Found it!
ComboFix 10-05-28.08 - Stu 06/02/2010 22:48:26.9.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1526.693 [GMT -6:00]
Running from: c:\users\Stu\Desktop\ComboFix.exe
Command switches used :: c:\users\Stu\Desktop\cfscript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\releaseengineer\Application Data\64dlls.exe
c:\documents and settings\releaseengineer\Application Data\intel64.exe
c:\documents and settings\releaseengineer\Application Data\localsys64.exe
c:\documents and settings\releaseengineer\Application Data\ntos.exe
c:\documents and settings\releaseengineer\Application Data\oembios.exe
c:\documents and settings\releaseengineer\Application Data\sdra64.exe
c:\documents and settings\releaseengineer\Application Data\sdra73.exe
c:\documents and settings\releaseengineer\Application Data\swin32.exe
c:\documents and settings\releaseengineer\Application Data\twex.exe
c:\documents and settings\releaseengineer\Application Data\twext.exe
c:\documents and settings\releaseengineer\Application Data\wsnpoema.exe
.
((((((((((((((((((((((((( Files Created from 2010-05-03 to 2010-06-03 )))))))))))))))))))))))))))))))
.
2010-06-03 05:03 . 2010-06-03 05:05 -------- d-----w- c:\users\Stu\AppData\Local\temp
2010-06-03 05:03 . 2010-06-03 05:03 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-03 05:03 . 2010-06-03 05:03 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-06-03 05:03 . 2010-06-03 05:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-03 04:33 . 2010-06-03 04:34 -------- d-----w- C:\32788R22FWJFW
2010-05-26 11:01 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-23 22:05 . 2010-05-24 12:45 -------- d-----w- c:\users\Stu\DoctorWeb
2010-05-21 15:50 . 2010-05-29 17:33 -------- d-----w- c:\users\Stu\AppData\Local\CrashDumps
2010-05-18 18:53 . 2010-05-18 18:53 -------- d-----w- c:\users\Stu\Office Genuine Advantage
2010-05-18 17:17 . 2010-05-18 17:17 -------- d-----w- c:\users\Stu\AppData\Local\Yahoo!
2010-05-17 20:13 . 2010-05-17 20:13 -------- d-----w- c:\program files\Foxit Software
2010-05-16 20:25 . 2010-05-16 20:25 -------- d-----w- c:\program files\ESET
2010-05-16 19:28 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-16 17:30 . 2010-05-16 17:30 -------- d-----w- C:\_OTL
2010-05-15 19:16 . 2010-05-15 19:16 -------- d-----w- c:\program files\ERUNT
2010-05-12 21:39 . 2010-05-15 19:08 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-12 09:59 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-10 20:01 . 2010-05-10 20:01 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2010-05-04 23:40 . 2010-05-06 16:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 18:59 . 2010-05-04 18:58 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-04 18:50 . 2010-05-04 18:51 -------- d-----w- c:\program files\Lavasoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-03 05:07 . 2009-08-11 05:03 -------- d-----w- c:\program files\Common Files\Akamai
2010-06-03 03:49 . 2007-08-02 09:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-28 17:53 . 2009-08-11 05:03 -------- d-----w- c:\users\Stu\AppData\Roaming\Metacafe
2010-05-25 12:32 . 2009-02-24 05:40 6756 ----a-w- c:\users\Stu\AppData\Local\d3d9caps.dat
2010-05-17 20:11 . 2008-03-19 17:05 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-17 20:08 . 2008-01-23 03:35 -------- d-----w- c:\program files\Java
2010-05-16 19:28 . 2008-01-23 03:29 -------- d-----w- c:\program files\Common Files\Java
2010-05-16 18:57 . 2009-03-24 03:56 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-16 18:57 . 2009-03-24 03:56 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-16 18:57 . 2009-03-24 03:56 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-16 18:57 . 2009-03-24 03:56 -------- d-----w- c:\program files\Symantec
2010-05-16 07:18 . 2010-04-28 18:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-12 18:28 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-11 01:21 . 2007-12-29 05:17 140608 ----a-w- c:\users\Stu\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-10 19:45 . 2008-03-03 19:00 -------- d-----w- c:\program files\Microsoft Works
2010-05-04 19:29 . 2008-09-10 20:17 -------- d-----w- c:\program files\iWin Games
2010-04-30 16:20 . 2008-01-23 03:39 -------- d-----w- c:\users\Stu\AppData\Roaming\LimeWire
2010-04-29 21:39 . 2010-04-28 18:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2010-04-28 18:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 18:43 . 2010-04-28 18:43 -------- d-----w- c:\users\Stu\AppData\Roaming\Malwarebytes
2010-04-27 00:48 . 2010-04-26 23:33 256 ----a-w- c:\windows\system32\pool.bin
2010-04-26 23:50 . 2010-04-26 23:50 -------- d-----w- c:\users\Stu\AppData\Roaming\Roxio
2010-04-26 23:33 . 2010-04-26 23:33 -------- d-----w- c:\users\Stu\AppData\Roaming\Research In Motion
2010-04-26 23:02 . 2010-04-26 23:00 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-04-26 23:02 . 2010-04-26 23:02 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-04-26 23:02 . 2010-04-26 23:01 -------- d-----w- c:\program files\Roxio
2010-04-26 23:01 . 2010-04-26 23:01 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-04-26 23:01 . 2007-08-02 09:53 -------- d-----w- c:\program files\Common Files\InstallShield
2010-04-26 22:42 . 2010-04-26 22:41 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-04-26 22:41 . 2010-04-26 22:41 -------- d-----w- c:\program files\Research In Motion
2010-04-21 18:04 . 2010-04-21 18:04 -------- d-----w- c:\program files\NOS
2010-03-09 16:25 . 2010-04-23 16:50 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42 . 2010-04-23 16:50 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-08 01:05 . 2010-03-08 01:05 64505 ----a-w- c:\users\Stu\AppData\Roaming\NeuLion\AdaptivePlugin\uninst.exe
2008-06-30 19:44 . 2008-08-31 08:42 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-04-16 133104]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-30 1739776]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 865840]
"PCMService"="c:\program files\Acer\Acer Arcade\PCMService.exe" [2007-06-22 155648]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-07-12 846344]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-05-04 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-03-05 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-05-04 312240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-16 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-16 150552]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-22 198160]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-11-23 615696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-11-10 236016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
c:\users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):39,0a,fc,b0,44,39,ca,01
R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [x]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\N360\0308000.029\SYMNDISV.SYS [x]
S0 OCDE;ZTekWare Original CD Emulator Service;c:\windows\System32\Drivers\OCDE.sys [2007-08-26 30480]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\SYMDS.SYS [2010-02-04 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [2010-04-29 537136]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100528.003\IDSvix86.sys [2010-05-28 344112]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360\0402000.00C\SYMTDIV.SYS [2010-05-06 339504]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 AtomicAlarmClock;Atomic Alarm Clock Time;c:\program files\Atomic Alarm Clock\timeserv.exe [2008-09-29 415744]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-04-26 537520]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-26 99248]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe [2010-02-26 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
Akamai REG_MULTI_SZ Akamai
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-06-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-24 22:15]
2010-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2381161337-1183444262-2068861460-1000Core.job
- c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 06:02]
2010-06-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2381161337-1183444262-2068861460-1000UA.job
- c:\users\Stu\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 06:02]
2010-06-02 c:\windows\Tasks\User_Feed_Synchronization-{8CAA04C7-6A35-458B-8BD5-3FC5BD7F1DD3}.job
- c:\windows\system32\msfeedssync.exe [2008-08-20 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Stu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr
ef", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2010-06-02 23:08
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(5600)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
c:\acer\Empowering Technology\EPOWER\SysHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
c:\program files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\spool\DRIVERS\W32X86\3\lxddserv.exe
c:\acer\Mobility Center\MobilityService.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\DllHost.exe
c:\windows\RtHDVCpl.exe
c:\program files\Launch Manager\LManager.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
c:\acer\Empowering Technology\eRecovery\ERAGENT.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\users\Stu\AppData\Local\Temp\RtkBtMnt.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-06-02 23:15:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-03 05:15
ComboFix2.txt 2010-05-29 17:51
ComboFix3.txt 2010-05-23 19:02
ComboFix4.txt 2010-05-19 00:37
ComboFix5.txt 2010-06-03 04:31
Pre-Run: 798,715,904 bytes free
Post-Run: 1,203,666,944 bytes free
- - End Of File - - 61FE91A04D25EB867D124381821C3594