1. I ran the malbytes scan, it found 4 infections which i removed (one needed rebooting). Here's the log from it -
2. I then ran a zonalarm antivirus scan and it found nothing.Malwarebytes' Anti-Malware 1.34
Database version: 1846
Windows 6.0.6001 Service Pack 1
14/03/2009 00:07:44
mbam-log-2009-03-14 (00-07-44).txt
Scan type: Quick Scan
Objects scanned: 60278
Time elapsed: 23 minute(s), 21 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
C:\Users\Taz\AppData\Roaming\Microsoft\Windows\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdapihe (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass service (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Users\Taz\AppData\Local\anavigamepixohay.dll (Trojan.Agent) -> Delete on reboot.
C:\Users\Taz\AppData\Roaming\Microsoft\Windows\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
3. I did a Hijackthis log and here's the results -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:42:33, on 14/03/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Users\Taz\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Taz\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\SwiftKit\SwiftKit.exe
C:\Windows\system32\Taskmgr.exe
C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\mmc.exe
C:\Windows\System32\mspaint.exe
C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer...p;m=aspire_7530
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [eAudio] "C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE Systemboot
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Program Files\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [cgi-bin] C:\Windows\cgi-bin.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Taz\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - (no CLSID) - (no file)
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8591 bytes
4. I then did a OTListIt2 log -
OTListIt logfile created on: 14/03/2009 17:10:12 - Run 1
OTListIt2 by OldTimer - Version 2.0.3.6 Folder = C:\Users\Taz\Downloads
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
2.00 Gb Total Physical Memory | 1.19 Gb Available Physical Memory | 59.64% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys;
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.44 Gb Total Space | 62.07 Gb Free Space | 55.70% Space Free | Partition Type: NTFS
Drive D: | 111.44 Gb Total Space | 109.38 Gb Free Space | 98.15% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: HOME-PC
Current User Name: Taz
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On
========== Processes (SafeList) ==========
PRC - C:\Windows\system32\nvvsvc.exe (NVIDIA Corporation)
PRC - C:\Windows\System32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
PRC - C:\Windows\System32\ZoneLabs\avsys\ScanningProcess.exe ()
PRC - C:\Windows\System32\ZoneLabs\avsys\ScanningProcess.exe ()
PRC - C:\Windows\Explorer.EXE (Microsoft Corporation)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
PRC - C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe (Acer Inc.)
PRC - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe (Egis Incorporated)
PRC - C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe (Acer Incorporated)
PRC - C:\Users\Taz\AppData\Local\Temp\RtkBtMnt.exe (Realtek Semiconductor Corp.)
PRC - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe (NewTech Infosystems, Inc.)
PRC - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe (Egis Incorporated)
PRC - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe ()
PRC - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
PRC - C:\Acer\Mobility Center\MobilityService.exe ()
PRC - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe (NewTech InfoSystems, Inc.)
PRC - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe ()
PRC - C:\Windows\system32\DRIVERS\xaudio.exe (Conexant Systems, Inc.)
PRC - C:\Windows\system32\wbem\unsecapp.exe (Microsoft Corporation)
PRC - C:\Windows\system32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\Program Files\Launch Manager\QtZgAcer.EXE (Dritek System Inc.)
PRC - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
PRC - C:\Windows\ehome\ehtray.exe (Microsoft Corporation)
PRC - C:\Windows\system32\wbem\unsecapp.exe (Microsoft Corporation)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\Users\Taz\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
PRC - C:\Windows\ehome\ehmsas.exe (Microsoft Corporation)
PRC - C:\Program Files\Synaptics\SynTP\SynTPHelper.exe (Synaptics, Inc.)
PRC - C:\Program Files\SwiftKit\SwiftKit.exe (Bluelight Developments)
PRC - C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)
PRC - C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)
PRC - C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)
PRC - C:\Program Files\Safari\Safari.exe (Apple Inc.)
PRC - C:\Users\Taz\Downloads\OTListIt2.exe (OldTimer Tools)
========== Win32 Services (SafeList) ==========
SRV - (BUNAgentSvc [Auto | Running]) -- C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe (NewTech Infosystems, Inc.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (eDataSecurity Service [Auto | Running]) -- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe (Egis Incorporated)
SRV - (ehRecvr [On_Demand | Stopped]) -- C:\Windows\ehome\ehRecvr.exe (Microsoft Corporation)
SRV - (ehSched [On_Demand | Stopped]) -- C:\Windows\ehome\ehsched.exe (Microsoft Corporation)
SRV - (ehstart [Auto | Stopped]) -- C:\Windows\ehome\ehstart.dll (Microsoft Corporation)
SRV - (ETService [Auto | Running]) -- C:\Program Files\Acer\Empowering Technology\Service\ETService.exe ()
SRV - (FLEXnet Licensing Service [On_Demand | Stopped]) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (gusvc [On_Demand | Stopped]) -- File not found
SRV - (idsvc [Unknown | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (LightScribeService [Auto | Running]) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
SRV - (Microsoft Office Groove Audit Service [On_Demand | Stopped]) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (Microsoft Corporation)
SRV - (MobilityService [Auto | Running]) -- C:\Acer\Mobility Center\MobilityService.exe ()
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (NTIBackupSvc [Auto | Running]) -- C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe (NewTech InfoSystems, Inc.)
SRV - (NTISchedulerSvc [Auto | Running]) -- C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe ()
SRV - (nvsvc [Auto | Running]) -- C:\Windows\system32\nvvsvc.exe (NVIDIA Corporation)
SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (vsmon [Auto | Running]) -- C:\Windows\System32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
SRV - (WinDefend [Auto | Stopped]) -- C:\Program Files\Windows Defender\mpsvc.dll (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
SRV - (XAudioService [Auto | Running]) -- C:\Windows\system32\DRIVERS\xaudio.exe (Conexant Systems, Inc.)
========== Driver Services (SafeList) ==========
DRV - (adfs [Auto | Running]) -- C:\Windows\System32\drivers\adfs.sys (Adobe Systems, Inc.)
DRV - (adp94xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (adpahci [Disabled | Stopped]) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (adpu160m [Disabled | Stopped]) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (adpu320 [Disabled | Stopped]) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (aic78xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (aliide [Disabled | Stopped]) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (arc [Disabled | Stopped]) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (arcsas [Disabled | Stopped]) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (athr [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\athr.sys (Atheros Communications, Inc.)
DRV - (b57nd60x [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\b57nd60x.sys (Broadcom Corporation)
DRV - (BCM43XX [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\bcmwl6.sys (Broadcom Corporation)
DRV - (BrFiltLo [On_Demand | Stopped]) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp [On_Demand | Stopped]) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (Brserid [Disabled | Stopped]) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrSerWdm [Disabled | Stopped]) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm [Disabled | Stopped]) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer [On_Demand | Stopped]) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (cmdide [Disabled | Stopped]) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (DKbFltr [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\DKbFltr.sys (Dritek System Inc.)
DRV - (E1G60 [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\E1G60I32.sys (Intel Corporation)
DRV - (elxstor [Disabled | Stopped]) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (HpCISSs [Disabled | Stopped]) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (HSFHWAZL [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\VSTAZL3.SYS (Conexant Systems, Inc.)
DRV - (HSF_DPV [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\HSX_DPV.sys (Conexant Systems, Inc.)
DRV - (HSXHWAZL [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\HSXHWAZL.sys (Conexant Systems, Inc.)
DRV - (iaStorV [Disabled | Stopped]) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (iirsp [Disabled | Stopped]) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (int15 [Auto | Running]) -- C:\Windows\system32\drivers\int15.sys (Acer, Inc.)
DRV - (IntcAzAudAddService [On_Demand | Running]) -- C:\Windows\system32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
DRV - (iteatapi [Disabled | Stopped]) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (iteraid [Disabled | Stopped]) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (KLIF [System | Running]) -- C:\Windows\system32\DRIVERS\klif.sys (Kaspersky Lab)
DRV - (LSI_FC [Disabled | Stopped]) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (LSI_SAS [Disabled | Stopped]) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (LSI_SCSI [Disabled | Stopped]) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (mdmxsdk [Auto | Running]) -- C:\Windows\system32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (megasas [Disabled | Stopped]) -- C:\Windows\system32\drivers\megasas.sys (LSI Corporation)
DRV - (MegaSR [Disabled | Stopped]) -- C:\Windows\system32\drivers\megasr.sys (LSI Corporation, Inc.)
DRV - (Mraid35x [Disabled | Stopped]) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (nfrd960 [Disabled | Stopped]) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (NTIDrvr [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\NTIDrvr.sys (NewTech Infosystems, Inc.)
DRV - (ntrigdigi [Disabled | Stopped]) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (NVHDA [On_Demand | Running]) -- C:\Windows\system32\drivers\nvhda32v.sys (NVIDIA Corporation)
DRV - (nvlddmkm [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\nvlddmkm.sys (NVIDIA Corporation)
DRV - (nvraid [Disabled | Stopped]) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nvsmu [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\nvsmu.sys (NVIDIA Corporation)
DRV - (nvstor [Disabled | Stopped]) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (nvstor32 [Boot | Running]) -- C:\Windows\system32\DRIVERS\nvstor32.sys (NVIDIA Corporation)
DRV - (PSDFilter [Boot | Running]) -- C:\Windows\system32\DRIVERS\psdfilter.sys (Egis Incorporated)
DRV - (PSDNServ [Auto | Running]) -- C:\Windows\system32\DRIVERS\PSDNServ.sys (Egis Incorporated)
DRV - (psdvdisk [Auto | Running]) -- C:\Windows\system32\DRIVERS\PSDVdisk.sys (Egis Incorporated)
DRV - (ql2300 [Disabled | Stopped]) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (ql40xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (RTSTOR [On_Demand | Running]) -- C:\Windows\system32\drivers\RTSTOR.SYS (Realtek Semiconductor Corp.)
DRV - (secdrv [Auto | Running]) -- C:\Windows\System32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SiSRaid4 [Disabled | Stopped]) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (Symc8xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (Sym_hi [Disabled | Stopped]) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (Sym_u3 [Disabled | Stopped]) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (SynTP [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\SynTP.sys (Synaptics, Inc.)
DRV - (UBHelper [Boot | Running]) -- C:\Windows\System32\drivers\UBHelper.sys (NewTech Infosystems Corporation)
DRV - (uliahci [Disabled | Stopped]) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (UlSata [Disabled | Stopped]) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (ulsata2 [Disabled | Stopped]) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (viaide [Disabled | Stopped]) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (Vsdatant [System | Running]) -- C:\Windows\system32\DRIVERS\vsdatant.sys (Check Point Software Technologies LTD)
DRV - (vsmraid [Disabled | Stopped]) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (winachsf [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\HSX_CNXT.sys (Conexant Systems, Inc.)
DRV - (winbondcir [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\winbondcir.sys (Winbond Electronics Corporation)
DRV - (XAudio [Auto | Running]) -- C:\Windows\system32\DRIVERS\xaudio.sys (Conexant Systems, Inc.)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer...p;m=aspire_7530
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://global.acer.com;
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b} -> %SystemRoot%\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION [C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\] -> [2009/02/15 13:31:28 00,000,000 | ---D | M]
O1 HOSTS File: (794 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll File not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (Egis)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)
O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - Reg Error: Key error. File not found
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll File not found
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O4 - HKLM..\Run: [eAudio] "C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe" (Acer Incorporated)
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe (Egis Incorporated)
O4 - HKLM..\Run: [ePower_DMC] C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe (Acer Inc.)
O4 - HKLM..\Run: [eRecoveryService] File not found
O4 - HKLM..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" (Microsoft Corporation)
O4 - HKLM..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE Systemboot (Dritek System Inc.)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [WarReg_PopUp] C:\Program Files\Acer\WR_PopUp\WarReg_PopUp.exe (Acer Incorporated)
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide (Microsoft Corporation)
O4 - HKLM..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [cgi-bin] C:\Windows\cgi-bin.exe ()
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Google Update] "C:\Users\Taz\AppData\Local\Google\Update\GoogleUpdate.exe" /c (Google Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [@%SystemRoot%\system32\nlasvc.dll,-1000] - C:\Windows\system32\NLAapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [@%SystemRoot%\system32\napinsp.dll,-1000] - C:\Windows\system32\napinsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [@%SystemRoot%\system32\pnrpnsp.dll,-1000] - C:\Windows\system32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [@%SystemRoot%\system32\pnrpnsp.dll,-1001] - C:\Windows\system32\pnrpnsp.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Sites: internet ([]about in Internet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\autoexec.bat () - [ NTFS ]
========== Files/Folders - Created Within 30 Days ==========
[2009/03/14 16:41:47 | 00,001,878 | ---- | C] () -- C:\Users\Taz\Desktop\HijackThis.lnk
[2009/03/14 16:41:45 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/03/14 16:27:14 | 00,032,973 | ---- | C] () -- C:\Users\Taz\Desktop\transfer 3.jpg
[2009/03/14 16:24:55 | 00,058,879 | ---- | C] () -- C:\Users\Taz\Desktop\transfer 2.jpg
[2009/03/14 16:23:39 | 00,050,534 | ---- | C] () -- C:\Users\Taz\Desktop\transfer 1.jpg
[2009/03/13 23:38:58 | 00,000,000 | ---D | C] -- C:\Users\Taz\AppData\Roaming\Malwarebytes
[2009/03/13 23:38:47 | 00,000,822 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/13 23:38:45 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/03/13 23:38:41 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/03/13 23:38:38 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/03/13 23:38:38 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/03/13 22:40:04 | 00,216,474 | ---- | C] () -- C:\Users\Taz\Desktop\prob.jpg
[2009/03/13 20:29:41 | 00,125,487 | ---- | C] () -- C:\Users\Taz\Desktop\problem 2.jpg
[2009/03/13 20:28:19 | 00,196,247 | ---- | C] () -- C:\Users\Taz\Desktop\problem 1.jpg
[2009/03/13 20:23:45 | 10,622,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmp.dll
[2009/03/13 20:23:43 | 00,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\spwmp.dll
[2009/03/13 20:23:40 | 08,147,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmploc.DLL
[2009/03/13 20:23:40 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdxm.ocx
[2009/03/13 20:23:40 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxmasf.dll
[2009/03/13 20:23:08 | 00,268,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\schannel.dll
[2009/03/13 20:22:51 | 02,033,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2009/03/11 10:52:51 | 00,268,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\schannel(137).dll
[2009/03/09 20:48:05 | 00,008,224 | ---- | C] () -- C:\Users\Taz\AppData\Local\GDIPFONTCACHEV1.DAT
[2009/03/07 11:46:09 | 00,000,000 | ---D | C] -- C:\Users\Taz\AppData\Local\{4B73687E-B299-43FC-B003-6E1D22CD86B1}
[2009/03/05 10:56:31 | 00,000,000 | ---D | C] -- C:\Users\Taz\Documents\Downloads
[2009/03/05 10:56:22 | 00,001,996 | ---- | C] () -- C:\Users\Taz\Desktop\Google Chrome.lnk
[2009/03/05 10:52:18 | 00,000,848 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1482803467-2361875880-1312049289-1000.job
[2009/03/01 15:34:42 | 00,000,792 | ---- | C] () -- C:\Users\Taz\Desktop\SopCast.lnk
[2009/03/01 15:34:39 | 00,000,000 | ---D | C] -- C:\Program Files\SopCast
[2009/02/27 23:07:36 | 00,000,947 | ---- | C] () -- C:\Users\Taz\Desktop\Launch Internet Explorer Browser.lnk
[2009/02/26 20:20:40 | 00,026,624 | -HS- | C] () -- C:\Windows\System32\proto.dll
[2009/02/25 16:31:19 | 00,000,000 | ---D | C] -- C:\.jagex_cache_32
[2009/02/24 14:33:14 | 00,171,760 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat
[2009/02/22 15:09:44 | 00,000,950 | ---- | C] () -- C:\Users\Taz\Desktop\Revolution Media.lnk
[2009/02/22 15:08:46 | 00,000,000 | ---D | C] -- C:\Program Files\Revolution Media 3.0.0
[2009/02/22 15:04:45 | 00,000,000 | ---D | C] -- C:\Users\Taz\AppData\Roaming\Runtime Revolution
[2009/02/20 22:45:30 | 00,000,000 | ---D | C] -- C:\Users\Taz\AppData\Roaming\Apple Computer
[2009/02/20 22:45:30 | 00,000,000 | ---D | C] -- C:\Users\Taz\AppData\Local\Apple Computer
[2009/02/20 22:44:48 | 00,000,000 | ---D | C] -- C:\Program Files\Safari
[2009/02/20 22:44:31 | 00,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2009/02/20 22:44:30 | 00,000,000 | ---D | C] -- C:\ProgramData\Apple
[2009/02/19 21:14:41 | 00,048,913 | ---- | C] () -- C:\Windows\UninstVeetleTVPlayer.exe
[2009/02/19 21:14:41 | 00,000,000 | ---D | C] -- C:\Program Files\Veetle
[2009/02/19 19:31:48 | 00,000,000 | -H-- | C] () -- C:\Users\Taz\Documents\Default.rdp
[2009/02/19 11:19:19 | 00,000,000 | ---D | C] -- C:\Users\Taz\AppData\Roaming\Ventrilo
[2009/02/19 11:19:08 | 00,000,000 | ---D | C] -- C:\Program Files\Ventrilo
[2009/02/19 11:19:07 | 00,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/02/19 11:17:48 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/02/18 18:16:37 | 00,000,000 | ---D | C] -- C:\Program Files\SystemRequirementsLab
[2009/02/18 18:16:29 | 00,000,000 | ---D | C] -- C:\Users\Taz\AppData\Roaming\SystemRequirementsLab
[2009/02/16 19:41:06 | 00,000,000 | ---D | C] -- C:\Users\Taz\AppData\Roaming\teamspeak2
[2009/02/16 19:40:58 | 00,034,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\lhacm.acm
[2009/02/16 19:40:48 | 00,000,000 | ---D | C] -- C:\Program Files\Teamspeak2_RC2
[2009/02/15 20:32:15 | 00,000,000 | ---D | C] -- C:\Users\Taz\AppData\Roaming\FileZilla
[2009/02/15 20:32:11 | 00,001,789 | ---- | C] () -- C:\Users\Public\Desktop\FileZilla Client.lnk
[2009/02/15 20:32:06 | 00,000,000 | ---D | C] -- C:\Program Files\FileZilla FTP Client
[2009/02/15 13:21:48 | 00,097,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\infocardapi.dll
[2009/02/15 13:21:47 | 00,105,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
[2009/02/15 13:21:46 | 00,622,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\icardagt.exe
[2009/02/15 13:21:46 | 00,043,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll
[2009/02/15 13:21:46 | 00,037,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\infocardcpl.cpl
[2009/02/15 13:21:46 | 00,011,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\icardres.dll
[2009/02/15 13:21:44 | 00,781,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationNative_v0300.dll
[2009/02/15 13:21:40 | 00,326,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe
[2009/02/15 13:08:10 | 00,096,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dfshim.dll
[2009/02/15 13:07:59 | 00,282,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mscoree.dll
[2009/02/15 13:07:56 | 00,041,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll
[2009/02/15 13:07:21 | 00,158,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mscorier.dll
[2009/02/15 13:07:07 | 00,083,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mscories.dll
[2009/02/15 12:38:16 | 00,428,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2009/02/15 12:38:15 | 00,217,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisrndr.ax
[2009/02/15 12:38:09 | 00,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisdecd.dll
[2009/02/15 12:38:08 | 00,177,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2009/02/15 12:38:08 | 00,080,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSNP.ax
[2009/02/14 19:37:38 | 00,001,891 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 8.lnk
[2009/02/13 15:53:59 | 00,000,000 | ---D | C] -- C:\Users\Taz\Documents\Clan
[2009/02/13 11:01:43 | 03,580,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.dll
[2009/02/13 11:01:40 | 06,069,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieframe.dll
[2009/02/13 11:01:39 | 01,166,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\urlmon.dll
[2009/02/13 11:01:39 | 00,827,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wininet.dll
[2009/02/13 11:01:38 | 00,671,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2009/02/13 11:01:38 | 00,458,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2009/02/13 11:01:38 | 00,270,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iertutil.dll
[2009/02/13 11:01:38 | 00,028,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2009/02/13 11:01:37 | 01,383,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
========== Files - Modified Within 30 Days ==========
[2009/03/14 17:08:41 | 75,355,424 | -HS- | M] () -- C:\Windows\System32\drivers\fidbox.dat
[2009/03/14 16:51:39 | 00,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/03/14 16:51:39 | 00,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/03/14 16:41:47 | 00,001,878 | ---- | M] () -- C:\Users\Taz\Desktop\HijackThis.lnk
[2009/03/14 16:27:15 | 00,032,973 | ---- | M] () -- C:\Users\Taz\Desktop\transfer 3.jpg
[2009/03/14 16:24:56 | 00,058,879 | ---- | M] () -- C:\Users\Taz\Desktop\transfer 2.jpg
[2009/03/14 16:23:40 | 00,050,534 | ---- | M] () -- C:\Users\Taz\Desktop\transfer 1.jpg
[2009/03/14 15:54:17 | 00,027,649 | ---- | M] () -- C:\ProgramData\nvModes.001
[2009/03/14 15:42:23 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/03/14 15:18:30 | 00,027,649 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2009/03/14 12:01:45 | 00,000,848 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1482803467-2361875880-1312049289-1000.job
[2009/03/14 11:07:08 | 00,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/03/14 11:07:08 | 00,600,378 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/03/14 11:07:08 | 00,105,852 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/03/14 11:02:32 | 00,000,000 | ---- | M] () -- C:\Windows\System32\LogConfigTemp.xml
[2009/03/14 11:01:58 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/03/14 11:01:56 | 00,349,222 | -H-- | M] () -- C:\Windows\System32\drivers\vsconfig.xml
[2009/03/14 11:01:45 | 29,510,32832 | -HS- | M] () -- C:\hiberfil.sys
[2009/03/14 00:25:08 | 00,905,384 | -HS- | M] () -- C:\Windows\System32\drivers\fidbox.idx
[2009/03/14 00:24:42 | 01,525,986 | -H-- | M] () -- C:\Users\Taz\AppData\Local\IconCache.db
[2009/03/13 23:38:47 | 00,000,822 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/13 22:40:45 | 00,216,474 | ---- | M] () -- C:\Users\Taz\Desktop\prob.jpg
[2009/03/13 22:16:51 | 02,303,448 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/03/13 20:56:03 | 00,026,624 | -HS- | M] () -- C:\Windows\System32\proto.dll
[2009/03/13 20:53:53 | 00,102,256 | ---- | M] () -- C:\Windows\System32\GDIPFONTCACHEV1.DAT
[2009/03/13 20:50:53 | 00,008,224 | ---- | M] () -- C:\Users\Taz\AppData\Local\GDIPFONTCACHEV1.DAT
[2009/03/13 20:29:41 | 00,125,487 | ---- | M] () -- C:\Users\Taz\Desktop\problem 2.jpg
[2009/03/13 20:28:20 | 00,196,247 | ---- | M] () -- C:\Users\Taz\Desktop\problem 1.jpg
[2009/03/10 08:58:34 | 59,001,632 | -HS- | M] () -- C:\Windows\System32\drivers\fidbox(254).dat
[2009/03/10 08:37:38 | 00,349,222 | -H-- | M] () -- C:\Windows\System32\drivers\vsconfig(256).xml
[2009/03/09 22:21:35 | 00,791,816 | -HS- | M] () -- C:\Windows\System32\drivers\fidbox(255).idx
[2009/03/09 19:43:26 | 00,000,959 | ---- | M] () -- C:\rollback.ini
[2009/03/09 17:05:46 | 00,002,583 | ---- | M] () -- C:\Users\Taz\Desktop\Microsoft Office Access 2007.lnk
[2009/03/08 22:17:09 | 00,027,136 | ---- | M] () -- C:\Users\Taz\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/08 17:17:40 | 00,002,627 | ---- | M] () -- C:\Users\Taz\Desktop\Microsoft Office Word 2007.lnk
[2009/03/05 10:56:22 | 00,001,996 | ---- | M] () -- C:\Users\Taz\Desktop\Google Chrome.lnk
[2009/03/01 20:22:41 | 32,837,8611 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2009/03/01 15:34:42 | 00,000,792 | ---- | M] () -- C:\Users\Taz\Desktop\SopCast.lnk
[2009/02/27 23:07:36 | 00,000,947 | ---- | M] () -- C:\Users\Taz\Desktop\Launch Internet Explorer Browser.lnk
[2009/02/27 23:07:36 | 00,000,476 | -HS- | M] () -- C:\Users\Taz\Desktop\desktop.ini
[2009/02/25 20:54:59 | 24,768,960 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mrt.exe
[2009/02/24 14:33:14 | 00,171,760 | -H-- | M] () -- C:\Windows\System32\mlfcache.dat
[2009/02/22 15:09:44 | 00,000,950 | ---- | M] () -- C:\Users\Taz\Desktop\Revolution Media.lnk
[2009/02/19 21:14:41 | 00,048,913 | ---- | M] () -- C:\Windows\UninstVeetleTVPlayer.exe
[2009/02/19 19:31:48 | 00,000,000 | -H-- | M] () -- C:\Users\Taz\Documents\Default.rdp
[2009/02/19 11:19:10 | 00,000,262 | ---- | M] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/02/17 13:27:09 | 00,001,024 | RH-- | M] () -- C:\Users\Public\Documents\NTIMP3.dll
[2009/02/16 19:40:58 | 00,034,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\lhacm.acm
[2009/02/15 20:32:11 | 00,001,789 | ---- | M] () -- C:\Users\Public\Desktop\FileZilla Client.lnk
[2009/02/14 19:37:38 | 00,001,891 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 8.lnk
< End of report >
5. I then did a rooter scan -
Microsoft Windows Vista Home Edition (6.0.6001) Service Pack 1
C:\ [Fixed] - NTFS - (Total:114115 Mo/Free:2121 Mo)
D:\ [Fixed] - NTFS - (Total:114116 Mo/Free:1412 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
14/03/2009|17:20
----------------------\\ Processes..
--Locked-- [System Process]
--Locked-- System
---------- \SystemRoot\System32\smss.exe
---------- C:\Windows\system32\csrss.exe
---------- C:\Windows\system32\wininit.exe
---------- C:\Windows\system32\csrss.exe
---------- C:\Windows\system32\services.exe
---------- C:\Windows\system32\lsass.exe
---------- C:\Windows\system32\lsm.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\system32\nvvsvc.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\System32\svchost.exe
---------- C:\Windows\System32\svchost.exe
---------- C:\Windows\system32\svchost.exe
--Locked-- audiodg.exe
---------- C:\Windows\system32\SLsvc.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\system32\winlogon.exe
---------- C:\Windows\system32\svchost.exe
--Locked-- vsmon.exe
---------- C:\Windows\system32\rundll32.exe
--Locked-- ScanningProcess.exe
---------- C:\Windows\System32\spoolsv.exe
--Locked-- ScanningProcess.exe
---------- C:\Windows\system32\taskeng.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\system32\taskeng.exe
---------- C:\Windows\system32\Dwm.exe
---------- C:\Windows\Explorer.EXE
---------- C:\Windows\RtHDVCpl.exe
---------- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
---------- C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
---------- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
---------- C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe
---------- C:\Users\Taz\AppData\Local\Temp\RtkBtMnt.exe
---------- C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
---------- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
---------- C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
---------- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
---------- C:\Acer\Mobility Center\MobilityService.exe
---------- C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
---------- C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\System32\svchost.exe
---------- C:\Windows\system32\SearchIndexer.exe
---------- C:\Windows\system32\DRIVERS\xaudio.exe
---------- C:\Windows\system32\wbem\unsecapp.exe
---------- C:\Windows\system32\wbem\wmiprvse.exe
---------- C:\Program Files\Launch Manager\QtZgAcer.EXE
---------- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
---------- C:\Program Files\Java\jre6\bin\jusched.exe
--Locked-- zlclient.exe
---------- C:\Windows\System32\rundll32.exe
---------- C:\Windows\ehome\ehtray.exe
---------- C:\Windows\system32\wbem\unsecapp.exe
---------- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
---------- C:\Program Files\Internet Explorer\iexplore.exe
---------- C:\Users\Taz\AppData\Local\Google\Update\GoogleUpdate.exe
---------- C:\Windows\ehome\ehmsas.exe
---------- C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
---------- C:\Program Files\SwiftKit\SwiftKit.exe
---------- C:\Windows\system32\taskeng.exe
---------- C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe
---------- C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe
---------- C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe
---------- C:\Program Files\Safari\Safari.exe
---------- C:\Users\Taz\Downloads\OTListIt2.exe
---------- C:\Windows\notepad.exe
---------- C:\Windows\notepad.exe
---------- C:\Windows\system32\NOTEPAD.EXE
---------- C:\Windows\system32\cmd.exe
---------- C:\Rooter$\RK.exe
----------------------\\ Search..
----------------------\\ ROOTKIT !!
----------------------\\ Cracks & Keygens..
1 - "C:\Rooter$\Rooter_1.txt" - 14/03/2009|17:21
----------------------\\ Scan completed at 17:21
ps. Straight after the malbytes scan i also did a ATF Cleaner (removed 51mb worth of stuff).
Edited by Hexzar, 17 March 2009 - 02:31 PM.