
Alureon Infection [Solved]



#31
ZLynx (Member, Topic Starter, 38 posts)

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Stu\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=COLLEGECOMP
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Stu
LOCALAPPDATA=C:\Users\Stu\AppData\Local
LOGONSERVER=\\COLLEGECOMP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 22 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=1601
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Stu\AppData\Local\Temp
TMP=C:\Users\Stu\AppData\Local\Temp
USERDOMAIN=CollegeComp
USERNAME=Stu
USERPROFILE=C:\Users\Stu
windir=C:\Windows

#32
SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)

Hello,


ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into Notepad:

Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty Notepad file.

Copy all the text inside of the code box - press Ctrl+C (or right click on the highlighted section and choose 'copy').

KillAll::
DirLook::
c:\documents and settings\releaseengineer\
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData"="C:\\Users\\Stu\\AppData\\Roaming"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"AppData"="%USERPROFILE%\\AppData\\Roaming"
[HKEY_CURRENT_USER\Volatile Environment]
"AppData"="C:\\Users\\Stu\\AppData\\Roaming"

Now paste the copied text into the open Notepad - press Ctrl+V (or right click and choose 'paste').

Save this file to your desktop as "CFScript".

Here's how to do that:

1. Click File;
2. Click Save As... and change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

#33
ZLynx (Member, Topic Starter, 38 posts)

The latest ComboFix log:
ComboFix 10-05-16.02 - Stu 05/17/2010 17:41:58.4.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1526.761 [GMT -6:00]
Running from: c:\users\Stu\Desktop\ComboFix.exe
Command switches used :: c:\users\Stu\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\releaseengineer\Application Data\64dlls.exe
c:\documents and settings\releaseengineer\Application Data\intel64.exe
c:\documents and settings\releaseengineer\Application Data\localsys64.exe
c:\documents and settings\releaseengineer\Application Data\ntos.exe
c:\documents and settings\releaseengineer\Application Data\oembios.exe
c:\documents and settings\releaseengineer\Application Data\sdra64.exe
c:\documents and settings\releaseengineer\Application Data\swin32.exe
c:\documents and settings\releaseengineer\Application Data\twex.exe
c:\documents and settings\releaseengineer\Application Data\twext.exe
c:\documents and settings\releaseengineer\Application Data\wsnpoema.exe

----- BITS: Possible infected sites -----

hxxp://liveupdate.symantec.com
hxxp://definitions.symantec.com
.
((((((((((((((((((((((((( Files Created from 2010-04-18 to 2010-05-18 )))))))))))))))))))))))))))))))
.

2010-05-17 23:53 . 2010-05-18 00:18 -------- d-----w- c:\users\Stu\AppData\Local\temp
2010-05-17 23:53 . 2010-05-17 23:53 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-17 23:53 . 2010-05-17 23:53 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-05-17 23:53 . 2010-05-17 23:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-17 20:13 . 2010-05-17 20:13 -------- d-----w- c:\program files\Foxit Software
2010-05-16 20:25 . 2010-05-16 20:25 -------- d-----w- c:\program files\ESET
2010-05-16 19:28 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-16 17:30 . 2010-05-16 17:30 -------- d-----w- C:\_OTL
2010-05-15 19:16 . 2010-05-15 19:16 -------- d-----w- c:\program files\ERUNT
2010-05-12 21:39 . 2010-05-15 19:08 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-12 09:59 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-10 20:01 . 2010-05-10 20:01 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2010-05-04 23:40 . 2010-05-06 16:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 18:59 . 2010-05-04 18:58 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-04 18:50 . 2010-05-04 18:51 -------- d-----w- c:\program files\Lavasoft
2010-04-28 18:43 . 2010-04-28 18:43 -------- d-----w- c:\users\Stu\AppData\Roaming\Malwarebytes
2010-04-28 18:43 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-28 18:43 . 2010-05-16 07:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-28 18:43 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 23:50 . 2010-04-26 23:50 -------- d-----w- c:\users\Stu\AppData\Roaming\Roxio
2010-04-26 23:33 . 2010-04-27 00:48 256 ----a-w- c:\windows\system32\pool.bin
2010-04-26 23:33 . 2010-04-26 23:33 -------- d-----w- c:\users\Stu\AppData\Roaming\Research In Motion
2010-04-26 23:02 . 2010-04-26 23:02 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-04-26 23:01 . 2010-04-26 23:01 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-04-26 23:01 . 2010-04-26 23:02 -------- d-----w- c:\program files\Roxio
2010-04-26 23:00 . 2010-04-26 23:02 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-04-26 22:44 . 2007-01-18 16:24 26496 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2010-04-26 22:41 . 2010-04-26 22:42 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-04-26 22:41 . 2010-04-26 22:41 -------- d-----w- c:\program files\Research In Motion
2010-04-26 22:37 . 2010-04-26 22:37 -------- d-sh--w- c:\windows\ftpcache
2010-04-23 16:51 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-23 16:51 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-23 16:50 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-23 16:50 . 2010-03-04 17:33 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-23 16:50 . 2010-03-09 15:42 834048 ----a-w- c:\windows\system32\wininet.dll
2010-04-23 16:50 . 2010-03-09 16:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-04-23 16:49 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-23 16:49 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-23 16:49 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-23 16:49 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-23 16:49 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-23 16:49 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-23 16:47 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-21 18:04 . 2010-04-21 18:04 -------- d-----w- c:\program files\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-17 23:55 . 2009-08-11 05:03 -------- d-----w- c:\program files\Common Files\Akamai
2010-05-17 20:11 . 2008-03-19 17:05 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-17 20:08 . 2008-01-23 03:35 -------- d-----w- c:\program files\Java
2010-05-16 19:28 . 2008-01-23 03:29 -------- d-----w- c:\program files\Common Files\Java
2010-05-16 18:57 . 2009-03-24 03:56 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-16 18:57 . 2009-03-24 03:56 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-16 18:57 . 2009-03-24 03:56 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-16 18:57 . 2009-03-24 03:56 -------- d-----w- c:\program files\Symantec
2010-05-16 16:16 . 2009-02-24 05:40 6756 ----a-w- c:\users\Stu\AppData\Local\d3d9caps.dat
2010-05-12 18:28 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-11 08:24 . 2009-08-11 05:03 -------- d-----w- c:\users\Stu\AppData\Roaming\Metacafe
2010-05-11 01:21 . 2007-12-29 05:17 140608 ----a-w- c:\users\Stu\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-10 19:45 . 2008-03-03 19:00 -------- d-----w- c:\program files\Microsoft Works
2010-05-04 19:29 . 2008-09-10 20:17 -------- d-----w- c:\program files\iWin Games
2010-04-30 16:20 . 2008-01-23 03:39 -------- d-----w- c:\users\Stu\AppData\Roaming\LimeWire
2010-04-26 23:01 . 2007-08-02 09:53 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-08 01:05 . 2010-03-08 01:05 64505 ----a-w- c:\users\Stu\AppData\Roaming\NeuLion\AdaptivePlugin\uninst.exe
2010-02-25 18:45 . 2008-03-08 18:31 8224 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2008-06-30 19:44 . 2008-08-31 08:42 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\releaseengineer\ ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-04-16 133104]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-30 1739776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 865840]
"PCMService"="c:\program files\Acer\Acer Arcade\PCMService.exe" [2007-06-22 155648]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-07-12 846344]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-05-04 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-03-05 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-05-04 312240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-16 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-16 150552]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-22 198160]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-11-23 615696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-11-10 236016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

c:\users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):39,0a,fc,b0,44,39,ca,01

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [x]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [x]
S0 OCDE;ZTekWare Original CD Emulator Service;c:\windows\System32\Drivers\OCDE.sys [2007-08-26 30480]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0401000.020\SYMDS.SYS [2010-02-04 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0401000.020\SYMEFA.SYS [2010-02-04 172592]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [2010-04-29 537136]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0401000.020\ccHPx86.sys [2010-02-25 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100513.002\IDSvix86.sys [2010-02-04 343088]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0401000.020\Ironx86.SYS [2010-02-27 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\N360\0401000.020\SYMTDIV.SYS [2010-02-04 340016]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 AtomicAlarmClock;Atomic Alarm Clock Time;c:\program files\Atomic Alarm Clock\timeserv.exe [2008-09-29 415744]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-04-26 537520]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-26 99248]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe [2010-02-25 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-29 102448]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
Akamai REG_MULTI_SZ Akamai
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-24 22:15]

2010-05-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2381161337-1183444262-2068861460-1000Core.job
- c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 06:02]

2010-05-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2381161337-1183444262-2068861460-1000UA.job
- c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 06:02]

2010-05-17 c:\windows\Tasks\User_Feed_Synchronization-{8CAA04C7-6A35-458B-8BD5-3FC5BD7F1DD3}.job
- c:\windows\system32\msfeedssync.exe [2008-08-20 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.1.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2896)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
c:\windows\System32\NLSData0009.dll
c:\acer\Empowering Technology\EPOWER\SysHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
c:\program files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\spool\DRIVERS\W32X86\3\lxddserv.exe
c:\acer\Mobility Center\MobilityService.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Launch Manager\LManager.exe
c:\acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
c:\acer\Empowering Technology\eRecovery\ERAGENT.EXE
c:\windows\system32\igfxext.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-05-17 18:25:20 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-18 00:25
ComboFix2.txt 2010-05-17 19:57
ComboFix3.txt 2010-05-16 20:05
ComboFix4.txt 2010-05-16 18:28

Pre-Run: 1,509,064,704 bytes free
Post-Run: 2,476,531,712 bytes free

- - End Of File - - C50326B508504FBD3DC94B1F90C8F8AA
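A small parser for the ComboFix log format shown in the posts above, added here as an example; it is not ComboFix's own code or anything posted in this thread. It splits a log on its "(((( Title ))))" banners, parses the "Files Created" and "Reg Loading Points" lines into records, and pulls out the three things a helper reads first: what was deleted, which new items carry the hidden or system attribute (c:\windows\ftpcache is d-sh--w- in the log above), and which Run values name a bare file rather than a full path (RtHDVCpl above), since a bare name is resolved through the search path shown in post #31. SAMPLE_LOG is a constructed excerpt modelled on the log in this thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt modelled on the ComboFix log posted in this thread: it is
# not the full log, and the section banners are only narrowed in width.
SAMPLE_LOG = r"""ComboFix 10-05-16.02 - Stu 05/17/2010 17:41:58.4.1 - x86
.
((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))
c:\documents and settings\releaseengineer\Application Data\sdra64.exe
c:\documents and settings\releaseengineer\Application Data\ntos.exe
.
((((((((((((((((( Files Created from 2010-04-18 to 2010-05-18 )))))))))))))))))
2010-05-16 19:28 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-26 22:37 . 2010-04-26 22:37 -------- d-sh--w- c:\windows\ftpcache
2010-04-26 23:33 . 2010-04-27 00:48 256 ----a-w- c:\windows\system32\pool.bin
.
((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"""

# '(((( Title ))))' banners separate the sections of a ComboFix log.
BANNER = re.compile(r"^\({3,}\s*(.+?)\s*\){3,}$")
# Files Created / Find3M lines: created . modified size attrs path
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\S+) (\S{8}) (.+)$")
# Reg Loading Points lines: "Name"="image" [date size]
RUN_LINE = re.compile(r'^"(.+?)"="(.*?)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
DRIVE_PATH = re.compile(r"^[a-z]:\\", re.IGNORECASE)

@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]  # None for directories, which ComboFix prints as "--------"
    attrs: str           # e.g. "d-sh--w-": d=directory, s=system, h=hidden, a=archive
    path: str

@dataclass
class RunEntry:
    key: str
    name: str
    image: str
    date: str
    size: int

def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the log's lines under their banner title; '.' filler lines are dropped."""
    sections: Dict[str, List[str]] = {"_preamble": []}
    current = "_preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = BANNER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections

def parse_file_entries(lines: List[str]) -> List[FileEntry]:
    out = []
    for m in filter(None, map(FILE_LINE.match, lines)):
        size = None if m.group(3) == "--------" else int(m.group(3))
        out.append(FileEntry(m.group(1), m.group(2), size, m.group(4), m.group(5)))
    return out

def parse_run_entries(lines: List[str]) -> List[RunEntry]:
    out, key = [], ""
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # registry key that the following values live under
            continue
        m = RUN_LINE.match(line)
        if m:
            out.append(RunEntry(key, m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return out

def triage(text: str) -> Dict[str, List[str]]:
    """The items a reviewer of this log format checks first."""
    sections = split_sections(text)
    files_key = next((k for k in sections if k.startswith("Files Created")), "")
    files = parse_file_entries(sections.get(files_key, []))
    runs = parse_run_entries(sections.get("Reg Loading Points", []))
    return {
        # paths ComboFix removed, worth comparing with the previous run's log
        "deleted": list(sections.get("Other Deletions", [])),
        # newly created items carrying the hidden or system attribute
        "hidden_or_system": [f.path for f in files if "h" in f.attrs or "s" in f.attrs],
        # bare file names are resolved via the search path at logon; verify them on disk
        "unqualified_run_values": [r.name for r in runs if not DRIVE_PATH.match(r.image)],
    }
```

Call `triage(open("ComboFix.txt").read())` on a saved log to get the same three lists for a real run.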

#34
SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)

Hello again,

Please delete the current version of ComboFix that you have on your desktop and download a fresh copy using the link provided below.

Please download ComboFix from: Here to your Desktop.

After downloading the latest version of ComboFix please run a fresh scan normally. Ensure that your security programs are still disabled.

Cheers,
SweetTech.

#35
SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)

Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.

#36
ZLynx (Member, Topic Starter, 38 posts)

Hey SweetTech, sorry about that.
I was out all day today; here's the latest ComboFix log:
ComboFix 10-05-17.01 - Stu 05/18/2010 18:20:08.6.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1526.735 [GMT -6:00]
Running from: c:\users\Stu\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\releaseengineer\Application Data\64dlls.exe
c:\documents and settings\releaseengineer\Application Data\intel64.exe
c:\documents and settings\releaseengineer\Application Data\localsys64.exe
c:\documents and settings\releaseengineer\Application Data\ntos.exe
c:\documents and settings\releaseengineer\Application Data\oembios.exe
c:\documents and settings\releaseengineer\Application Data\sdra64.exe
c:\documents and settings\releaseengineer\Application Data\swin32.exe
c:\documents and settings\releaseengineer\Application Data\twex.exe
c:\documents and settings\releaseengineer\Application Data\twext.exe
c:\documents and settings\releaseengineer\Application Data\wsnpoema.exe

.
((((((((((((((((((((((((( Files Created from 2010-04-19 to 2010-05-19 )))))))))))))))))))))))))))))))
.

2010-05-19 00:30 . 2010-05-19 00:31 -------- d-----w- c:\users\Stu\AppData\Local\temp
2010-05-19 00:30 . 2010-05-19 00:30 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-19 00:30 . 2010-05-19 00:30 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-05-19 00:30 . 2010-05-19 00:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-18 18:53 . 2010-05-18 18:53 -------- d-----w- c:\users\Stu\Office Genuine Advantage
2010-05-18 17:17 . 2010-05-18 17:17 -------- d-----w- c:\users\Stu\AppData\Local\Yahoo!
2010-05-17 20:13 . 2010-05-17 20:13 -------- d-----w- c:\program files\Foxit Software
2010-05-16 20:25 . 2010-05-16 20:25 -------- d-----w- c:\program files\ESET
2010-05-16 19:28 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-16 17:30 . 2010-05-16 17:30 -------- d-----w- C:\_OTL
2010-05-15 19:16 . 2010-05-15 19:16 -------- d-----w- c:\program files\ERUNT
2010-05-12 21:39 . 2010-05-15 19:08 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-12 09:59 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-10 20:01 . 2010-05-10 20:01 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2010-05-04 23:40 . 2010-05-06 16:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 18:59 . 2010-05-04 18:58 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-04 18:50 . 2010-05-04 18:51 -------- d-----w- c:\program files\Lavasoft
2010-04-28 18:43 . 2010-04-28 18:43 -------- d-----w- c:\users\Stu\AppData\Roaming\Malwarebytes
2010-04-28 18:43 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-28 18:43 . 2010-05-16 07:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-28 18:43 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 23:50 . 2010-04-26 23:50 -------- d-----w- c:\users\Stu\AppData\Roaming\Roxio
2010-04-26 23:33 . 2010-04-27 00:48 256 ----a-w- c:\windows\system32\pool.bin
2010-04-26 23:33 . 2010-04-26 23:33 -------- d-----w- c:\users\Stu\AppData\Roaming\Research In Motion
2010-04-26 23:02 . 2010-04-26 23:02 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-04-26 23:01 . 2010-04-26 23:01 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-04-26 23:01 . 2010-04-26 23:02 -------- d-----w- c:\program files\Roxio
2010-04-26 23:00 . 2010-04-26 23:02 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-04-26 22:44 . 2007-01-18 16:24 26496 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2010-04-26 22:41 . 2010-04-26 22:42 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-04-26 22:41 . 2010-04-26 22:41 -------- d-----w- c:\program files\Research In Motion
2010-04-26 22:37 . 2010-04-26 22:37 -------- d-sh--w- c:\windows\ftpcache
2010-04-23 16:51 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-23 16:51 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-23 16:50 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-23 16:50 . 2010-03-04 17:33 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-23 16:50 . 2010-03-09 15:42 834048 ----a-w- c:\windows\system32\wininet.dll
2010-04-23 16:50 . 2010-03-09 16:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-04-23 16:49 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-23 16:49 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-23 16:49 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-23 16:49 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-23 16:49 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-23 16:49 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-23 16:47 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-21 18:04 . 2010-04-21 18:04 -------- d-----w- c:\program files\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-19 00:31 . 2009-08-11 05:03 -------- d-----w- c:\program files\Common Files\Akamai
2010-05-17 20:11 . 2008-03-19 17:05 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-17 20:08 . 2008-01-23 03:35 -------- d-----w- c:\program files\Java
2010-05-16 19:28 . 2008-01-23 03:29 -------- d-----w- c:\program files\Common Files\Java
2010-05-16 18:57 . 2009-03-24 03:56 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-16 18:57 . 2009-03-24 03:56 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-16 18:57 . 2009-03-24 03:56 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-16 18:57 . 2009-03-24 03:56 -------- d-----w- c:\program files\Symantec
2010-05-16 16:16 . 2009-02-24 05:40 6756 ----a-w- c:\users\Stu\AppData\Local\d3d9caps.dat
2010-05-12 18:28 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-11 08:24 . 2009-08-11 05:03 -------- d-----w- c:\users\Stu\AppData\Roaming\Metacafe
2010-05-11 01:21 . 2007-12-29 05:17 140608 ----a-w- c:\users\Stu\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-10 19:45 . 2008-03-03 19:00 -------- d-----w- c:\program files\Microsoft Works
2010-05-04 19:29 . 2008-09-10 20:17 -------- d-----w- c:\program files\iWin Games
2010-04-30 16:20 . 2008-01-23 03:39 -------- d-----w- c:\users\Stu\AppData\Roaming\LimeWire
2010-04-26 23:01 . 2007-08-02 09:53 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-08 01:05 . 2010-03-08 01:05 64505 ----a-w- c:\users\Stu\AppData\Roaming\NeuLion\AdaptivePlugin\uninst.exe
2010-02-25 18:45 . 2008-03-08 18:31 8224 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2008-06-30 19:44 . 2008-08-31 08:42 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-04-16 133104]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-30 1739776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 865840]
"PCMService"="c:\program files\Acer\Acer Arcade\PCMService.exe" [2007-06-22 155648]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-07-12 846344]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-05-04 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-03-05 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-05-04 312240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-16 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-16 150552]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-22 198160]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-11-23 615696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-11-10 236016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

c:\users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):39,0a,fc,b0,44,39,ca,01

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [x]
R2 AtomicAlarmClock;Atomic Alarm Clock Time;c:\program files\Atomic Alarm Clock\timeserv.exe [2008-09-29 415744]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [x]
S0 OCDE;ZTekWare Original CD Emulator Service;c:\windows\System32\Drivers\OCDE.sys [2007-08-26 30480]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0401000.020\SYMDS.SYS [2010-02-04 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0401000.020\SYMEFA.SYS [2010-02-04 172592]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [2010-04-29 537136]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0401000.020\ccHPx86.sys [2010-02-25 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100513.002\IDSvix86.sys [2010-02-04 343088]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0401000.020\Ironx86.SYS [2010-02-27 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\N360\0401000.020\SYMTDIV.SYS [2010-02-04 340016]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-04-26 537520]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-26 99248]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe [2010-02-25 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-29 102448]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
Akamai REG_MULTI_SZ Akamai
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-24 22:15]

2010-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2381161337-1183444262-2068861460-1000Core.job
- c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 06:02]

2010-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2381161337-1183444262-2068861460-1000UA.job
- c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 06:02]

2010-05-18 c:\windows\Tasks\User_Feed_Synchronization-{8CAA04C7-6A35-458B-8BD5-3FC5BD7F1DD3}.job
- c:\windows\system32\msfeedssync.exe [2008-08-20 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-18 18:31
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.1.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-05-18 18:37:51
ComboFix-quarantined-files.txt 2010-05-19 00:37
ComboFix2.txt 2010-05-18 02:20
ComboFix3.txt 2010-05-18 00:25
ComboFix4.txt 2010-05-17 19:57
ComboFix5.txt 2010-05-19 00:11

Pre-Run: 1,686,536,192 bytes free
Post-Run: 1,544,732,672 bytes free

- - End Of File - - 4EBF33FF2390D7D9292AB17BCA78A4EF

#37
SweetTech
    Sir SpamAlot
  • Retired Staff
  • 7,671 posts
ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
DirLook::
c:\documents and settings\releaseengineer

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

#38
SweetTech
    Sir SpamAlot
  • Retired Staff
  • 7,671 posts
Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.

#39
ZLynx
    Member
  • Topic Starter
  • Member
  • PipPip
  • 38 posts
Hey, sorry about that. I'll be here all day today to try and fix this.
Here's the log:

ComboFix 10-05-22.03 - Stu 05/23/2010 12:35:14.7.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1526.799 [GMT -6:00]
Running from: c:\users\Stu\Desktop\ComboFix.exe
Command switches used :: c:\users\Stu\Desktop\cfscript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\releaseengineer\Application Data\64dlls.exe
c:\documents and settings\releaseengineer\Application Data\intel64.exe
c:\documents and settings\releaseengineer\Application Data\localsys64.exe
c:\documents and settings\releaseengineer\Application Data\ntos.exe
c:\documents and settings\releaseengineer\Application Data\oembios.exe
c:\documents and settings\releaseengineer\Application Data\sdra64.exe
c:\documents and settings\releaseengineer\Application Data\sdra73.exe
c:\documents and settings\releaseengineer\Application Data\swin32.exe
c:\documents and settings\releaseengineer\Application Data\twex.exe
c:\documents and settings\releaseengineer\Application Data\twext.exe
c:\documents and settings\releaseengineer\Application Data\wsnpoema.exe
c:\users\Stu\AppData\Roaming\Microsoft\HTML Help\hh.dat

.
((((((((((((((((((((((((( Files Created from 2010-04-23 to 2010-05-23 )))))))))))))))))))))))))))))))
.

2010-05-23 18:47 . 2010-05-23 18:55 -------- d-----w- c:\users\Stu\AppData\Local\temp
2010-05-23 18:47 . 2010-05-23 18:47 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-23 18:47 . 2010-05-23 18:47 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-05-23 18:47 . 2010-05-23 18:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-23 18:22 . 2010-05-23 18:23 -------- d-----w- C:\32788R22FWJFW
2010-05-21 15:50 . 2010-05-23 02:09 -------- d-----w- c:\users\Stu\AppData\Local\CrashDumps
2010-05-18 18:53 . 2010-05-18 18:53 -------- d-----w- c:\users\Stu\Office Genuine Advantage
2010-05-18 17:17 . 2010-05-18 17:17 -------- d-----w- c:\users\Stu\AppData\Local\Yahoo!
2010-05-17 20:13 . 2010-05-17 20:13 -------- d-----w- c:\program files\Foxit Software
2010-05-16 20:25 . 2010-05-16 20:25 -------- d-----w- c:\program files\ESET
2010-05-16 19:28 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-16 17:30 . 2010-05-16 17:30 -------- d-----w- C:\_OTL
2010-05-15 19:16 . 2010-05-15 19:16 -------- d-----w- c:\program files\ERUNT
2010-05-12 21:39 . 2010-05-15 19:08 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-12 09:59 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-10 20:01 . 2010-05-10 20:01 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2010-05-04 23:40 . 2010-05-06 16:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 18:59 . 2010-05-04 18:58 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-04 18:50 . 2010-05-04 18:51 -------- d-----w- c:\program files\Lavasoft
2010-04-28 18:43 . 2010-04-28 18:43 -------- d-----w- c:\users\Stu\AppData\Roaming\Malwarebytes
2010-04-28 18:43 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-28 18:43 . 2010-05-16 07:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-28 18:43 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 23:50 . 2010-04-26 23:50 -------- d-----w- c:\users\Stu\AppData\Roaming\Roxio
2010-04-26 23:33 . 2010-04-27 00:48 256 ----a-w- c:\windows\system32\pool.bin
2010-04-26 23:33 . 2010-04-26 23:33 -------- d-----w- c:\users\Stu\AppData\Roaming\Research In Motion
2010-04-26 23:02 . 2010-04-26 23:02 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-04-26 23:01 . 2010-04-26 23:01 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-04-26 23:01 . 2010-04-26 23:02 -------- d-----w- c:\program files\Roxio
2010-04-26 23:00 . 2010-04-26 23:02 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-04-26 22:44 . 2007-01-18 16:24 26496 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2010-04-26 22:41 . 2010-04-26 22:42 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-04-26 22:41 . 2010-04-26 22:41 -------- d-----w- c:\program files\Research In Motion
2010-04-26 22:37 . 2010-04-26 22:37 -------- d-sh--w- c:\windows\ftpcache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-23 18:51 . 2009-08-11 05:03 -------- d-----w- c:\program files\Common Files\Akamai
2010-05-23 02:05 . 2009-02-24 05:40 6756 ----a-w- c:\users\Stu\AppData\Local\d3d9caps.dat
2010-05-17 20:11 . 2008-03-19 17:05 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-17 20:08 . 2008-01-23 03:35 -------- d-----w- c:\program files\Java
2010-05-16 19:28 . 2008-01-23 03:29 -------- d-----w- c:\program files\Common Files\Java
2010-05-16 18:57 . 2009-03-24 03:56 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-16 18:57 . 2009-03-24 03:56 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-16 18:57 . 2009-03-24 03:56 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-16 18:57 . 2009-03-24 03:56 -------- d-----w- c:\program files\Symantec
2010-05-12 18:28 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-11 08:24 . 2009-08-11 05:03 -------- d-----w- c:\users\Stu\AppData\Roaming\Metacafe
2010-05-11 01:21 . 2007-12-29 05:17 140608 ----a-w- c:\users\Stu\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-10 19:45 . 2008-03-03 19:00 -------- d-----w- c:\program files\Microsoft Works
2010-05-04 19:29 . 2008-09-10 20:17 -------- d-----w- c:\program files\iWin Games
2010-04-30 16:20 . 2008-01-23 03:39 -------- d-----w- c:\users\Stu\AppData\Roaming\LimeWire
2010-04-26 23:01 . 2007-08-02 09:53 -------- d-----w- c:\program files\Common Files\InstallShield
2010-04-21 18:04 . 2010-04-21 18:04 -------- d-----w- c:\program files\NOS
2010-03-09 16:25 . 2010-04-23 16:50 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42 . 2010-04-23 16:50 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-08 01:05 . 2010-03-08 01:05 64505 ----a-w- c:\users\Stu\AppData\Roaming\NeuLion\AdaptivePlugin\uninst.exe
2010-03-04 17:33 . 2010-04-23 16:50 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 18:45 . 2008-03-08 18:31 8224 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-02-23 11:10 . 2010-04-23 16:49 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:10 . 2010-04-23 16:49 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:10 . 2010-04-23 16:49 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2008-06-30 19:44 . 2008-08-31 08:42 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\releaseengineer ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-04-16 133104]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-30 1739776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 865840]
"PCMService"="c:\program files\Acer\Acer Arcade\PCMService.exe" [2007-06-22 155648]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-07-12 846344]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-05-04 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-03-05 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-05-04 312240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-16 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-16 150552]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-22 198160]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-11-23 615696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-11-10 236016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

c:\users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):39,0a,fc,b0,44,39,ca,01

R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [x]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [x]
S0 OCDE;ZTekWare Original CD Emulator Service;c:\windows\System32\Drivers\OCDE.sys [2007-08-26 30480]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\SYMDS.SYS [2010-02-04 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [2010-04-29 537136]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100513.002\IDSvix86.sys [2010-02-04 343088]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360\0402000.00C\SYMTDIV.SYS [2010-05-06 339504]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 AtomicAlarmClock;Atomic Alarm Clock Time;c:\program files\Atomic Alarm Clock\timeserv.exe [2008-09-29 415744]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-04-26 537520]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-26 99248]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe [2010-02-26 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-29 102448]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
Akamai REG_MULTI_SZ Akamai
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-24 22:15]

2010-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2381161337-1183444262-2068861460-1000Core.job
- c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 06:02]

2010-05-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2381161337-1183444262-2068861460-1000UA.job
- c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 06:02]

2010-05-23 c:\windows\Tasks\User_Feed_Synchronization-{8CAA04C7-6A35-458B-8BD5-3FC5BD7F1DD3}.job
- c:\windows\system32\msfeedssync.exe [2008-08-20 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-23 12:55
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2348)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
c:\windows\System32\NLSData0009.dll
c:\windows\System32\NLSLexicons0009.dll
c:\acer\Empowering Technology\EPOWER\SysHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
c:\program files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\spool\DRIVERS\W32X86\3\lxddserv.exe
c:\acer\Mobility Center\MobilityService.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\RtHDVCpl.exe
c:\program files\Launch Manager\LManager.exe
c:\windows\system32\igfxsrvc.exe
c:\acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
c:\program files\Windows Media Player\wmpnetwk.exe
c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
c:\acer\Empowering Technology\eRecovery\ERAGENT.EXE
c:\windows\system32\igfxext.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-05-23 13:02:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-23 19:02
ComboFix2.txt 2010-05-19 00:37
ComboFix3.txt 2010-05-18 02:20
ComboFix4.txt 2010-05-18 00:25
ComboFix5.txt 2010-05-23 18:24

Pre-Run: 1,102,417,920 bytes free
Post-Run: 994,566,144 bytes free

- - End Of File - - 7EE1D13F98E4F4865A9052F32CAC42A1

#40
SweetTech
    Sir SpamAlot
  • Retired Staff
  • 7,671 posts
Hello,

This is a stubborn little bugger. There is something that is allowing those files to re-spawn. Let's try this tool below:


Extract the file and run it.

Once completed, it will create a log in your C:\ drive called TDSSKiller_* (* denotes version & date).

Please post the content of that TDSSKiller log.

NEXT:

FileLister
1. Go HERE and download FileLister.
  • Save it to your Desktop
  • Right Click ->> Extract all ->> And extract it to your Desktop
  • Additional help on extracting zip files can be found HERE
  • Open the File Lister Folder.
  • Note: Leave the FileLister.vbe file in the folder and run it from there.
Posted Image
  • Right Click FileLister.vbe ->>Select Open Then Open to confirm.
  • When the program is finished it will produce a log for you: Files.txt
  • Which will be located in the default location from which FileLister was run (the FileLister folder)
Copy and paste the contents of that log in your reply.

NEXT:

The log that is produced after running the TDSSKiller scan, as well as the FileLister log.
#41
ZLynx
    Member
  • Topic Starter
  • Member
  • PipPip
  • 38 posts
The TDSSKiller log:

13:51:41:409 6108 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:17
13:51:41:409 6108 ================================================================================
13:51:41:409 6108 SystemInfo:

13:51:41:409 6108 OS Version: 6.0.6002 ServicePack: 2.0
13:51:41:409 6108 Product type: Workstation
13:51:41:410 6108 ComputerName: COLLEGECOMP
13:51:41:410 6108 UserName: Stu
13:51:41:410 6108 Windows directory: C:\Windows
13:51:41:411 6108 Processor architecture: Intel x86
13:51:41:411 6108 Number of processors: 1
13:51:41:411 6108 Page size: 0x1000
13:51:41:416 6108 Boot type: Normal boot
13:51:41:416 6108 ================================================================================
13:51:41:423 6108 UnloadDriverW: NtUnloadDriver error 2
13:51:41:423 6108 ForceUnloadDriverW: UnloadDriverW(klmd23) error 2
13:52:14:897 6108 wfopen_ex: Trying to open file C:\Windows\system32\config\system
13:52:14:898 6108 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:52:14:898 6108 wfopen_ex: Trying to KLMD file open
13:52:14:898 6108 wfopen_ex: File opened ok (Flags 2)
13:52:14:970 6108 wfopen_ex: Trying to open file C:\Windows\system32\config\software
13:52:14:970 6108 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:52:14:970 6108 wfopen_ex: Trying to KLMD file open
13:52:14:970 6108 wfopen_ex: File opened ok (Flags 2)
13:52:14:971 6108 KLAVA engine initialized
13:52:16:720 6108 Initialize success
13:52:16:720 6108
13:52:16:721 6108 Scanning Services ...
13:52:21:140 6108 Raw services enum returned 466 services
13:52:21:155 6108
13:52:21:157 6108 Scanning Drivers ...
13:52:50:165 6108
13:52:50:165 6108 Completed
13:52:50:165 6108
13:52:50:165 6108 Results:
13:52:50:166 6108 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
13:52:50:166 6108 File objects infected / cured / cured on reboot: 0 / 0 / 0
13:52:50:166 6108
13:52:50:167 6108 fclose_ex: Trying to close file C:\Windows\system32\config\system
13:52:50:167 6108 fclose_ex: Trying to close file C:\Windows\system32\config\software
13:52:50:193 6108 KLMD(ARK) unloaded successfully
#42
ZLynx

    Member

  • Topic Starter
  • Member
  • 38 posts
The FileLister log:

+++++++++++++++++++++++++++
+ File Lister Version 1.1.4 +
+ +
+ By bamajim / SpywareHammer.com +
+++++++++++++++++++++++++++

Report ran on --->>> 5/23/2010 1:55:20 PM

====== Running Processes ======

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Atomic Alarm Clock\timeserv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\Windows\system32\lxddcoms.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Program Files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\igfxext.exe
C:\Users\Stu\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\WScript.exe
C:\Program Files\Internet Explorer\iexplore.exe

====== BHO's ======
BHO: (NO NAME) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

BHO: (NO NAME) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\4.2.0.12\coIEPlg.dll

BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\4.2.0.12\IPSBHO.DLL

BHO: (NO NAME) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

BHO: (NO NAME) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

BHO: (NO NAME) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

BHO: (NO NAME) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

====== System Keys (some whitelisted items will not be shown)======

Winlogon\Userinit = C:\Windows\system32\userinit.exe,
Winlogon\Shell = Explorer.exe

====== HKLM\~\Run Keys ======

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

[Windows Defender] = %ProgramFiles%\Windows Defender\MSASCui.exe -hide
[IAAnotif] = "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
[RtHDVCpl] = RtHDVCpl.exe
[SynTPEnh] = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[PCMService] = "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
[eDataSecurity Loader] = C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
[LManager] = C:\PROGRA~1\LAUNCH~1\LManager.exe
[Acer Assist Launcher] = C:\Program Files\Acer Assist\launcher.exe
[Acer Product Registration] = "C:\Program Files\Acer Registration\ACE1.exe" /startup
[lxddmon.exe] = "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
[lxddamon] = "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
[FaxCenterServer] = "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
[IgfxTray] = C:\Windows\system32\igfxtray.exe
[HotKeysCmds] = C:\Windows\system32\hkcmd.exe
[Persistence] = C:\Windows\system32\igfxpers.exe
[IntelliPoint] = "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
[TkBellExe] = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[BlackBerryAutoUpdate] = C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
[RoxWatchTray] = "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
[iTunesHelper] = "C:\Program Files\iTunes\iTunesHelper.exe"
[QuickTime Task] = "C:\Program Files\QuickTime\QTTask.exe" -atboottime

====== HKCU\~\Run Keys ======

[Google Update] = "C:\Users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe" /c
[SkinClock] = C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe

====== DNS Info (List may be empty) ======


ICSDomain = mshome.net
SyncDomainWithMembership = 1
NV Hostname = CollegeComp
DataBasePath = %SystemRoot%\System32\drivers\etc
ForwardBroadcasts = 0
IPEnableRouter = 0
Hostname = CollegeComp
UseDomainNameDevolution = 1
DeadGWDetectDefault = 1
DontAddDefaultGatewayDefault = 0
DnsOutstandingQueriesCount = 1000
EnableWsd = 1
QualifyingDestinationThreshold = 3
DhcpDomain = hosts.bc1.bresnan.net
DhcpNameServer = 69.145.248.50 69.145.232.4 69.145.248.4

====== Folders and Files from "%\" and "%\Windows" Created Last 60 Days ======

5/23/2010 1:01:11 PM 952627 C:\$RECYCLE.BIN
5/23/2010 1:01:11 PM 952627 C:\$RECYCLE.BIN\S-1-5-21-2381161337-1183444262-2068861460-1000
5/23/2010 12:22:59 PM 0 C:\32788R22FWJFW
5/23/2010 12:22:59 PM 0 C:\32788R22FWJFW\License
4/23/2010 10:57:54 AM 20240 C:\Config.Msi
5/16/2010 11:52:19 AM 955649 C:\Qoobox
5/23/2010 12:33:24 PM 0 C:\Qoobox\BackEnv
5/16/2010 11:52:19 AM 833078 C:\Qoobox\Quarantine
5/16/2010 11:57:15 AM 677120 C:\Qoobox\Quarantine\C
5/16/2010 12:17:05 PM 21808 C:\Qoobox\Quarantine\C\Users
5/16/2010 12:17:05 PM 21808 C:\Qoobox\Quarantine\C\Users\Stu
5/16/2010 12:17:05 PM 21808 C:\Qoobox\Quarantine\C\Users\Stu\AppData
5/16/2010 12:17:05 PM 21808 C:\Qoobox\Quarantine\C\Users\Stu\AppData\Roaming
5/16/2010 12:17:05 PM 21808 C:\Qoobox\Quarantine\C\Users\Stu\AppData\Roaming\Microsoft
5/23/2010 12:46:20 PM 8854 C:\Qoobox\Quarantine\C\Users\Stu\AppData\Roaming\Microsoft\HTML Help
5/16/2010 12:17:05 PM 12954 C:\Qoobox\Quarantine\C\Users\Stu\AppData\Roaming\Microsoft\Windows
5/16/2010 12:17:05 PM 12954 C:\Qoobox\Quarantine\C\Users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu
5/16/2010 12:17:05 PM 12954 C:\Qoobox\Quarantine\C\Users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
5/16/2010 12:17:05 PM 12954 C:\Qoobox\Quarantine\C\Users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data Protection
5/16/2010 11:58:04 AM 655312 C:\Qoobox\Quarantine\C\Windows
5/16/2010 11:58:04 AM 298960 C:\Qoobox\Quarantine\C\Windows\system32
5/16/2010 11:58:04 AM 298960 C:\Qoobox\Quarantine\C\Windows\system32\Drivers
5/16/2010 11:52:19 AM 27871 C:\Qoobox\Quarantine\Registry_backups
5/16/2010 11:30:12 AM 9285095 C:\_OTL
5/16/2010 11:30:12 AM 9285095 C:\_OTL\MovedFiles
5/16/2010 11:30:12 AM 9274259 C:\_OTL\MovedFiles\05162010_113012
5/16/2010 11:30:12 AM 8763252 C:\_OTL\MovedFiles\05162010_113012\C_Program Files
5/16/2010 1:06:21 AM 8763252 C:\_OTL\MovedFiles\05162010_113012\C_Program Files\Data Protection
5/16/2010 11:30:24 AM 69395 C:\_OTL\MovedFiles\05162010_113012\C_ProgramData
5/16/2010 11:30:13 AM 440320 C:\_OTL\MovedFiles\05162010_113012\C_Users
5/16/2010 11:30:13 AM 440320 C:\_OTL\MovedFiles\05162010_113012\C_Users\Stu
5/16/2010 11:30:13 AM 439504 C:\_OTL\MovedFiles\05162010_113012\C_Users\Stu\AppData
5/16/2010 11:30:13 AM 439504 C:\_OTL\MovedFiles\05162010_113012\C_Users\Stu\AppData\Local
5/16/2010 11:30:13 AM 388608 C:\_OTL\MovedFiles\05162010_113012\C_Users\Stu\AppData\Local\Temp
5/16/2010 11:30:24 AM 816 C:\_OTL\MovedFiles\05162010_113012\C_Users\Stu\Desktop
5/16/2010 11:30:13 AM 1292 C:\_OTL\MovedFiles\05162010_113012\C_Windows
5/16/2010 11:30:13 AM 1292 C:\_OTL\MovedFiles\05162010_113012\C_Windows\Downloaded Program Files
5/16/2010 11:30:13 AM 0 C:\_OTL\MovedFiles\05162010_113012\E_
5/4/2010 1:33:06 PM 2904 32 C:\aaw7boot.log
5/23/2010 1:02:19 PM 18820 32 C:\ComboFix.txt
5/15/2010 1:23:29 PM 109 32 C:\mbam-error.txt
5/23/2010 1:51:41 PM 61072 32 C:\TDSSKiller.2.3.0.0_23.05.2010_13.51.41_log.txt
5/15/2010 1:17:20 PM 339505938 C:\Windows\ERDNT
5/15/2010 1:17:20 PM 102657210 C:\Windows\ERDNT\5-15-2010
5/15/2010 1:17:40 PM 7852032 C:\Windows\ERDNT\5-15-2010\Users
5/15/2010 1:17:40 PM 4722688 C:\Windows\ERDNT\5-15-2010\Users\00000001
5/15/2010 1:17:45 PM 3129344 C:\Windows\ERDNT\5-15-2010\Users\00000002
5/16/2010 12:27:00 PM 27691736 C:\Windows\ERDNT\cache
5/16/2010 11:54:38 AM 103378313 C:\Windows\ERDNT\Hiv-backup
5/23/2010 12:33:21 PM 8359936 C:\Windows\ERDNT\Hiv-backup\Users
5/23/2010 12:33:21 PM 159744 C:\Windows\ERDNT\Hiv-backup\Users\00000001
5/23/2010 12:33:21 PM 167936 C:\Windows\ERDNT\Hiv-backup\Users\00000002
5/23/2010 12:33:21 PM 4857856 C:\Windows\ERDNT\Hiv-backup\Users\00000003
5/23/2010 12:33:21 PM 3174400 C:\Windows\ERDNT\Hiv-backup\Users\00000004
5/16/2010 12:17:57 PM 105778569 C:\Windows\ERDNT\subs
5/16/2010 12:18:01 PM 8179712 C:\Windows\ERDNT\subs\Users
5/16/2010 12:18:01 PM 159744 C:\Windows\ERDNT\subs\Users\00000001
5/16/2010 12:18:01 PM 167936 C:\Windows\ERDNT\subs\Users\00000002
5/16/2010 12:18:01 PM 4722688 C:\Windows\ERDNT\subs\Users\00000003
5/16/2010 12:18:02 PM 3129344 C:\Windows\ERDNT\subs\Users\00000004
4/26/2010 4:37:44 PM 0 C:\Windows\ftpcache
5/23/2010 12:47:23 PM 0 C:\Windows\temp
5/16/2010 11:54:57 AM 80412 32 C:\Windows\grep.exe
5/16/2010 11:54:57 AM 77312 32 C:\Windows\MBR.exe
5/16/2010 11:54:57 AM 31232 32 C:\Windows\NIRCMD.exe
4/28/2010 11:58:52 AM 396614 32 C:\Windows\ntbtlog.txt
5/16/2010 11:54:57 AM 256512 32 C:\Windows\PEV.exe
5/16/2010 11:54:57 AM 98816 32 C:\Windows\sed.exe
4/19/2010 4:15:59 PM 12 32 C:\Windows\srun.log
5/16/2010 11:54:57 AM 161792 32 C:\Windows\SWREG.exe
5/16/2010 11:54:57 AM 136704 32 C:\Windows\SWSC.exe
5/23/2010 12:23:06 PM 212480 32 C:\Windows\SWXCACLS.exe
5/16/2010 11:54:57 AM 68096 32 C:\Windows\zip.exe
5/12/2010 3:39:43 PM 242 C:\Windows\System32\MpEngineStore
5/13/2010 3:43:09 AM 242 C:\Windows\System32\MpEngineStore\History
5/13/2010 3:43:09 AM 242 C:\Windows\System32\MpEngineStore\History\Reboot
4/23/2010 10:47:48 AM 98304 32 C:\Windows\System32\cabview.dll
5/16/2010 1:28:05 PM 411368 32 C:\Windows\System32\deployJava1.dll
4/23/2010 10:49:59 AM 380928 32 C:\Windows\System32\ieapfltr.dll
4/23/2010 10:50:03 AM 78336 32 C:\Windows\System32\ieencode.dll
4/23/2010 10:50:07 AM 6080000 32 C:\Windows\System32\ieframe.dll
4/23/2010 10:50:03 AM 193024 32 C:\Windows\System32\iepeers.dll
4/23/2010 10:50:05 AM 180736 32 C:\Windows\System32\ieui.dll
5/12/2010 3:59:12 AM 738816 32 C:\Windows\System32\inetcomm.dll
4/23/2010 10:49:05 AM 200704 32 C:\Windows\System32\iphlpsvc.dll
5/16/2010 1:28:04 PM 145184 32 C:\Windows\System32\java.exe
5/16/2010 1:28:05 PM 145184 32 C:\Windows\System32\javaw.exe
5/16/2010 1:28:05 PM 153376 32 C:\Windows\System32\javaws.exe
5/16/2010 1:26:07 PM 5176 32 C:\Windows\System32\jupdate-1.6.0_20-b02.log
4/23/2010 10:51:11 AM 62464 32 C:\Windows\System32\l3codeca.acm
4/23/2010 10:51:11 AM 220672 32 C:\Windows\System32\l3codecp.acm
5/4/2010 5:40:13 PM 221568 0 C:\Windows\System32\MpSigStub.exe
5/12/2010 12:11:44 PM 171 32 C:\Windows\System32\MRT.INI
4/23/2010 10:50:10 AM 3601920 32 C:\Windows\System32\mshtml.dll
4/23/2010 10:50:05 AM 477184 32 C:\Windows\System32\mshtmled.dll
4/23/2010 10:51:01 AM 3600776 32 C:\Windows\System32\ntkrnlpa.exe
4/23/2010 10:51:02 AM 3548040 32 C:\Windows\System32\ntoskrnl.exe
4/26/2010 5:33:47 PM 256 32 C:\Windows\System32\pool.bin
4/23/2010 10:50:09 AM 1176064 32 C:\Windows\System32\urlmon.dll
4/23/2010 10:50:39 AM 430080 32 C:\Windows\System32\vbscript.dll
4/23/2010 10:50:09 AM 834048 32 C:\Windows\System32\wininet.dll
4/23/2010 10:50:47 AM 172032 32 C:\Windows\System32\wintrust.dll

====== "\Administrator & All Users\Startup" Last 60 Days======




====== "\Program Files" Last 60 Days======

5/15/2010 1:16:43 PM 668845 C:\Program Files\ERUNT
5/16/2010 2:25:09 PM 101268028 C:\Program Files\ESET
5/17/2010 2:13:43 PM 11154703 C:\Program Files\Foxit Software
5/4/2010 12:50:19 PM 672294 C:\Program Files\Lavasoft
4/28/2010 12:43:34 PM 3981914 C:\Program Files\Malwarebytes' Anti-Malware
4/21/2010 12:04:06 PM 418704 C:\Program Files\NOS
4/26/2010 4:41:41 PM 68569744 C:\Program Files\Research In Motion
4/26/2010 5:01:00 PM 138131786 C:\Program Files\Roxio

======"Drivers" Modified Last 60 Days======

4/28/2010 12:43:34 PM 20952 32 C:\Windows\System32\drivers\mbam.sys
4/28/2010 12:43:40 PM 38224 32 C:\Windows\System32\drivers\mbamswissarmy.sys
5/4/2010 12:59:09 PM 95024 32 C:\Windows\System32\drivers\SBREDrv.sys
3/23/2009 9:56:24 PM 7443 32 C:\Windows\System32\drivers\SYMEVENT.CAT
3/23/2009 9:56:24 PM 805 32 C:\Windows\System32\drivers\SYMEVENT.INF
3/23/2009 9:56:24 PM 124976 32 C:\Windows\System32\drivers\SYMEVENT.SYS

====== Files Deleted under "%Temp%" ======

3 Files deleted

======"All Users\Application Data" Last 60 Days======



====== HKLM\~\ShellServiceObjectDelayLoad======


====== HKLM\~\SharedTaskScheduler======

Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - %SystemRoot%\system32\browseui.dll

======HKLM\~\msconfig\startupreg======

HKLM\Software\microsoft\shared tools\msconfig\startupreg\

====== Services ( Services that are Whitelisted are not shown) ======

adp94xx (adp94xx)- C:\Windows\system32\drivers\adp94xx.sys - Disabled/Stopped
adpahci (adpahci)- C:\Windows\system32\drivers\adpahci.sys - Disabled/Stopped
amdide (amdide)- C:\Windows\system32\drivers\amdide.sys - Disabled/Stopped
arcsas (arcsas)- C:\Windows\system32\drivers\arcsas.sys - Disabled/Stopped
athr (Atheros Extensible Wireless LAN device driver)- C:\Windows\system32\DRIVERS\athr.sys - Manual/Running
BCM43XV (Broadcom Extensible 802.11 Network Adapter Driver)- C:\Windows\system32\DRIVERS\bcmwl6.sys - Manual/Stopped
BHDrvx86 (BHDrvx86)- \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys - System/Running
bowser (Bowser)- C:\Windows\system32\DRIVERS\bowser.sys - Manual/Running
BrFiltLo (Brother USB Mass-Storage Lower Filter Driver)- C:\Windows\system32\drivers\brfiltlo.sys - Manual/Stopped
BrFiltUp (Brother USB Mass-Storage Upper Filter Driver)- C:\Windows\system32\drivers\brfiltup.sys - Manual/Stopped
Brserid (Brother MFC Serial Port Interface Driver (WDM))- C:\Windows\system32\drivers\brserid.sys - Disabled/Stopped
BrSerWdm (Brother WDM Serial driver)- C:\Windows\system32\drivers\brserwdm.sys - Disabled/Stopped
BrUsbMdm (Brother MFC USB Fax Only Modem)- C:\Windows\system32\drivers\brusbmdm.sys - Disabled/Stopped
BrUsbSer (Brother MFC USB Serial WDM Driver)- C:\Windows\system32\drivers\brusbser.sys - Manual/Stopped
ccHP (Symantec Hash Provider)- C:\Windows\system32\drivers\N360\0402000.00C\ccHPx86.sys - System/Running
circlass (Consumer IR Devices)- C:\Windows\system32\drivers\circlass.sys - Disabled/Stopped
CLFS (Common Log (CLFS))- C:\Windows\system32\CLFS.sys - Boot/Running
Crusoe (Transmeta Crusoe Processor Driver)- C:\Windows\system32\drivers\crusoe.sys - Disabled/Stopped
DfsC (DFS Namespace Client Driver)- C:\Windows\system32\Drivers\dfsc.sys - System/Running
DKbFltr (Dritek Keyboard Filter Driver)- C:\Windows\system32\DRIVERS\DKbFltr.sys - Manual/Running
DXGKrnl (LDDM Graphics Subsystem)- C:\Windows\system32\drivers\dxgkrnl.sys - Manual/Running
E1G60 (Intel® PRO/1000 NDIS 6 Adapter Driver)- C:\Windows\system32\DRIVERS\E1G60I32.sys - Manual/Stopped
Ecache (ReadyBoost Caching Driver)- C:\Windows\system32\drivers\ecache.sys - Boot/Running
eeCtrl (Symantec Eraser Control driver)- \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys - System/Running
elxstor (elxstor)- C:\Windows\system32\drivers\elxstor.sys - Disabled/Stopped
EraserUtilRebootDrv (EraserUtilRebootDrv)- \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys - Manual/Running
FileInfo (File Information FS MiniFilter)- C:\Windows\system32\drivers\fileinfo.sys - Boot/Running
Filetrace (FileTrace)- C:\Windows\system32\drivers\filetrace.sys - Manual/Stopped
gagp30kx (Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms)- C:\Windows\system32\drivers\gagp30kx.sys - Manual/Stopped
HidBth (Microsoft Bluetooth HID Miniport)- C:\Windows\system32\drivers\hidbth.sys - Disabled/Stopped
HidIr (Microsoft Infrared HID Driver)- C:\Windows\system32\drivers\hidir.sys - Disabled/Stopped
HpCISSs (HpCISSs)- C:\Windows\system32\drivers\hpcisss.sys - Disabled/Stopped
HSFHWAZL (HSFHWAZL)- C:\Windows\system32\DRIVERS\VSTAZL3.SYS - Manual/Stopped
HSF_DPV (HSF_DPV)- C:\Windows\system32\DRIVERS\HSX_DPV.sys - Manual/Running
HSXHWAZL (HSXHWAZL)- C:\Windows\system32\DRIVERS\HSXHWAZL.sys - Manual/Running
iaStor (Intel AHCI Controller)- C:\Windows\system32\DRIVERS\iaStor.sys - Boot/Running
iaStorV (Intel RAID Controller Vista)- C:\Windows\system32\drivers\iastorv.sys - Disabled/Stopped
IDSVix86 (IDSVix86)- \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100513.002\IDSvix86.sys - System/Running
igfx (igfx)- C:\Windows\system32\DRIVERS\igdkmd32.sys - Manual/Running
int15 (int15)- \??\C:\Acer\Empowering Technology\eRecovery\int15.sys - Auto/Running
IPMIDRV (IPMIDRV)- C:\Windows\system32\drivers\ipmidrv.sys - Disabled/Stopped
iScsiPrt (iScsiPort Driver)- C:\Windows\system32\DRIVERS\msiscsi.sys - Manual/Running
iteatapi (ITEATAPI_Service_Install)- C:\Windows\system32\drivers\iteatapi.sys - Disabled/Stopped
iteraid (ITERAID_Service_Install)- C:\Windows\system32\drivers\iteraid.sys - Disabled/Stopped
lltdio (Link-Layer Topology Discovery Mapper I/O Driver)- C:\Windows\system32\DRIVERS\lltdio.sys - Auto/Running
LSI_FC (LSI_FC)- C:\Windows\system32\drivers\lsi_fc.sys - Disabled/Stopped
LSI_SAS (LSI_SAS)- C:\Windows\system32\drivers\lsi_sas.sys - Disabled/Stopped
LSI_SCSI (LSI_SCSI)- C:\Windows\system32\drivers\lsi_scsi.sys - Disabled/Stopped
luafv (UAC File Virtualization)- C:\Windows\system32\drivers\luafv.sys - Auto/Running
megasas (megasas)- C:\Windows\system32\drivers\megasas.sys - Disabled/Stopped
mpio (Microsoft Multi-Path Bus Driver)- C:\Windows\system32\drivers\mpio.sys - Disabled/Stopped
mpsdrv (Windows Firewall Authorization Driver)- C:\Windows\system32\drivers\mpsdrv.sys - Manual/Running
mrxsmb10 (SMB 1.x MiniRedirector)- C:\Windows\system32\DRIVERS\mrxsmb10.sys - Manual/Running
mrxsmb20 (SMB 2.0 MiniRedirector)- C:\Windows\system32\DRIVERS\mrxsmb20.sys - Manual/Running
msahci (msahci)- C:\Windows\system32\drivers\msahci.sys - Disabled/Stopped
msdsm (Microsoft Multi-Path Device Specific Module)- C:\Windows\system32\drivers\msdsm.sys - Disabled/Stopped
msisadrv (ISA/EISA Class Driver)- C:\Windows\system32\drivers\msisadrv.sys - Boot/Running
MsRPC (MsRPC)- C:\Windows\system32\drivers\MsRPC.sys - Manual/Stopped
NativeWifiP (NativeWiFi Filter)- C:\Windows\system32\DRIVERS\nwifi.sys - Manual/Running
nfrd960 (nfrd960)- C:\Windows\system32\drivers\nfrd960.sys - Disabled/Stopped
nsiproxy (NSI proxy service)- C:\Windows\system32\drivers\nsiproxy.sys - System/Running
NTIDrvr (Upper Class Filter Driver)- C:\Windows\system32\DRIVERS\NTIDrvr.sys - Manual/Running
ntrigdigi (N-trig HID Tablet Driver)- C:\Windows\system32\drivers\ntrigdigi.sys - Disabled/Stopped
nvstor (nvstor)- C:\Windows\system32\drivers\nvstor.sys - Disabled/Stopped
OCDE (ZTekWare Original CD Emulator Service)- C:\Windows\system32\Drivers\OCDE.sys - Boot/Running
PEAUTH (PEAUTH)- C:\Windows\system32\drivers\peauth.sys - Auto/Running
PSDFilter (PSDFilter)- C:\Windows\system32\DRIVERS\psdfilter.sys - Boot/Running
PSDNServ (PSDNSERVER)- C:\Windows\system32\drivers\PSDNServ.sys - Boot/Running
psdvdisk (psdvdisk)- C:\Windows\system32\drivers\psdvdisk.sys - Boot/Running
ql2300 (QLogic Fibre Channel Miniport Driver)- C:\Windows\system32\drivers\ql2300.sys - Disabled/Stopped
ql40xx (QLogic iSCSI Miniport Driver)- C:\Windows\system32\drivers\ql40xx.sys - Disabled/Stopped
QWAVEdrv (QWAVE driver)- C:\Windows\system32\drivers\qwavedrv.sys - Manual/Stopped
RDPENCDD (RDP Encoder Mirror Driver)- C:\Windows\system32\drivers\rdpencdd.sys - System/Running
RimUsb (BlackBerry Smartphone)- C:\Windows\system32\Drivers\RimUsb.sys - Manual/Stopped
RimVSerPort (RIM Virtual Serial Port v2)- C:\Windows\system32\DRIVERS\RimSerial.sys - Manual/Running
rspndr (Link-Layer Topology Discovery Responder)- C:\Windows\system32\DRIVERS\rspndr.sys - Auto/Running
sbp2port (SBP-2 Transport/Protocol Bus Driver)- C:\Windows\system32\drivers\sbp2port.sys - Disabled/Stopped
sermouse (Serial Mouse Driver)- C:\Windows\system32\drivers\sermouse.sys - Disabled/Stopped
sffdisk (SFF Storage Class Driver)- C:\Windows\system32\drivers\sffdisk.sys - Disabled/Stopped
sffp_mmc (SFF Storage Protocol Driver for MMC)- C:\Windows\system32\drivers\sffp_mmc.sys - Manual/Stopped
sffp_sd (SFF Storage Protocol Driver for SDBus)- C:\Windows\system32\drivers\sffp_sd.sys - Manual/Stopped
SiSRaid2 (SiSRaid2)- C:\Windows\system32\drivers\sisraid2.sys - Disabled/Stopped
SiSRaid4 (SiSRaid4)- C:\Windows\system32\drivers\sisraid4.sys - Disabled/Stopped
spldr (Security Processor Loader Driver)- C:\Windows\system32\drivers\spldr.sys - Boot/Running
SRTSP (Symantec Real Time Storage Protection)- C:\Windows\system32\Drivers\N360\0402000.00C\SRTSP.SYS - Manual/Running
SRTSPX (Symantec Real Time Storage Protection (PEL))- C:\Windows\system32\drivers\N360\0402000.00C\SRTSPX.SYS - System/Running
srv2 (srv2)- C:\Windows\system32\DRIVERS\srv2.sys - Manual/Running
srvnet (srvnet)- C:\Windows\system32\DRIVERS\srvnet.sys - Manual/Running
SymDS (Symantec Data Store)- C:\Windows\system32\drivers\N360\0402000.00C\SYMDS.SYS - Boot/Running
SymEFA (Symantec Extended File Attributes)- C:\Windows\system32\drivers\N360\0402000.00C\SYMEFA.SYS - Boot/Running
SymIRON (Symantec Iron Driver)- C:\Windows\system32\drivers\N360\0402000.00C\Ironx86.SYS - System/Running
SYMTDIv (Symantec Vista Network Dispatch Driver)- C:\Windows\system32\Drivers\N360\0402000.00C\SYMTDIV.SYS - System/Running
SynTP (Synaptics TouchPad Driver)- C:\Windows\system32\DRIVERS\SynTP.sys - Manual/Running
Tcpip6 (Microsoft IPv6 Protocol Driver)- C:\Windows\system32\DRIVERS\tcpip.sys - Manual/Stopped
tcpipreg (TCP/IP Registry Compatibility)- C:\Windows\system32\drivers\tcpipreg.sys - Auto/Running
tdx (NetIO Legacy TDI Support Driver)- C:\Windows\system32\DRIVERS\tdx.sys - System/Running
tssecsrv (Terminal Services Security Filter Driver)- C:\Windows\system32\DRIVERS\tssecsrv.sys - Manual/Stopped
tunmp (Microsoft Tun Miniport Adapter Driver)- C:\Windows\system32\DRIVERS\tunmp.sys - Manual/Running
tunnel (Microsoft IPv6 Tunnel Miniport Adapter Driver)- C:\Windows\system32\DRIVERS\tunnel.sys - Manual/Running
uagp35 (Microsoft AGPv3.5 Filter)- C:\Windows\system32\drivers\uagp35.sys - Manual/Stopped
uliagpkx (Uli AGP Bus Filter)- C:\Windows\system32\drivers\uliagpkx.sys - Manual/Stopped
uliahci (uliahci)- C:\Windows\system32\drivers\uliahci.sys - Disabled/Stopped
UlSata (UlSata)- C:\Windows\system32\drivers\ulsata.sys - Disabled/Stopped
ulsata2 (ulsata2)- C:\Windows\system32\drivers\ulsata2.sys - Disabled/Stopped
umbus (UMBus Enumerator Driver)- C:\Windows\system32\DRIVERS\umbus.sys - Manual/Running
USBAAPL (Apple Mobile USB Driver)- C:\Windows\system32\Drivers\usbaapl.sys - Manual/Stopped
usbcir (eHome Infrared Receiver (USBCIR))- C:\Windows\system32\drivers\usbcir.sys - Disabled/Stopped
usbvideo (USB Video Device (WDM))- C:\Windows\system32\Drivers\usbvideo.sys - Manual/Stopped
ViaC7 (VIA C7 Processor Driver)- C:\Windows\system32\drivers\viac7.sys - Disabled/Stopped
volmgr (Volume Manager Driver)- C:\Windows\system32\drivers\volmgr.sys - Boot/Running
volmgrx (Dynamic Volume Manager)- C:\Windows\system32\drivers\volmgrx.sys - Boot/Running
vsmraid (vsmraid)- C:\Windows\system32\drivers\vsmraid.sys - Disabled/Stopped
WacomPen (Wacom Serial Pen HID Driver)- C:\Windows\system32\drivers\wacompen.sys - Disabled/Stopped
Wanarpv6 (Remote Access IPv6 ARP Driver)- C:\Windows\system32\DRIVERS\wanarp.sys - System/Running
Wdf01000 (Kernel Mode Driver Frameworks service)- C:\Windows\system32\drivers\Wdf01000.sys - Boot/Running
WmiAcpi (Microsoft Windows Management Interface for ACPI)- C:\Windows\system32\DRIVERS\wmiacpi.sys - Manual/Running
WpdUsb (WpdUsb)- C:\Windows\system32\DRIVERS\wpdusb.sys - Manual/Stopped
XAudio (XAudio)- C:\Windows\system32\DRIVERS\xaudio.sys - Auto/Running
yukonwlh (NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller)- C:\Windows\system32\DRIVERS\yk60x86.sys - Manual/Running

====== Uninstall List ======

A file named 'UNI.txt' was created and saved to
FileListers default location. Post the results if requested.

======== Other Info ========

TOTAL PHYSICAL RAM: 1600 MB

Boot Info

OS Type: Microsoft® Windows Vista™ Home Basic
Build: 6.0.6002
Service Pack: 2.0

====== Files with Hidden Attributes======

A file named 'Hidden.txt' was created and saved to
FileListers default location. Post the results if requested.

==End of Report==
  • 0

#43
SweetTech
    Sir SpamAlot
  • Retired Staff
  • 7,671 posts
Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
  • 0

#44
ZLynx
    Member
  • Topic Starter
  • Member
  • 38 posts
MBAM log
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4134

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

5/23/2010 3:14:23 PM
mbam-log-2010-05-23 (15-14-23).txt

Scan type: Quick scan
Objects scanned: 132848
Time elapsed: 11 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I was reading up on some of those files and it definitely doesn't look like it's easy to get rid of 'em.
  • 0

#45
SweetTech
    Sir SpamAlot
  • Retired Staff
  • 7,671 posts
Download Dr.Web CureIt to the desktop.
  • Double-click the drweb-cureit.exe file, then click Start and allow the express scan to run.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the following icon next to the files found:
    Posted Image
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:
    Posted Image
  • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply, along with a new OTL log.
NOTE: During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.
  • 0