu\Desktop\stronglifts-5x5.xls
[2010/04/26 17:33:47 | 000,000,256 | ---- | C] () -- C:\Windows\System32\pool.bin
[2010/04/26 16:42:22 | 000,001,873 | ---- | C] () -- C:\Users\Public\Desktop\Desktop Manager.lnk
[2009/09/17 17:33:08 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/12 19:46:28 | 004,762,112 | ---- | C] () -- C:\Windows\System32\NCMedia.dll
[2009/08/12 19:46:28 | 000,383,238 | ---- | C] () -- C:\Windows\System32\libmp3lame-0.dll
[2009/04/11 02:24:45 | 000,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/02/27 14:00:20 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
[2008/12/18 14:14:16 | 000,010,240 | -H-- | C] () -- C:\Windows\System32\drivers\CrucialSMBusScan.sys
[2008/09/18 16:25:45 | 000,344,064 | ---- | C] () -- C:\Windows\System32\lxddcoin.dll
[2008/09/18 16:18:30 | 000,045,056 | ---- | C] () -- C:\Windows\System32\LXF3PMON.DLL
[2008/09/18 16:18:30 | 000,032,768 | ---- | C] () -- C:\Windows\System32\LXF3FXPU.DLL
[2008/09/18 16:18:08 | 000,036,864 | ---- | C] () -- C:\Windows\System32\lxf3oem.dll
[2008/09/18 16:18:08 | 000,012,288 | ---- | C] () -- C:\Windows\System32\LXF3PMRC.DLL
[2008/09/18 16:13:46 | 000,000,044 | ---- | C] () -- C:\Windows\System32\lxddrwrd.ini
[2008/09/18 16:10:50 | 000,286,720 | ---- | C] () -- C:\Windows\System32\LXDDinst.dll
[2008/09/18 16:10:46 | 000,208,896 | ---- | C] () -- C:\Windows\System32\lxddgrd.dll
[2008/02/11 20:55:18 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2008/02/01 16:10:01 | 001,970,176 | ---- | C] () -- C:\Windows\System32\d3dx9.dll
[2008/01/02 17:57:36 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1409.dll
[2008/01/02 17:47:22 | 001,953,696 | ---- | C] () -- C:\Windows\System32\igklg400.dll
[2008/01/02 17:47:22 | 001,533,360 | ---- | C] () -- C:\Windows\System32\igklg450.dll
[2008/01/02 17:47:22 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2007/10/19 09:32:58 | 000,910,304 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2007/10/19 09:32:58 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1244.dll
[2007/10/19 09:05:32 | 000,076,584 | ---- | C] () -- C:\Windows\System32\drivers\int15.sys
[2007/10/19 09:05:32 | 000,015,656 | ---- | C] () -- C:\Windows\System32\drivers\int15_64.sys
[2007/10/19 09:04:48 | 000,065,536 | ---- | C] () -- C:\Windows\System32\NATTraversal.dll
[2007/08/20 15:27:16 | 000,001,024 | RH-- | C] () -- C:\Windows\System32\NTIBUN4.dll
[2007/08/20 12:50:11 | 000,331,776 | ---- | C] () -- C:\Windows\System32\ScrollBarLib.dll
[2007/08/02 03:54:25 | 000,001,132 | ---- | C] () -- C:\Windows\RtDefLvl.ini
[2007/08/02 03:13:26 | 000,872,448 | ---- | C] () -- C:\Windows\iconv.dll
[2007/08/02 03:13:26 | 000,743,424 | ---- | C] () -- C:\Windows\libxml2.dll
[2007/08/02 03:13:26 | 000,000,042 | ---- | C] () -- C:\Windows\PreLaunch.ini
[2007/08/02 03:13:25 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2007/07/25 16:24:30 | 000,765,952 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2007/04/25 17:33:22 | 000,266,240 | ---- | C] () -- C:\Windows\System32\NotesExtmngr.dll
[2007/04/25 17:32:50 | 000,204,800 | ---- | C] () -- C:\Windows\System32\NotesActnMenu.dll
[2007/04/25 17:32:46 | 000,086,016 | ---- | C] () -- C:\Windows\System32\MSNSpook.dll
[2007/04/25 17:31:00 | 000,028,672 | ---- | C] () -- C:\Windows\System32\BatchCrypto.dll
[2007/04/25 17:30:52 | 000,073,728 | ---- | C] () -- C:\Windows\System32\APISlice.dll
[2007/04/25 17:30:44 | 000,063,488 | ---- | C] () -- C:\Windows\System32\ShowErrMsg.dll
[2007/01/23 12:40:03 | 000,065,536 | ---- | C] () -- C:\Windows\System32\lxddcaps.dll
[2007/01/09 10:13:08 | 000,692,224 | ---- | C] () -- C:\Windows\System32\lxdddrs.dll
[2006/12/25 16:44:48 | 000,022,016 | ---- | C] () -- C:\Windows\System32\MailFormat_U.dll
[2006/11/02 01:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/10/06 11:08:04 | 000,069,632 | ---- | C] () -- C:\Windows\System32\lxddcnv4.dll
[2006/05/17 20:47:12 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxddvs.dll
[2006/02/26 17:08:28 | 000,585,728 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2001/12/26 17:12:30 | 000,065,536 | ---- | C] () -- C:\Windows\System32\multiplex_vcd.dll
[2001/09/04 00:46:38 | 000,110,592 | ---- | C] () -- C:\Windows\System32\Hmpg12.dll
[2001/07/30 17:33:56 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC.dll
[2001/07/23 23:04:36 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC_MMX.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2007/10/19 09:03:25 | 000,003,380 | ---- | M] () -- C:\-20071019.log
[2010/05/15 13:09:20 | 000,002,904 | ---- | M] () -- C:\aaw7boot.log
[2007/10/19 08:58:02 | 000,000,090 | ---- | M] () -- C:\Arcade.log
[2006/09/18 15:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2009/04/11 00:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2006/12/09 20:40:08 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2010/05/16 14:05:25 | 000,020,485 | ---- | M] () -- C:\ComboFix.txt
[2006/09/18 15:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2009/12/27 22:02:16 | 000,000,079 | ---- | M] () -- C:\DVDPATH.TXT
[2008/10/02 23:15:44 | 000,000,081 | ---- | M] () -- C:\lxdd.log
[2010/05/16 01:18:03 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2010/05/16 14:07:31 | 1562,570,752 | -HS- | M] () -- C:\pagefile.sys
[2007/09/05 12:58:22 | 000,001,586 | -HS- | M] () -- C:\Patch.rev
[2009/08/05 22:32:31 | 000,024,576 | -H-- | M] () -- C:\PCM.db
[2007/08/20 11:56:37 | 000,000,132 | RHS- | M] () -- C:\preload.rev
[2008/04/29 02:09:05 | 000,131,238 | ---- | M] () -- C:\ptcsetup.log
[2009/07/12 20:35:53 | 000,002,006 | ---- | M] () -- C:\tracer.txt
[2009/07/12 20:31:35 | 000,000,000 | ---- | M] () -- C:\tracert.txt
[2007/08/02 03:13:30 | 000,000,004 | ---- | M] () -- C:\wps.dat

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/04/11 00:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2009/04/11 00:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/11/02 04:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 04:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 04:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 04:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 04:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\system32\drivers\*.sys /180 >
[2010/05/13 03:43:07 | 000,149,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\cwvxzbne.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/02/23 05:10:13 | 000,106,496 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb.sys
[2010/02/23 05:10:19 | 000,212,992 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb10.sys
[2010/02/23 05:10:13 | 000,079,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb20.sys
[2010/05/04 12:58:42 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2009/12/11 05:43:30 | 000,302,080 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\srv.sys
[2009/12/11 05:43:11 | 000,098,816 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\srvnet.sys
[2010/05/16 12:57:27 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS
[2010/02/18 08:07:16 | 000,904,576 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tcpip.sys
[2009/12/08 11:26:18 | 000,030,720 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tcpipreg.sys
[2010/02/18 05:28:13 | 000,025,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tunnel.sys
< End of report >
  • 0

#24
SweetTech
Posted 16 May 2010 - 08:09 PM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts

6. An update on how your computer is currently running.


  • 0

#25
ZLynx
Posted 16 May 2010 - 08:13 PM

ZLynx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
My computer seems to be running alright. A lot better than it was before starting this process.
During the ESET scan My antivirus kicked in, because i set it to turn back on after 2 hours. When it turned on, it told me it discovered a backdoor.tidserv.i on my computer. Im not sure if any of the scans picked that up or not.

How are we lookin' so far?
  • 0

Advertisements

#26
SweetTech
Posted 17 May 2010 - 08:44 AM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,


ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
File::
c:\windows\system32\drivers\cwvxzbne.sys

Folder::
c:\users\Stu\AppData\Roaming\B0433E6A3980760B1B68A51693ADBED1

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT:



We need to remove a program. To do this please do the following:
For Vista Users:
  • Click on Start > Control Panel and double click on Programs and Features.
  • Locate Java™ 6 Update 7 and click on the Uninstall button to uninstall it.
  • Close Control Panel when done.


NEXT:



Update FireFox
While in Firefox go to the Help menu.
Locate Check for Updates.
Allow Firefox to install the latest update. Which is 3.6.3



NEXT:



Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws so it is recommended that you update your copy
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader
Alternative Option: after uninstalling Adobe Reader, you could try installing Foxit Reader from >here< Foxit Reader has fewer add-ons therefore loads more quickly.



NEXT:



Please include the log that was produced after running ComboFix as well as any outstanding issues (if any) that you are still experiencing with your computer.
  • 0

#27
ZLynx
Posted 17 May 2010 - 02:17 PM

ZLynx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
Good Morning
Alright, heres the combofix log:

ComboFix 10-05-16.02 - Stu 05/17/2010 13:31:43.3.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1526.769 [GMT -6:00]
Running from: c:\users\Stu\Desktop\ComboFix.exe
Command switches used :: c:\users\Stu\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"c:\windows\system32\drivers\cwvxzbne.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\releaseengineer\Application Data\64dlls.exe
c:\documents and settings\releaseengineer\Application Data\intel64.exe
c:\documents and settings\releaseengineer\Application Data\localsys64.exe
c:\documents and settings\releaseengineer\Application Data\ntos.exe
c:\documents and settings\releaseengineer\Application Data\oembios.exe
c:\documents and settings\releaseengineer\Application Data\sdra64.exe
c:\documents and settings\releaseengineer\Application Data\swin32.exe
c:\documents and settings\releaseengineer\Application Data\twex.exe
c:\documents and settings\releaseengineer\Application Data\twext.exe
c:\documents and settings\releaseengineer\Application Data\wsnpoema.exe
c:\users\Stu\AppData\Roaming\B0433E6A3980760B1B68A51693ADBED1
c:\windows\system32\drivers\cwvxzbne.sys

----- BITS: Possible infected sites -----

hxxp://liveupdate.symantec.com
hxxp://definitions.symantec.com
.
((((((((((((((((((((((((( Files Created from 2010-04-17 to 2010-05-17 )))))))))))))))))))))))))))))))
.

2010-05-17 19:44 . 2010-05-17 19:48 -------- d-----w- c:\users\Stu\AppData\Local\temp
2010-05-17 19:44 . 2010-05-17 19:44 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-17 19:44 . 2010-05-17 19:44 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-05-17 19:44 . 2010-05-17 19:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-16 20:25 . 2010-05-16 20:25 -------- d-----w- c:\program files\ESET
2010-05-16 19:28 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-16 17:30 . 2010-05-16 17:30 -------- d-----w- C:\_OTL
2010-05-15 19:16 . 2010-05-15 19:16 -------- d-----w- c:\program files\ERUNT
2010-05-12 21:39 . 2010-05-15 19:08 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-12 09:59 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-10 20:01 . 2010-05-10 20:01 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2010-05-04 23:40 . 2010-05-06 16:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 18:59 . 2010-05-04 18:58 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-04 18:50 . 2010-05-04 18:51 -------- d-----w- c:\program files\Lavasoft
2010-04-28 18:43 . 2010-04-28 18:43 -------- d-----w- c:\users\Stu\AppData\Roaming\Malwarebytes
2010-04-28 18:43 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-28 18:43 . 2010-05-16 07:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-28 18:43 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 23:50 . 2010-04-26 23:50 -------- d-----w- c:\users\Stu\AppData\Roaming\Roxio
2010-04-26 23:33 . 2010-04-27 00:48 256 ----a-w- c:\windows\system32\pool.bin
2010-04-26 23:33 . 2010-04-26 23:33 -------- d-----w- c:\users\Stu\AppData\Roaming\Research In Motion
2010-04-26 23:02 . 2010-04-26 23:02 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-04-26 23:01 . 2010-04-26 23:01 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-04-26 23:01 . 2010-04-26 23:02 -------- d-----w- c:\program files\Roxio
2010-04-26 23:00 . 2010-04-26 23:02 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-04-26 22:44 . 2007-01-18 16:24 26496 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2010-04-26 22:41 . 2010-04-26 22:42 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-04-26 22:41 . 2010-04-26 22:41 -------- d-----w- c:\program files\Research In Motion
2010-04-26 22:37 . 2010-04-26 22:37 -------- d-sh--w- c:\windows\ftpcache
2010-04-23 16:51 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-23 16:51 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-23 16:50 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-23 16:50 . 2010-03-04 17:33 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-23 16:50 . 2010-03-09 15:42 834048 ----a-w- c:\windows\system32\wininet.dll
2010-04-23 16:50 . 2010-03-09 16:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-04-23 16:49 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-23 16:49 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-23 16:49 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-23 16:49 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-23 16:49 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-23 16:49 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-23 16:47 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-21 18:04 . 2010-04-21 18:04 -------- d-----w- c:\program files\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-17 19:46 . 2009-08-11 05:03 -------- d-----w- c:\program files\Common Files\Akamai
2010-05-16 19:28 . 2008-01-23 03:29 -------- d-----w- c:\program files\Common Files\Java
2010-05-16 19:27 . 2008-01-23 03:35 -------- d-----w- c:\program files\Java
2010-05-16 19:24 . 2008-03-19 17:05 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-16 18:57 . 2009-03-24 03:56 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-16 18:57 . 2009-03-24 03:56 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-16 18:57 . 2009-03-24 03:56 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-16 18:57 . 2009-03-24 03:56 -------- d-----w- c:\program files\Symantec
2010-05-16 16:16 . 2009-02-24 05:40 6756 ----a-w- c:\users\Stu\AppData\Local\d3d9caps.dat
2010-05-12 18:28 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-11 08:24 . 2009-08-11 05:03 -------- d-----w- c:\users\Stu\AppData\Roaming\Metacafe
2010-05-11 01:21 . 2007-12-29 05:17 140608 ----a-w- c:\users\Stu\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-10 19:45 . 2008-03-03 19:00 -------- d-----w- c:\program files\Microsoft Works
2010-05-04 19:29 . 2008-09-10 20:17 -------- d-----w- c:\program files\iWin Games
2010-04-30 16:20 . 2008-01-23 03:39 -------- d-----w- c:\users\Stu\AppData\Roaming\LimeWire
2010-04-26 23:01 . 2007-08-02 09:53 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-08 01:05 . 2010-03-08 01:05 64505 ----a-w- c:\users\Stu\AppData\Roaming\NeuLion\AdaptivePlugin\uninst.exe
2010-02-25 18:45 . 2008-03-08 18:31 8224 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2008-06-30 19:44 . 2008-08-31 08:42 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-04-16 133104]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-30 1739776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 865840]
"PCMService"="c:\program files\Acer\Acer Arcade\PCMService.exe" [2007-06-22 155648]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-07-12 846344]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-05-04 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-03-05 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-05-04 312240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-16 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-16 150552]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-22 198160]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-11-23 615696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-11-10 236016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):39,0a,fc,b0,44,39,ca,01

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [x]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [x]
S0 OCDE;ZTekWare Original CD Emulator Service;c:\windows\System32\Drivers\OCDE.sys [2007-08-26 30480]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0401000.020\SYMDS.SYS [2010-02-04 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0401000.020\SYMEFA.SYS [2010-02-04 172592]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [2010-04-29 537136]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0401000.020\ccHPx86.sys [2010-02-25 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100513.002\IDSvix86.sys [2010-02-04 343088]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0401000.020\Ironx86.SYS [2010-02-27 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\N360\0401000.020\SYMTDIV.SYS [2010-02-04 340016]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 AtomicAlarmClock;Atomic Alarm Clock Time;c:\program files\Atomic Alarm Clock\timeserv.exe [2008-09-29 415744]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-04-26 537520]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-26 99248]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe [2010-02-25 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-29 102448]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
Akamai REG_MULTI_SZ Akamai
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-24 22:15]

2010-05-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2381161337-1183444262-2068861460-1000Core.job
- c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 06:02]

2010-05-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2381161337-1183444262-2068861460-1000UA.job
- c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 06:02]

2010-05-16 c:\windows\Tasks\User_Feed_Synchronization-{8CAA04C7-6A35-458B-8BD5-3FC5BD7F1DD3}.job
- c:\windows\system32\msfeedssync.exe [2008-08-20 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-17 13:48
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.1.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
c:\program files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\spool\DRIVERS\W32X86\3\lxddserv.exe
c:\acer\Mobility Center\MobilityService.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\RtHDVCpl.exe
c:\program files\Launch Manager\LManager.exe
c:\windows\system32\igfxsrvc.exe
c:\acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
c:\users\Stu\AppData\Local\Temp\RtkBtMnt.exe
c:\acer\Empowering Technology\eRecovery\ERAGENT.EXE
c:\windows\system32\igfxext.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\PhotoScreensaver.scr
.
**************************************************************************
.
Completion time: 2010-05-17 13:57:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-17 19:57
ComboFix2.txt 2010-05-16 20:05
ComboFix3.txt 2010-05-16 18:28

Pre-Run: 1,664,638,976 bytes free
Post-Run: 1,566,019,584 bytes free

- - End Of File - - CD78FCD31DEF95E8181835A781F11262


It seems that the combofix consistently pick out the \releaseengineer\... files as rootkits for every scan it does. I thought it was deleting those?

However as far as I know my computer is running perfectly. Things open and run faster which is very nice. I installed Foxit reader after uninstalling the adobe reader.
  • 0

#28
SweetTech
Posted 17 May 2010 - 02:47 PM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

Do you currently have a user account named: "releaseengineer" on your computer?


NEXT:


Open notepad and copy/paste the text in the code box below into it:

net user > %userprofile%\desktop\look.txt
start %userprofile%\desktop\look.txt


Save this as look.bat Choose to "Save type as - All Files"

It should look like this: Posted Image

Double click on look.bat & allow it to run. A notepad file will open. Copy that information into your next reply, please.

Cheers,
SweetTech.
  • 0

#29
ZLynx
Posted 17 May 2010 - 02:49 PM

ZLynx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
User accounts for \\COLLEGECOMP

-------------------------------------------------------------------------------
Administrator Guest Stu
The command completed successfully.
  • 0

#30
SweetTech
Posted 17 May 2010 - 03:03 PM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Open notepad and copy/paste the text in the code box below into it:

set >> %userprofile%\desktop\lookatme.txt
start %userprofile%\desktop\lookatme.txt


Save this as look2.bat Choose to "Save type as - All Files"

It should look like this: Posted Image

Double click on look.bat & allow it to run. A notepad file will open. Copy that information into your next reply, please.

Cheers,
SweetTech.

Edited by SweetTech, 17 May 2010 - 03:04 PM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP