virtumonde hjt log



stressonthesky
2008-07-13, 20:59
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:57:18, on 13/07/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Users\Jane\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Acer\Acer VCM\acp2HID.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\wvUoOHxw.dll,#1
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Jane\AppData\Local\Temp\byXQKbxv.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Jane\AppData\Local\Temp\fccaWMcb.dll,c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [84bdc57b] rundll32.exe "C:\Users\Jane\AppData\Local\Temp\njtdudpj.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Acer VCM.lnk = ?
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Azada/Images/stg_drm.ocx
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab?e=1214076609642&h=fadc96a16eaae44d026b0cbe422c8c2a/&filename=jinstall-6u6-windows-i586-jc.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Azada/Images/armhelper.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Raw Socket Service (RS_Service) - Acer Inc. - C:\Program Files\Acer\Acer VCM\RS_Service.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12299 bytes

pskelley
2008-07-16, 16:51
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I apologize for the wait. I suggest you keep this computer offline except when troubleshooting; the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
This can be a tough infection to remove, so do not expect fast or easy.

Vista: Many tools that run on XP will not run on Vista, and we are still learning the Operating System (tough when you do not own one).
I'll do my best to help you clean your computer. If this works for you, proceed like this:

Let's give ComboFix a try first; it will usually run on Vista. Remember to run it as administrator.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Remove any old copies of ComboFix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double-click ComboFix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the ComboFix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

stressonthesky
2008-07-16, 21:04
ComboFix log
ComboFix 08-07-15.4 - Jane 2008-07-16 18:41:40.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1792 [GMT 1:00]
Running from: C:\Users\Jane\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Jane\AppData\Roaming\.#
C:\Users\Jane\AppData\Roaming\.#\MBX@1590@722990.###
C:\Users\Jane\AppData\Roaming\.#\MBX@1590@7229C0.###
C:\Users\Jane\AppData\Roaming\.#\MBX@1590@7229F0.###
C:\Users\Jane\AppData\Roaming\.#\MBX@DA0@1D02990.###
C:\Users\Jane\AppData\Roaming\.#\MBX@DA0@1D029C0.###
C:\Users\Jane\AppData\Roaming\.#\MBX@DA0@1D029F0.###
C:\Windows\system32\ACER.exe
C:\Windows\system32\byXQGwvu.dll
C:\Windows\system32\efcCuspn.dll
C:\Windows\system32\hgGwWpmk.dll
C:\Windows\system32\iifgGXop.dll
C:\Windows\system32\jkkHxVLc.dll
C:\Windows\system32\ljJCssPH.dll
C:\Windows\system32\qoMfCtrR.dll
C:\Windows\system32\qoMggFUK.dll
C:\Windows\system32\wvUoOHxw.dll
C:\Windows\system32\x64
C:\Windows\system32\yayXOFvV.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-16 to 2008-07-16 )))))))))))))))))))))))))))))))
.

2008-07-13 18:56 . 2008-07-13 18:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-11 23:04 . 2008-07-11 23:20 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-07-11 23:04 . 2008-07-11 23:20 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-07-11 23:04 . 2008-07-11 23:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-10 21:34 . 2008-07-10 21:34 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-07-10 20:52 . 2008-07-10 20:52 <DIR> d-------- C:\Users\Jane\AppData\Roaming\SpinTop
2008-07-10 18:14 . 2008-06-26 02:45 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-10 18:14 . 2008-06-26 02:45 2,644,480 --a------ C:\Windows\System32\NlsLexicons0009.dll
2008-07-10 18:13 . 2008-06-26 04:29 801,280 --a------ C:\Windows\System32\NaturalLanguage6.dll
2008-07-09 22:50 . 2008-07-09 22:50 <DIR> d-------- C:\Users\Jane\AppData\Roaming\Big Fish Games
2008-07-09 11:15 . 2008-04-26 09:25 3,600,952 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-07-09 11:15 . 2008-04-26 09:25 3,549,240 --a------ C:\Windows\System32\ntoskrnl.exe
2008-07-09 11:15 . 2008-04-26 09:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-07-09 11:15 . 2008-04-12 04:32 784,896 --a------ C:\Windows\System32\rpcrt4.dll
2008-07-09 11:15 . 2008-05-10 04:35 564,736 --a------ C:\Windows\System32\emdmgmt.dll
2008-07-09 11:15 . 2008-04-05 02:21 72,192 --a------ C:\Windows\System32\drivers\pacer.sys
2008-07-09 11:15 . 2008-04-05 04:34 15,360 --a------ C:\Windows\System32\pacerprf.dll
2008-07-09 11:13 . 2008-05-08 22:59 430,080 --a------ C:\Windows\System32\vbscript.dll
2008-07-09 11:13 . 2008-05-08 22:59 180,224 --a------ C:\Windows\System32\scrobj.dll
2008-07-09 11:13 . 2008-05-08 22:59 172,032 --a------ C:\Windows\System32\scrrun.dll
2008-07-09 11:13 . 2008-05-08 22:59 155,648 --a------ C:\Windows\System32\wscript.exe
2008-07-09 11:13 . 2008-05-08 22:58 135,168 --a------ C:\Windows\System32\wshom.ocx
2008-07-09 11:13 . 2008-05-08 22:58 135,168 --a------ C:\Windows\System32\cscript.exe
2008-07-09 11:13 . 2008-05-08 22:59 90,112 --a------ C:\Windows\System32\wshext.dll
2008-07-02 23:02 . 2008-07-02 23:02 <DIR> d-------- C:\Program Files\Veoh Networks
2008-07-02 23:01 . 2008-07-02 23:01 <DIR> d-------- C:\Windows\Downloaded Installations
2008-06-29 23:22 . 2008-07-16 18:43 <DIR> d-------- C:\Users\All Users\Kontiki
2008-06-29 23:22 . 2008-07-16 18:43 <DIR> d-------- C:\ProgramData\Kontiki
2008-06-29 23:22 . 2008-06-29 23:22 <DIR> d-------- C:\Program Files\Kontiki
2008-06-29 23:22 . 2008-06-29 23:22 <DIR> d-------- C:\Program Files\Channel4
2008-06-29 23:21 . 2008-06-29 23:21 <DIR> d-------- C:\Users\All Users\Channel4
2008-06-29 23:21 . 2008-06-29 23:21 <DIR> d-------- C:\ProgramData\Channel4
2008-06-23 16:23 . 2008-06-23 16:23 <DIR> d-------- C:\Users\All Users\PopCap Games
2008-06-23 16:23 . 2008-06-23 16:23 <DIR> d-------- C:\ProgramData\PopCap Games
2008-06-23 13:06 . 2008-06-23 13:06 <DIR> d-------- C:\Program Files\GamesBar
2008-06-23 12:48 . 2008-06-23 12:48 <DIR> d-------- C:\Users\Jane\AppData\Roaming\PlayFirst
2008-06-23 12:48 . 2008-06-23 12:48 <DIR> d-------- C:\Users\All Users\PlayFirst
2008-06-23 12:48 . 2008-06-23 12:48 <DIR> d-------- C:\ProgramData\PlayFirst
2008-06-21 20:32 . 2008-07-15 11:39 <DIR> d-------- C:\Users\Jane\AppData\Roaming\LimeWire
2008-06-21 20:32 . 2008-06-21 20:32 <DIR> d-------- C:\Program Files\Sun
2008-06-21 20:30 . 2008-06-21 20:31 <DIR> d-------- C:\Program Files\Java
2008-06-21 20:29 . 2008-06-21 20:29 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-21 20:27 . 2008-06-21 20:27 <DIR> d-------- C:\Program Files\LimeWire
2008-06-20 22:06 . 2008-06-20 22:06 <DIR> d-------- C:\Users\Jane\AppData\Roaming\CopyTrans
2008-06-20 22:05 . 2008-06-20 22:05 <DIR> d-------- C:\Program Files\WindSolutions
2008-06-20 22:04 . 2008-06-20 22:04 <DIR> d-------- C:\Users\Jane\AppData\Roaming\CopyTransControlCenter
2008-06-20 22:04 . 2008-06-20 22:05 <DIR> d-------- C:\Users\All Users\CopyTransControlCenter
2008-06-20 22:04 . 2008-06-20 22:05 <DIR> d-------- C:\ProgramData\CopyTransControlCenter
2008-06-17 20:56 . 2008-06-20 21:46 <DIR> d-------- C:\Users\Jane\AppData\Roaming\iPod Copy Expert
2008-06-16 22:13 . 2008-06-16 22:13 <DIR> d-------- C:\Program Files\Common Files\eSellerate
2008-06-16 19:42 . 2008-06-16 19:42 <DIR> dr------- C:\Windows\System32\config\systemprofile\Music
2008-06-16 19:22 . 2008-06-16 19:22 <DIR> d-------- C:\Users\Jane\AppData\Roaming\Apple Computer
2008-06-16 19:22 . 2008-06-16 19:22 <DIR> d-------- C:\Program Files\iTunes
2008-06-16 19:22 . 2008-06-16 19:22 <DIR> d-------- C:\Program Files\iPod
2008-06-16 19:21 . 2008-06-16 19:22 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-06-16 19:21 . 2008-06-16 19:22 <DIR> d-------- C:\ProgramData\Apple Computer
2008-06-16 19:21 . 2008-06-16 19:21 <DIR> d-------- C:\Program Files\QuickTime
2008-06-16 19:21 . 2008-06-16 19:21 <DIR> d-------- C:\Program Files\Bonjour
2008-06-16 19:21 . 2008-06-16 19:21 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-16 19:20 . 2008-06-16 19:20 <DIR> d-------- C:\Users\All Users\Apple
2008-06-16 19:20 . 2008-06-16 19:20 <DIR> d-------- C:\ProgramData\Apple
2008-06-16 19:20 . 2008-06-16 19:20 <DIR> d-------- C:\Program Files\Common Files\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-11 19:38 --------- d-----w C:\ProgramData\Microsoft Help
2008-07-11 19:38 --------- d-----w C:\Program Files\Windows Mail
2008-07-11 19:38 --------- d-----w C:\Program Files\Microsoft Works
2008-07-11 09:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-10 19:52 --------- d---a-w C:\ProgramData\TEMP
2008-07-02 22:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-30 20:48 --------- d-----w C:\Users\Jane\AppData\Roaming\CyberLink
2008-06-30 17:50 --------- d-----w C:\Program Files\Norton 360
2008-06-23 12:06 --------- d-----w C:\Program Files\Common Files\Oberon Media
2008-06-23 12:06 --------- d-----w C:\Program Files\Acer GameZone
2008-06-13 13:14 24,112 ----a-w C:\Windows\system32\drivers\SymIMV.sys
2008-06-13 13:14 13,093 ----a-w C:\Windows\system32\drivers\SymRedir.cat
2008-06-13 13:14 1,611 ----a-w C:\Windows\system32\drivers\SymRedir.inf
2008-06-13 13:13 96,432 ----a-w C:\Windows\system32\drivers\symfw.sys
2008-06-13 13:13 41,008 ----a-w C:\Windows\system32\drivers\symndisv.sys
2008-06-13 13:13 38,576 ----a-w C:\Windows\system32\drivers\symids.sys
2008-06-13 13:13 22,320 ----a-w C:\Windows\system32\drivers\symredrv.sys
2008-06-13 13:13 184,240 ----a-w C:\Windows\system32\drivers\symtdi.sys
2008-06-13 13:13 13,616 ----a-w C:\Windows\system32\drivers\symdns.sys
2008-06-04 19:57 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-06-04 18:19 --------- d-----w C:\Users\Jane\AppData\Roaming\FloodLightGames
2008-06-04 09:51 --------- d-----w C:\Users\Jane\AppData\Roaming\Acer
2008-06-04 09:38 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-04 09:38 --------- d-----w C:\Program Files\Windows Live
2008-06-04 09:29 --------- d-----w C:\ProgramData\WLInstaller
2008-06-04 09:24 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-06-04 09:24 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-06-04 09:24 10,671 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-06-04 09:24 --------- d-----w C:\ProgramData\Symantec
2008-06-04 09:24 --------- d-----w C:\Program Files\Symantec
2008-06-04 09:21 --------- d-----w C:\Users\Jane\AppData\Roaming\Symantec
2008-06-04 09:13 --------- d-----w C:\Program Files\MSXML 4.0
2008-06-01 11:40 0 ----a-w C:\Users\Jane\AppData\Roaming\wklnhst.dat
2008-04-26 08:08 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-04-25 04:35 826,880 ----a-w C:\Windows\System32\wininet.dll
2008-04-23 04:42 428,544 ----a-w C:\Windows\System32\EncDec.dll
2008-04-23 04:42 293,376 ----a-w C:\Windows\System32\psisdecd.dll
2008-01-21 02:43 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 11:00 39472 --a------ C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-21 03:23 1233920]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-06-19 15:15 3664944]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 03:25 202240]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2008-01-30 11:34 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-01-30 11:34 8501792]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-01-30 11:34 81920]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2008-01-24 03:28 102400]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 13:38 40048]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-01-03 10:55 521776]
"eAudio"="C:\Acer\Empowering Technology\eAudio\eAudio.exe" [2007-10-10 15:41 1286144]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-01-24 03:28 174616]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-01-24 03:25 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-01-24 03:25 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-01-24 03:25 133656]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2008-01-02 14:17 707080]
"PlayMovie"="C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2008-01-22 19:14 200704]
"PLFSet"="C:\Windows\PLFSet.dll" [2007-04-25 21:47 45056]
"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 21:48 57344]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 20:37 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 15:50 988512]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-24 03:29 4702208 C:\Windows\RtHDVCpl.exe]

C:\Users\Jane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-27 05:24:54 98632]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Acer VCM.lnk - C:\Program Files\Acer\Acer VCM\AcerVCM.exe [2008-03-16 00:34:00 1216512]
Empowering Technology Launcher.lnk - C:\Acer\Empowering Technology\eAPLauncher.exe [2008-02-06 02:34:28 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{1C49520E-CF7A-45F9-94E3-61052F6BD148}"= C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{792083B3-4EF9-494E-A573-9B30221BE5DE}"= C:\Program Files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician
"{70BCC102-8C2D-4097-926A-85B89F5C7E01}"= C:\Program Files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia
"{6A572296-3867-4960-AFB9-01CB537CE88C}"= C:\Program Files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard
"{2D951B47-AE68-4487-AB13-D9A810D20DFC}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B30C5C23-E916-4A13-8D81-B6733C0A5DCA}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{64A5FFAD-CCDC-4394-A0B1-2263F8B1D4F7}"= C:\Program Files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
"{BF9C87FE-07DA-43D0-960B-9728BF72EDFD}"= C:\Program Files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie
"{758AB80B-A059-45DD-9469-9919ED5F7AE0}"= C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program
"{AAEFCD8E-DDA4-467C-8848-6F6F42969989}"= C:\Program Files\Acer\Acer VCM\VC.exe:Acer VCM
"{97E4EA1C-0444-45D1-919B-BEAAA504515A}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{65B25890-0884-4011-9FC7-FAF6860ECFAB}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{CB911B85-7555-4DBB-8926-647F3C60B847}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{25F2690F-5B65-4715-8086-4E41DED02976}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{3EF61A7F-1057-48A2-AF46-8FD17B07632E}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{C6FDC690-CAAF-44EF-AA00-071453B3B1C7}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{5F0378A1-E6F9-4B49-84E4-EE02E042CDCF}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20080711.001\IDSvix86.sys [2008-05-12 23:55]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};C:\Program Files\Acer Arcade Deluxe\Play Movie\000.fcl [2008-01-25 08:41]
R2 ALaunchService;ALaunch Service;C:\Acer\ALaunch\ALaunchSvc.exe [2007-09-19 23:41]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-18 20:37]
R2 RS_Service;Raw Socket Service;C:\Program Files\Acer\Acer VCM\RS_Service.exe [2007-09-29 03:18]
R3 COH_Mon;COH_Mon;C:\Windows\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 14:13]
R3 winbondcir;Winbond IR Transceiver;C:\Windows\system32\DRIVERS\winbondcir.sys [2008-01-24 03:29]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2008-01-24 03:29]
S4 ErrDev;Microsoft Hardware Error Device Driver;C:\Windows\system32\drivers\errdev.sys [2008-01-21 03:23]
S4 MegaSR;MegaSR;C:\Windows\system32\drivers\megasr.sys [2008-01-21 03:23]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-07-15 21:37:15 C:\Windows\Tasks\User_Feed_Synchronization-{B593F204-7E08-4FE2-9816-EA5F30807B96}.job"
- C:\Windows\system32\msfeedssync.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-MSServer - C:\Windows\system32\wvUoOHxw.dll
HKLM-Run-eRecoveryService - (no file)
ShellExecuteHooks-{6CF0A05E-7D6B-4E00-B836-B3F23513657C} - C:\Windows\system32\wvUoOHxw.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-16 18:44:24
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-16 18:45:47
ComboFix-quarantined-files.txt 2008-07-16 17:45:28

Pre-Run: 75,791,589,376 bytes free
Post-Run: 75,667,038,208 bytes free

258 --- E O F --- 2008-07-15 22:12:33


hjt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:57:18, on 13/07/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Users\Jane\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Acer\Acer VCM\acp2HID.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\wvUoOHxw.dll,#1
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Jane\AppData\Local\Temp\byXQKbxv.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Jane\AppData\Local\Temp\fccaWMcb.dll,c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [84bdc57b] rundll32.exe "C:\Users\Jane\AppData\Local\Temp\njtdudpj.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Acer VCM.lnk = ?
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Azada/Images/stg_drm.ocx
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab?e=1214076609642&h=fadc96a16eaae44d026b0cbe422c8c2a/&filename=jinstall-6u6-windows-i586-jc.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Azada/Images/armhelper.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Raw Socket Service (RS_Service) - Acer Inc. - C:\Program Files\Acer\Acer VCM\RS_Service.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12299 bytes

pskelley
2008-07-16, 22:41
Thanks for returning your ComboFix log. Please follow the directions carefully and in the numbered order. Please understand that some instructions may vary for Vista, though I have done my best to adjust them.

1) We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
* On the left-hand side, click on Tools.
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Windows Vista: Click Start > Open Computer.
Press the ALT key.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

Notes for Windows Vista users from the tool creator:
On Windows Vista, "Windows Temp" is disabled; to empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".
Prefetch has been disabled on Windows Vista. As I'm not sure of the effects that emptying Prefetch on Windows Vista will have, for the time being I won't enable that function.

4) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\Windows\system32\wvUoOHxw.dll
C:\Users\Jane\AppData\Local\Temp\byXQKbxv.dll
C:\Users\Jane\AppData\Local\Temp\fccaWMcb.dll
C:\Users\Jane\AppData\Local\Temp\njtdudpj.dll

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log. (Wait until you finish to post the logs.)

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(items may be gone, removed by CFScript)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\wvUoOHxw.dll,#1
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Jane\AppData\Local\Temp\byXQKbxv.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Jane\AppData\Local\Temp\fccaWMcb.dll,c
O4 - HKCU\..\Run: [84bdc57b] rundll32.exe "C:\Users\Jane\AppData\Local\Temp\njtdudpj.dll",b
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

7) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the contents of that file, the ComboFix log from CFScript, and a new HJT log in your next reply.

Tell me how the computer is running now.

Thanks

I need your help with this item; Google gives me conflicting answers. I believe it is safe and valid but I want to be sure.
Scan the file in red here: http://virusscan.jotti.org/ and post the results for me to view.
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
http://www.google.com/search?hl=en&q=PLFSet.dll&btnG=Search
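
As an added example (not part of this thread, and not code from HijackThis, ComboFix or any other tool named in it), here is the triage the helper did by eye, written out in Python over the O4 lines of the posted log: parse each rundll32 launch, score the DLL on where it lives and how it is entered, and emit the ComboFix File:: block for the high-confidence hits. The sample lines are copied from the HijackThis log above; the HIGH/LOW indicators, the thresholds in name_looks_random and the "trusted directory" list are assumptions of this example, not anything the tools themselves do.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: eight O4 lines copied from the HijackThis log posted in
# this thread. A real run would read them from a saved HijackThis log instead.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\wvUoOHxw.dll,#1
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Jane\AppData\Local\Temp\byXQKbxv.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Jane\AppData\Local\Temp\fccaWMcb.dll,c
O4 - HKCU\..\Run: [84bdc57b] rundll32.exe "C:\Users\Jane\AppData\Local\Temp\njtdudpj.dll",b
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

# HijackThis layout: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32[.exe] <dll>[,<entry point>]; the DLL path may be quoted
RUNDLL_RE = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,]+?\.dll))(?:,(?P<entry>\S+))?',
    re.IGNORECASE,
)
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\local settings\\temp\\", "\\windows\\temp\\")
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")

@dataclass
class Finding:
    hive: str
    value: str
    dll: str
    entry: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Only a HIGH indicator justifies deletion; LOW ones ask for a second look.
        if any(r.startswith("HIGH") for r in self.reasons):
            return "remove"
        return "review" if self.reasons else "ok"

def in_temp_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in TEMP_MARKERS)

def in_trusted_dir(path: str) -> bool:
    # A bare file name resolves through the loader search path; treated like System32 here.
    low = path.lower()
    return "\\" not in low or low.startswith(TRUSTED_PREFIXES)

def entry_is_suspicious(entry: Optional[str]) -> bool:
    # Vendors export descriptive names (NvTaskbarInit); Vundo loaders use an ordinal or one letter.
    return entry is not None and (re.fullmatch(r"#\d+", entry) is not None or len(entry) == 1)

def name_looks_random(stem: str) -> bool:
    # Eight letters with many case flips or almost no vowels (wvUoOHxw, njtdudpj).
    # Weak on its own, so it only ever contributes a LOW indicator.
    if len(stem) != 8 or not stem.isalpha():
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    vowels = sum(1 for ch in stem.lower() if ch in "aeiou")
    return flips >= 2 or vowels <= 1

def analyse(lines) -> List[Finding]:
    # Score every rundll32 launch among the O4 lines; other O4 forms are skipped.
    findings = []
    for line in lines:
        o4 = O4_RE.match(line.strip())
        run = RUNDLL_RE.match(o4["cmd"]) if o4 else None
        if not run:
            continue
        dll, entry = run["qdll"] or run["dll"], run["entry"]
        f = Finding(o4["hive"], o4["name"], dll, entry)
        if in_temp_dir(dll):
            f.reasons.append("HIGH: DLL lives in a user-writable Temp directory")
        if entry_is_suspicious(entry):
            f.reasons.append(f"HIGH: entry point {entry!r} is an ordinal or a single letter")
        if name_looks_random(dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]):
            f.reasons.append("LOW: file name looks machine-generated")
        if not in_trusted_dir(dll):
            f.reasons.append("LOW: DLL is outside System32 and Program Files")
        findings.append(f)
    return findings

def to_cfscript(findings: List[Finding]) -> str:
    # ComboFix 'File::' block listing each 'remove' DLL once, in log order.
    paths: List[str] = []
    for f in findings:
        if f.verdict == "remove" and f.dll not in paths:
            paths.append(f.dll)
    return "File::\n" + "\n".join(paths) + "\n"

if __name__ == "__main__":
    results = analyse(SAMPLE_O4_LINES.strip().splitlines())
    for f in results:
        print(f"{f.verdict:6} {f.dll}  " + "; ".join(f.reasons))
    print(to_cfscript(results))
```

Run as-is, the four Vundo loaders come back as remove and the File:: block matches the one the helper wrote by hand, because each of them either sits in the user's Temp directory or is entered by ordinal (#1) or a single letter; Vundo's file names are random per infection, so path and entry point are the indicators worth keying on, not the names. NvMcTray.dll (an 8-letter mixed-case name, but in System32 with a descriptive export) and PLFSet.dll (a sensible export, but sitting in C:\Windows rather than System32) come back as review only, which is the same call the helper made in asking for a Jotti scan of PLFSet.dll rather than deleting it. Deleting the files leaves the Run values pointing at nothing, which is why the HJT "Fix checked" step still removes the O4 lines. One more check worth making once the machine is clean: the ComboFix output earlier in the thread shows EnableFirewall = 0 for both the Public and Standard profiles, so the Windows Firewall is currently off in every profile.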

stressonthesky
2008-07-17, 00:18
hjt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:57:18, on 13/07/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Users\Jane\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Acer\Acer VCM\acp2HID.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\wvUoOHxw.dll,#1
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Jane\AppData\Local\Temp\byXQKbxv.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Jane\AppData\Local\Temp\fccaWMcb.dll,c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [84bdc57b] rundll32.exe "C:\Users\Jane\AppData\Local\Temp\njtdudpj.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Acer VCM.lnk = ?
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Azada/Images/stg_drm.ocx
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab?e=1214076609642&h=fadc96a16eaae44d026b0cbe422c8c2a/&filename=jinstall-6u6-windows-i586-jc.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Azada/Images/armhelper.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Raw Socket Service (RS_Service) - Acer Inc. - C:\Program Files\Acer\Acer VCM\RS_Service.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12299 bytes


combofix log

ComboFix 08-07-15.4 - Jane 2008-07-16 21:30:48.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1752 [GMT 1:00]
Running from: C:\Users\Jane\Desktop\ComboFix.exe
Command switches used :: C:\Users\Jane\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Users\Jane\AppData\Local\Temp\byXQKbxv.dll
C:\Users\Jane\AppData\Local\Temp\fccaWMcb.dll
C:\Users\Jane\AppData\Local\Temp\njtdudpj.dll
C:\Windows\system32\wvUoOHxw.dll
.

((((((((((((((((((((((((( Files Created from 2008-06-16 to 2008-07-16 )))))))))))))))))))))))))))))))
.

2008-07-13 18:56 . 2008-07-13 18:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-11 23:04 . 2008-07-11 23:20 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-07-11 23:04 . 2008-07-11 23:20 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-07-11 23:04 . 2008-07-11 23:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-10 21:34 . 2008-07-10 21:34 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-07-10 20:52 . 2008-07-10 20:52 <DIR> d-------- C:\Users\Jane\AppData\Roaming\SpinTop
2008-07-10 18:14 . 2008-06-26 02:45 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-10 18:14 . 2008-06-26 02:45 2,644,480 --a------ C:\Windows\System32\NlsLexicons0009.dll
2008-07-10 18:13 . 2008-06-26 04:29 801,280 --a------ C:\Windows\System32\NaturalLanguage6.dll
2008-07-09 22:50 . 2008-07-09 22:50 <DIR> d-------- C:\Users\Jane\AppData\Roaming\Big Fish Games
2008-07-09 11:15 . 2008-04-26 09:25 3,600,952 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-07-09 11:15 . 2008-04-26 09:25 3,549,240 --a------ C:\Windows\System32\ntoskrnl.exe
2008-07-09 11:15 . 2008-04-26 09:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-07-09 11:15 . 2008-04-12 04:32 784,896 --a------ C:\Windows\System32\rpcrt4.dll
2008-07-09 11:15 . 2008-05-10 04:35 564,736 --a------ C:\Windows\System32\emdmgmt.dll
2008-07-09 11:15 . 2008-04-05 02:21 72,192 --a------ C:\Windows\System32\drivers\pacer.sys
2008-07-09 11:15 . 2008-04-05 04:34 15,360 --a------ C:\Windows\System32\pacerprf.dll
2008-07-09 11:13 . 2008-05-08 22:59 430,080 --a------ C:\Windows\System32\vbscript.dll
2008-07-09 11:13 . 2008-05-08 22:59 180,224 --a------ C:\Windows\System32\scrobj.dll
2008-07-09 11:13 . 2008-05-08 22:59 172,032 --a------ C:\Windows\System32\scrrun.dll
2008-07-09 11:13 . 2008-05-08 22:59 155,648 --a------ C:\Windows\System32\wscript.exe
2008-07-09 11:13 . 2008-05-08 22:58 135,168 --a------ C:\Windows\System32\wshom.ocx
2008-07-09 11:13 . 2008-05-08 22:58 135,168 --a------ C:\Windows\System32\cscript.exe
2008-07-09 11:13 . 2008-05-08 22:59 90,112 --a------ C:\Windows\System32\wshext.dll
2008-07-02 23:02 . 2008-07-02 23:02 <DIR> d-------- C:\Program Files\Veoh Networks
2008-07-02 23:01 . 2008-07-02 23:01 <DIR> d-------- C:\Windows\Downloaded Installations
2008-06-29 23:22 . 2008-07-16 21:32 <DIR> d-------- C:\Users\All Users\Kontiki
2008-06-29 23:22 . 2008-07-16 21:32 <DIR> d-------- C:\ProgramData\Kontiki
2008-06-29 23:22 . 2008-06-29 23:22 <DIR> d-------- C:\Program Files\Kontiki
2008-06-29 23:22 . 2008-06-29 23:22 <DIR> d-------- C:\Program Files\Channel4
2008-06-29 23:21 . 2008-06-29 23:21 <DIR> d-------- C:\Users\All Users\Channel4
2008-06-29 23:21 . 2008-06-29 23:21 <DIR> d-------- C:\ProgramData\Channel4
2008-06-23 16:23 . 2008-06-23 16:23 <DIR> d-------- C:\Users\All Users\PopCap Games
2008-06-23 16:23 . 2008-06-23 16:23 <DIR> d-------- C:\ProgramData\PopCap Games
2008-06-23 13:06 . 2008-06-23 13:06 <DIR> d-------- C:\Program Files\GamesBar
2008-06-23 12:48 . 2008-06-23 12:48 <DIR> d-------- C:\Users\Jane\AppData\Roaming\PlayFirst
2008-06-23 12:48 . 2008-06-23 12:48 <DIR> d-------- C:\Users\All Users\PlayFirst
2008-06-23 12:48 . 2008-06-23 12:48 <DIR> d-------- C:\ProgramData\PlayFirst
2008-06-21 20:32 . 2008-07-15 11:39 <DIR> d-------- C:\Users\Jane\AppData\Roaming\LimeWire
2008-06-21 20:32 . 2008-06-21 20:32 <DIR> d-------- C:\Program Files\Sun
2008-06-21 20:30 . 2008-06-21 20:31 <DIR> d-------- C:\Program Files\Java
2008-06-21 20:29 . 2008-06-21 20:29 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-21 20:27 . 2008-06-21 20:27 <DIR> d-------- C:\Program Files\LimeWire
2008-06-20 22:06 . 2008-06-20 22:06 <DIR> d-------- C:\Users\Jane\AppData\Roaming\CopyTrans
2008-06-20 22:05 . 2008-06-20 22:05 <DIR> d-------- C:\Program Files\WindSolutions
2008-06-20 22:04 . 2008-06-20 22:04 <DIR> d-------- C:\Users\Jane\AppData\Roaming\CopyTransControlCenter
2008-06-20 22:04 . 2008-06-20 22:05 <DIR> d-------- C:\Users\All Users\CopyTransControlCenter
2008-06-20 22:04 . 2008-06-20 22:05 <DIR> d-------- C:\ProgramData\CopyTransControlCenter
2008-06-17 20:56 . 2008-06-20 21:46 <DIR> d-------- C:\Users\Jane\AppData\Roaming\iPod Copy Expert
2008-06-16 22:13 . 2008-06-16 22:13 <DIR> d-------- C:\Program Files\Common Files\eSellerate
2008-06-16 19:42 . 2008-06-16 19:42 <DIR> dr------- C:\Windows\System32\config\systemprofile\Music
2008-06-16 19:22 . 2008-06-16 19:22 <DIR> d-------- C:\Users\Jane\AppData\Roaming\Apple Computer
2008-06-16 19:22 . 2008-06-16 19:22 <DIR> d-------- C:\Program Files\iTunes
2008-06-16 19:22 . 2008-06-16 19:22 <DIR> d-------- C:\Program Files\iPod
2008-06-16 19:21 . 2008-06-16 19:22 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-06-16 19:21 . 2008-06-16 19:22 <DIR> d-------- C:\ProgramData\Apple Computer
2008-06-16 19:21 . 2008-06-16 19:21 <DIR> d-------- C:\Program Files\QuickTime
2008-06-16 19:21 . 2008-06-16 19:21 <DIR> d-------- C:\Program Files\Bonjour
2008-06-16 19:21 . 2008-06-16 19:21 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-16 19:20 . 2008-06-16 19:20 <DIR> d-------- C:\Users\All Users\Apple
2008-06-16 19:20 . 2008-06-16 19:20 <DIR> d-------- C:\ProgramData\Apple
2008-06-16 19:20 . 2008-06-16 19:20 <DIR> d-------- C:\Program Files\Common Files\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-11 19:38 --------- d-----w C:\ProgramData\Microsoft Help
2008-07-11 19:38 --------- d-----w C:\Program Files\Windows Mail
2008-07-11 19:38 --------- d-----w C:\Program Files\Microsoft Works
2008-07-11 09:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-10 19:52 --------- d---a-w C:\ProgramData\TEMP
2008-07-02 22:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-30 20:48 --------- d-----w C:\Users\Jane\AppData\Roaming\CyberLink
2008-06-30 17:50 --------- d-----w C:\Program Files\Norton 360
2008-06-23 12:06 --------- d-----w C:\Program Files\Common Files\Oberon Media
2008-06-23 12:06 --------- d-----w C:\Program Files\Acer GameZone
2008-06-13 13:14 24,112 ----a-w C:\Windows\system32\drivers\SymIMV.sys
2008-06-13 13:14 13,093 ----a-w C:\Windows\system32\drivers\SymRedir.cat
2008-06-13 13:14 1,611 ----a-w C:\Windows\system32\drivers\SymRedir.inf
2008-06-13 13:13 96,432 ----a-w C:\Windows\system32\drivers\symfw.sys
2008-06-13 13:13 41,008 ----a-w C:\Windows\system32\drivers\symndisv.sys
2008-06-13 13:13 38,576 ----a-w C:\Windows\system32\drivers\symids.sys
2008-06-13 13:13 22,320 ----a-w C:\Windows\system32\drivers\symredrv.sys
2008-06-13 13:13 184,240 ----a-w C:\Windows\system32\drivers\symtdi.sys
2008-06-13 13:13 13,616 ----a-w C:\Windows\system32\drivers\symdns.sys
2008-06-04 19:57 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-06-04 18:19 --------- d-----w C:\Users\Jane\AppData\Roaming\FloodLightGames
2008-06-04 09:51 --------- d-----w C:\Users\Jane\AppData\Roaming\Acer
2008-06-04 09:38 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-04 09:38 --------- d-----w C:\Program Files\Windows Live
2008-06-04 09:29 --------- d-----w C:\ProgramData\WLInstaller
2008-06-04 09:24 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-06-04 09:24 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-06-04 09:24 10,671 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-06-04 09:24 --------- d-----w C:\ProgramData\Symantec
2008-06-04 09:24 --------- d-----w C:\Program Files\Symantec
2008-06-04 09:21 --------- d-----w C:\Users\Jane\AppData\Roaming\Symantec
2008-06-04 09:13 --------- d-----w C:\Program Files\MSXML 4.0
2008-06-01 11:40 0 ----a-w C:\Users\Jane\AppData\Roaming\wklnhst.dat
2008-04-26 08:08 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-04-25 04:35 826,880 ----a-w C:\Windows\System32\wininet.dll
2008-04-23 04:42 428,544 ----a-w C:\Windows\System32\EncDec.dll
2008-04-23 04:42 293,376 ----a-w C:\Windows\System32\psisdecd.dll
2008-01-21 02:43 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((( snapshot@2008-07-16_18.44.52.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-16 17:30:25 51,200 ----a-w C:\Windows\inf\infpub.dat
+ 2008-07-16 20:30:24 51,200 ----a-w C:\Windows\inf\infpub.dat
- 2008-07-16 17:30:25 143,360 ----a-w C:\Windows\inf\infstrng.dat
+ 2008-07-16 20:30:24 143,360 ----a-w C:\Windows\inf\infstrng.dat
- 2008-07-16 17:27:30 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-07-16 20:17:28 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-07-16 17:27:30 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-07-16 20:17:28 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-07-16 17:29:06 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-07-16 20:19:08 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-07-16 20:19:08 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-07-16 17:29:01 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-07-16 20:19:03 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-07-16 20:19:03 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-07-16 17:27:30 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-07-16 20:17:33 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-07-16 17:27:30 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-16 20:17:33 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-16 17:27:30 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-07-16 20:17:33 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-16 17:35:11 105,852 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-07-16 20:24:26 105,852 ----a-w C:\Windows\System32\perfc009.dat
- 2008-07-16 17:35:11 600,378 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-07-16 20:24:27 600,378 ----a-w C:\Windows\System32\perfh009.dat
- 2008-07-16 17:29:31 8,548 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2588065996-3365791777-504432143-1000_UserData.bin
+ 2008-07-16 20:19:31 8,556 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2588065996-3365791777-504432143-1000_UserData.bin
- 2008-07-16 17:29:31 85,456 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-07-16 20:19:31 85,884 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-07-16 17:29:28 54,098 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-07-16 20:19:30 54,286 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 11:00 39472 --a------ C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-21 03:23 1233920]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-06-19 15:15 3664944]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 03:25 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2008-01-30 11:34 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-01-30 11:34 8501792]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-01-30 11:34 81920]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2008-01-24 03:28 102400]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 13:38 40048]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-01-03 10:55 521776]
"eAudio"="C:\Acer\Empowering Technology\eAudio\eAudio.exe" [2007-10-10 15:41 1286144]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-01-24 03:28 174616]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-01-24 03:25 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-01-24 03:25 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-01-24 03:25 133656]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2008-01-02 14:17 707080]
"PlayMovie"="C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2008-01-22 19:14 200704]
"PLFSet"="C:\Windows\PLFSet.dll" [2007-04-25 21:47 45056]
"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 21:48 57344]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 20:37 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 15:50 988512]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-24 03:29 4702208 C:\Windows\RtHDVCpl.exe]

C:\Users\Jane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-27 05:24:54 98632]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Acer VCM.lnk - C:\Program Files\Acer\Acer VCM\AcerVCM.exe [2008-03-16 00:34:00 1216512]
Empowering Technology Launcher.lnk - C:\Acer\Empowering Technology\eAPLauncher.exe [2008-02-06 02:34:28 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{1C49520E-CF7A-45F9-94E3-61052F6BD148}"= C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{792083B3-4EF9-494E-A573-9B30221BE5DE}"= C:\Program Files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician
"{70BCC102-8C2D-4097-926A-85B89F5C7E01}"= C:\Program Files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia
"{6A572296-3867-4960-AFB9-01CB537CE88C}"= C:\Program Files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard
"{2D951B47-AE68-4487-AB13-D9A810D20DFC}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B30C5C23-E916-4A13-8D81-B6733C0A5DCA}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{64A5FFAD-CCDC-4394-A0B1-2263F8B1D4F7}"= C:\Program Files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
"{BF9C87FE-07DA-43D0-960B-9728BF72EDFD}"= C:\Program Files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie
"{758AB80B-A059-45DD-9469-9919ED5F7AE0}"= C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program
"{AAEFCD8E-DDA4-467C-8848-6F6F42969989}"= C:\Program Files\Acer\Acer VCM\VC.exe:Acer VCM
"{97E4EA1C-0444-45D1-919B-BEAAA504515A}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{65B25890-0884-4011-9FC7-FAF6860ECFAB}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{CB911B85-7555-4DBB-8926-647F3C60B847}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{25F2690F-5B65-4715-8086-4E41DED02976}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{3EF61A7F-1057-48A2-AF46-8FD17B07632E}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{C6FDC690-CAAF-44EF-AA00-071453B3B1C7}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{5F0378A1-E6F9-4B49-84E4-EE02E042CDCF}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20080711.001\IDSvix86.sys [2008-05-12 23:55]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};C:\Program Files\Acer Arcade Deluxe\Play Movie\000.fcl [2008-01-25 08:41]
R2 ALaunchService;ALaunch Service;C:\Acer\ALaunch\ALaunchSvc.exe [2007-09-19 23:41]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-18 20:37]
R2 RS_Service;Raw Socket Service;C:\Program Files\Acer\Acer VCM\RS_Service.exe [2007-09-29 03:18]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 14:13]
R3 winbondcir;Winbond IR Transceiver;C:\Windows\system32\DRIVERS\winbondcir.sys [2008-01-24 03:29]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2008-01-24 03:29]
S3 COH_Mon;COH_Mon;C:\Windows\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S4 ErrDev;Microsoft Hardware Error Device Driver;C:\Windows\system32\drivers\errdev.sys [2008-01-21 03:23]
S4 MegaSR;MegaSR;C:\Windows\system32\drivers\megasr.sys [2008-01-21 03:23]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-15 21:37:15 C:\Windows\Tasks\User_Feed_Synchronization-{B593F204-7E08-4FE2-9816-EA5F30807B96}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-16 21:33:20
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-16 21:34:54
ComboFix-quarantined-files.txt 2008-07-16 20:34:25
ComboFix2.txt 2008-07-16 17:45:47

Pre-Run: 76,947,083,264 bytes free
Post-Run: 76,917,846,016 bytes free

271 --- E O F --- 2008-07-15 22:12:33


mwb log

Malwarebytes' Anti-Malware 1.20
Database version: 960
Windows 6.0.6001 Service Pack 1

22:14:14 16/07/2008
mbam-log-7-16-2008 (22-14-14).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 128707
Time elapsed: 25 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.



My computer is now running fine, thank you!

stressonthesky
2008-07-17, 00:19
I also checked that file and it said nothing was found.

pskelley
2008-07-17, 00:36
Thanks for returning your information and the feedback. I thought that file was OK, but best to check. You posted the same HJT log twice; please post a new HJT log that was run after CFScript.

Thanks

tashi
2008-07-22, 20:21
stressonthesky, this topic has been archived due to inactivity.

As it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread.