View Full Version : blocked from safer-networking.org and kapersky updates
I seem to be blocked from safer-networking.org and kapersky database updates. Ad-aware can't update either.
I've manually updated spybot s&d and scanned. It only found a couple infections. Zlob trojan was one of them.
I still can't update any or see safer-networking.
host file is normal.
My dns was redirected, i believe i reset it to 4.2.2.1 temporarily. (Until the problem is resolved, then i'll go back to obtaining automatically.)
HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:00 AM, on 01/02/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
D:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\gerwen\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ERUNT\ERUNT.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ycomp/defaults/sp/*http://ca.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.ca.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.ca.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.ca.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ALaunch] C:\Acer\ALaunch\AlaunchClient.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [LanguageShortcut] "D:\program files\cyberlink\powerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [AVP] "d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\Windows\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{603D9702-23B6-4B54-8A14-05F35CD2A537}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE8ABFF2-E5E7-4193-8078-F16CAB3B579F}: NameServer = 4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: eNetHook.dll,d:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: AdeonaClientService - Unknown owner - C:\Program Files\Adeona\cygrunsrv.exe
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 10922 bytes
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
µTorrent
I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Delete these folders afterwards:
C:\Program Files\uTorrent
Empty Recycle Bin.
After that:
Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized, if not you'll find it in c:\rsit folder)
Thanks for the help.
log.txt
Logfile of random's system information tool 1.05 (written by random/random)
Run by gerwen at 2009-02-05 06:37:35
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 23 GB (33%) free of 71 GB
Total RAM: 2046 MB (48% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:47 AM, on 05/02/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
D:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\gerwen\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
I:\RECYCLER\S-6-1-68-100002912-100009968-100016372-6644.com
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\gerwen\Desktop\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\gerwen.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.ca.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.ca.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.ca.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ALaunch] C:\Acer\ALaunch\AlaunchClient.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [LanguageShortcut] "D:\program files\cyberlink\powerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [AVP] "d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\Windows\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{603D9702-23B6-4B54-8A14-05F35CD2A537}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE8ABFF2-E5E7-4193-8078-F16CAB3B579F}: NameServer = 4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: eNetHook.dll,d:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: AdeonaClientService - Unknown owner - C:\Program Files\Adeona\cygrunsrv.exe
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 10628 bytes
======Scheduled tasks folder======
C:\Windows\tasks\Ad-Aware Update (Weekly).job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}]
ShowBarObj Class - C:\Windows\system32\ActiveToolBand.dll [2007-04-12 299008]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2009-01-15 657904]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - Acer eDataSecurity Management - C:\Windows\system32\eDStoolbar.dll [2007-04-12 151552]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2007-05-09 865840]
"ALaunch"=C:\Acer\ALaunch\AlaunchClient.exe []
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-05-10 4468736]
"PLFSet"=C:\Windows\PLFSet.dll [2007-03-09 45056]
"Skytel"=C:\Windows\Skytel.exe [2007-05-07 1826816]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2007-02-12 174872]
"SetPanel"=C:\Acer\APanel\APanel.cmd []
"LanguageShortcut"=D:\program files\cyberlink\powerDVD\Language\Language.exe [2007-10-11 62760]
"LManager"=C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE [2007-05-04 502544]
"AVP"=d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe [2007-06-28 218376]
"NvSvc"=C:\Windows\system32\nvsvc.dll [2008-01-11 86016]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2008-01-11 8501792]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2008-01-11 81920]
"USB2Check"=C:\Windows\system32\PCLECoInst.dll [2006-11-06 81920]
"Windows Mobile-based device management"=C:\Windows\WindowsMobile\wmdSync.exe [2006-11-02 215552]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe []
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"Ad-Watch"=C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2009-01-18 506712]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-19 1233920]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-03-14 486856]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="eNetHook.dll,d:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
C:\Windows\system32\klogon.dll [2007-06-28 206088]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"LogonHoursAction"=2
"DontDisplayLogonHoursWarnings"=1
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe"="C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe"="C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29e5e048-c064-11dd-8455-001b2464df4f}]
shell\AutoRun\command - G:\LiteAuto.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a8c4ef6-25bd-11dd-8e36-c1fdc292d7b1}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL I:\RECYCLER\S-6-1-68-100002912-100009968-100016372-6644.com i:\
shell\Open\command - I:\RECYCLER\S-6-1-68-100002912-100009968-100016372-6644.com i:\
======List of files/folders created in the last 3 months======
2009-02-05 06:37:35 ----D---- C:\rsit
2009-02-01 11:00:27 ----D---- C:\Program Files\Trend Micro
2009-02-01 10:58:59 ----D---- C:\Windows\ERDNT
2009-02-01 10:58:31 ----D---- C:\Program Files\ERUNT
2009-02-01 09:26:47 ----SHD---- C:\Config.Msi
2009-02-01 09:20:40 ----D---- C:\fixwareout
2009-01-31 13:29:54 ----A---- C:\Windows\system32\lsdelete.exe
2009-01-31 13:17:45 ----A---- C:\Windows\ntbtlog.txt
2009-01-31 13:14:28 ----D---- C:\ProgramData\Lavasoft
2009-01-31 13:14:28 ----D---- C:\Program Files\Lavasoft
2009-01-31 13:13:53 ----HDC---- C:\ProgramData\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-31 12:51:36 ----D---- C:\ProgramData\Spybot - Search & Destroy
2009-01-31 12:51:36 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-01-24 14:26:08 ----D---- C:\RECYCLER
2009-01-10 14:29:06 ----D---- C:\Program Files\Skyhook Wireless
2009-01-08 06:34:09 ----D---- C:\Users\gerwen\AppData\Roaming\iTSfv
2009-01-06 06:29:00 ----D---- C:\ProgramData\Last.fm
2009-01-06 06:26:46 ----D---- C:\Program Files\Last.fm
2009-01-03 13:21:05 ----A---- C:\Windows\DelToolbox.bat
2009-01-02 16:04:48 ----D---- C:\Program Files\Bonjour
2009-01-02 16:03:17 ----D---- C:\Program Files\iPod
2009-01-02 16:03:16 ----D---- C:\ProgramData\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-02 16:03:16 ----D---- C:\Program Files\iTunes
2009-01-02 16:00:41 ----D---- C:\Program Files\QuickTime
2009-01-01 20:37:03 ----D---- C:\Program Files\Common Files\SWF Studio
2008-12-30 17:06:45 ----D---- C:\Program Files\iGain
2008-12-19 03:17:17 ----A---- C:\Windows\system32\mshtml.dll
2008-12-17 16:28:10 ----D---- C:\Program Files\Common Files\Skype
2008-12-12 11:18:16 ----A---- C:\Windows\system32\dns-sd.exe
2008-12-12 11:11:46 ----A---- C:\Windows\system32\dnssd.dll
2008-12-12 03:03:37 ----A---- C:\Windows\system32\tzres.dll
2008-12-11 14:11:03 ----A---- C:\Windows\system32\Apphlpdm.dll
2008-12-11 14:11:02 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2008-12-11 14:10:59 ----A---- C:\Windows\system32\gdi32.dll
2008-12-11 14:10:44 ----A---- C:\Windows\system32\shell32.dll
2008-12-11 14:10:32 ----A---- C:\Windows\system32\urlmon.dll
2008-12-11 14:10:31 ----A---- C:\Windows\system32\ieframe.dll
2008-12-11 14:10:30 ----A---- C:\Windows\system32\wininet.dll
2008-12-11 14:10:28 ----A---- C:\Windows\system32\mstime.dll
2008-12-11 14:10:27 ----A---- C:\Windows\system32\iertutil.dll
2008-12-11 14:10:26 ----A---- C:\Windows\system32\jsproxy.dll
2008-12-11 14:10:20 ----A---- C:\Windows\explorer.exe
2008-12-11 14:10:16 ----A---- C:\Windows\system32\mf.dll
2008-12-11 14:10:15 ----A---- C:\Windows\system32\WMVCORE.DLL
2008-12-11 14:10:14 ----A---- C:\Windows\system32\WMNetMgr.dll
2008-12-11 14:10:14 ----A---- C:\Windows\system32\logagent.exe
2008-12-07 03:01:19 ----D---- C:\Windows\SQL9_KB948109_ENU
2008-12-06 17:24:19 ----SHDC---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-12-06 17:23:56 ----D---- C:\Program Files\Windows Live
2008-12-06 17:23:14 ----D---- C:\ProgramData\WLInstaller
2008-12-04 18:45:42 ----D---- C:\ProgramData\Novatel Wireless
2008-12-03 18:35:04 ----D---- C:\Users\gerwen\AppData\Roaming\TeraCopy
2008-12-03 18:35:01 ----D---- C:\Program Files\TeraCopy
2008-11-29 08:32:35 ----A---- C:\Windows\system32\wups2.dll
2008-11-29 08:32:35 ----A---- C:\Windows\system32\wucltux.dll
2008-11-29 08:32:35 ----A---- C:\Windows\system32\wuaueng.dll
2008-11-29 08:32:35 ----A---- C:\Windows\system32\wuauclt.exe
2008-11-29 08:32:14 ----A---- C:\Windows\system32\wups.dll
2008-11-29 08:32:14 ----A---- C:\Windows\system32\wudriver.dll
2008-11-29 08:32:14 ----A---- C:\Windows\system32\wuapi.dll
2008-11-29 08:32:00 ----A---- C:\Windows\system32\wuwebv.dll
2008-11-29 08:32:00 ----A---- C:\Windows\system32\wuapp.exe
2008-11-26 06:51:22 ----A---- C:\Windows\system32\PortableDeviceApi.dll
2008-11-26 06:51:19 ----A---- C:\Windows\system32\WindowsCodecsExt.dll
2008-11-26 06:51:19 ----A---- C:\Windows\system32\WindowsCodecs.dll
2008-11-26 06:51:19 ----A---- C:\Windows\system32\PhotoMetadataHandler.dll
2008-11-26 06:51:15 ----A---- C:\Windows\system32\connect.dll
2008-11-12 06:21:12 ----A---- C:\Windows\system32\msxml3.dll
2008-11-12 06:21:10 ----A---- C:\Windows\system32\msxml6.dll
======List of files/folders modified in the last 3 months======
2009-02-05 06:37:46 ----D---- C:\Windows\Prefetch
2009-02-05 06:37:37 ----D---- C:\Windows\Temp
2009-02-05 06:35:45 ----RD---- C:\Program Files
2009-02-05 06:34:04 ----D---- C:\Users\gerwen\AppData\Roaming\uTorrent
2009-02-03 09:52:48 ----SHD---- C:\System Volume Information
2009-02-03 09:12:01 ----D---- C:\ProgramData\Google Updater
2009-02-01 19:56:44 ----D---- C:\ProgramData\Kaspersky Lab
2009-02-01 19:40:15 ----D---- C:\Users\gerwen\AppData\Roaming\foobar2000
2009-02-01 17:23:08 ----D---- C:\Windows\Minidump
2009-02-01 17:22:43 ----D---- C:\Windows
2009-02-01 10:49:58 ----D---- C:\Users\gerwen\AppData\Roaming\Skype
2009-02-01 09:31:40 ----HD---- C:\ProgramData
2009-02-01 09:31:40 ----D---- C:\Program Files\Google
2009-02-01 09:30:11 ----SHD---- C:\Windows\Installer
2009-02-01 09:29:54 ----D---- C:\Program Files\Common Files
2009-02-01 09:29:40 ----D---- C:\Windows\System32
2009-02-01 09:27:40 ----D---- C:\Program Files\Java
2009-02-01 09:27:13 ----D---- C:\Windows\system32\drivers
2009-02-01 08:59:05 ----D---- C:\Users\gerwen\AppData\Roaming\skypePM
2009-01-31 13:15:19 ----D---- C:\Windows\Tasks
2009-01-31 13:15:19 ----D---- C:\Windows\system32\Tasks
2009-01-31 13:15:08 ----DC---- C:\Windows\system32\DRVSTORE
2009-01-31 13:15:08 ----D---- C:\Windows\system32\catroot
2009-01-31 13:14:24 ----D---- C:\Windows\winsxs
2009-01-31 12:48:53 ----D---- C:\Program Files\Loonies
2009-01-31 12:48:06 ----D---- C:\Program Files\Mozilla Thunderbird
2009-01-28 16:19:19 ----D---- C:\Windows\inf
2009-01-28 16:19:19 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-01-27 19:15:04 ----D---- C:\Program Files\MP3Gain
2009-01-24 14:43:34 ----D---- C:\Users\gerwen\AppData\Roaming\SanDisk
2009-01-14 03:03:55 ----D---- C:\Program Files\Windows Mail
2009-01-09 20:35:28 ----A---- C:\Windows\system32\mrt.exe
2009-01-05 06:30:43 ----D---- C:\Program Files\Mp3tag
2009-01-02 16:03:17 ----D---- C:\Program Files\Common Files\Apple
2009-01-02 15:33:09 ----D---- C:\Program Files\Winamp
2009-01-01 20:37:01 ----D---- C:\Windows\system
2009-01-01 20:35:19 ----HD---- C:\Program Files\InstallShield Installation Information
2009-01-01 15:44:35 ----D---- C:\Users\gerwen\AppData\Roaming\WinFF
2009-01-01 13:17:32 ----D---- C:\Program Files\WinFF
2008-12-25 10:02:51 ----D---- C:\Users\gerwen\AppData\Roaming\Apple Computer
2008-12-21 09:18:32 ----D---- C:\Program Files\foobar2000
2008-12-20 11:12:40 ----D---- C:\Windows\system32\WDI
2008-12-19 03:17:42 ----D---- C:\Windows\system32\catroot2
2008-12-17 20:07:34 ----D---- C:\Program Files\Mozilla Firefox
2008-12-12 03:37:44 ----D---- C:\Windows\rescache
2008-12-12 03:16:42 ----D---- C:\Windows\system32\en-US
2008-12-12 03:16:42 ----D---- C:\Windows\AppPatch
2008-12-12 03:10:06 ----A---- C:\Windows\win.ini
2008-12-07 03:07:54 ----RSD---- C:\Windows\assembly
2008-12-07 03:07:23 ----D---- C:\Windows\WindowsMobile
2008-12-07 03:06:43 ----RSD---- C:\Windows\Fonts
2008-12-07 03:06:08 ----D---- C:\Program Files\Common Files\microsoft shared
2008-12-07 03:01:47 ----D---- C:\Program Files\Microsoft SQL Server
2008-12-06 17:15:12 ----D---- C:\Windows\ModemLogs
2008-12-04 18:46:39 ----SD---- C:\Users\gerwen\AppData\Roaming\Microsoft
2008-11-11 18:29:22 ----D---- C:\Windows\twain_32
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [2008-03-18 385072]
R1 kl1;kl1; C:\Windows\system32\DRIVERS\kl1.sys [2008-05-28 112144]
R1 KLIF;KLIF; C:\Windows\system32\DRIVERS\klif.sys [2008-04-17 127768]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter; C:\Windows\system32\DRIVERS\klim6.sys [2007-04-04 20760]
R1 ssmdrv;ssmdrv; C:\Windows\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}; \??\C:\Program Files\Acer Arcade Deluxe\Play Movie\000.fcl [2007-11-05 39408]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B}; \??\D:\program files\cyberlink\powerDVD\000.fcl [2008-01-30 41456]
R2 int15;int15; \??\C:\Acer\Empowering Technology\eRecovery\int15.sys [2006-12-07 76584]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2007-03-14 12672]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2007-02-24 39936]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2007-01-23 42496]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2007-03-22 37376]
R2 SSPORT;SSPORT; \??\C:\Windows\system32\Drivers\SSPORT.sys [2007-01-03 5120]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2007-03-14 8192]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-02-08 179712]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-19 14208]
R3 DKbFltr;Dritek Keyboard Filter Driver; C:\Windows\system32\DRIVERS\DKbFltr.sys [2007-05-03 21264]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2007-03-14 985600]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2007-03-14 207360]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-05-10 1775712]
R3 MarvinBus;Pinnacle Marvin Bus; C:\Windows\system32\DRIVERS\MarvinBus.sys [2005-09-23 171520]
R3 MXOPSWD;Maxtor OneTouch Security Driver; C:\Windows\system32\DRIVERS\mxopswd.sys [2007-05-03 22152]
R3 NETw4v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-02-24 2216448]
R3 NTIDrvr;Upper Class Filter Driver; C:\Windows\system32\DRIVERS\NTIDrvr.sys [2007-05-15 6144]
R3 NuidFltr;NUID filter driver; C:\Windows\system32\DRIVERS\NuidFltr.sys [2007-01-15 9728]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-01-11 7629504]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-19 88576]
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC); C:\Windows\system32\DRIVERS\snp2uvc.sys [2007-02-07 1729152]
R3 StillCam;Still Serial Digital Camera Driver; C:\Windows\system32\DRIVERS\serscan.sys [2008-01-19 9216]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2007-05-09 185392]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2007-03-14 659968]
R3 winbondcir;Winbond IR Transceiver; C:\Windows\system32\DRIVERS\winbondcir.sys [2007-04-19 43008]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-19 11264]
S2 DgiVecp;DgiVecp; \??\C:\Windows\system32\Drivers\DgiVecp.sys [2007-01-03 41984]
S3 61883;61883 Unit Device; C:\Windows\system32\DRIVERS\61883.sys [2008-01-19 45696]
S3 av3aj05k;av3aj05k; C:\Windows\system32\drivers\av3aj05k.sys []
S3 Avc;AVC Device; C:\Windows\system32\DRIVERS\avc.sys [2008-01-19 40448]
S3 DCamUSBEMPIA;Dazzle DVC Video Device; C:\Windows\system32\DRIVERS\emDevice.sys [2005-12-21 100957]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 emAudio;Dazzle DVC Audio Device; C:\Windows\system32\drivers\emAudio.sys [2006-12-12 22528]
S3 FiltUSBEMPIA;USB Device Lower Filter; C:\Windows\system32\DRIVERS\emFilter.sys [2005-12-21 5245]
S3 gbridge;Gbridge Virtual Miniport; C:\Windows\system32\DRIVERS\gbridge.sys [2008-07-22 36864]
S3 gbridge;Gbridge Virtual Miniport; C:\Windows\system32\DRIVERS\gbridge.sys [2008-07-22 36864]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2006-11-02 200704]
S3 MSDV;Microsoft DV Camera and VCR; C:\Windows\system32\DRIVERS\msdv.sys [2008-01-19 52608]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 NPF;Netgroup Packet Filter; C:\Windows\system32\drivers\npf.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver; \??\C:\Windows\system32\NSNDIS5.SYS []
S3 ScanUSBEMPIA;USB Still Image Capture Device; C:\Windows\system32\DRIVERS\emScan.sys [2005-12-21 4493]
S3 ser2plms;Microsoft USB GPS driver; C:\Windows\system32\DRIVERS\ser2plms.sys [2004-07-22 42240]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2008-10-01 32000]
S3 usbbus;LGE Mobile Composite USB Device; C:\Windows\system32\DRIVERS\lgusbbus.sys [2007-07-11 12416]
S3 UsbDiag;LGE Mobile USB Serial Port; C:\Windows\system32\DRIVERS\lgusbdiag.sys [2007-07-11 19840]
S3 USBModem;LGE Mobile USB Modem; C:\Windows\system32\DRIVERS\lgusbmodem.sys [2007-07-11 21632]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 winusb;WinUSB Service; C:\Windows\system32\DRIVERS\winusb.sys [2008-01-19 31616]
S3 WpdUsb;WpdUsb; C:\Windows\System32\Drivers\wpdusb.sys [2008-01-19 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S4 UIUSys;Conexant Setup API; C:\Windows\system32\DRIVERS\UIUSYS.SYS []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 AdeonaClientService;AdeonaClientService; C:\Program Files\Adeona\cygrunsrv.exe [2008-07-13 68096]
R2 ALaunchService;ALaunch Service; C:\Acer\ALaunch\ALaunchSvc.exe [2007-01-26 50688]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 AVP;Kaspersky Anti-Virus 7.0; d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe [2007-06-28 218376]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 Capture Device Service;Capture Device Service; C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe [2006-08-11 200704]
R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-14 168432]
R2 IAANTMON;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe [2007-02-12 355096]
R2 Maxtor Sync Service;Maxtor Service; C:\Program Files\Maxtor\Sync\SyncServices.exe [2007-09-28 156976]
R2 MobilityService;MobilityService; C:\Acer\Mobility Center\MobilityService.exe [2006-11-24 107008]
R2 RapiMgr;@%windir%\WindowsMobile\rapimgr.dll,-104; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 SQLWriter;SQL Server VSS Writer; C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2007-02-10 89968]
R2 WcesComm;@%windir%\WindowsMobile\wcescomm.dll,-40079; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]
S2 Net Driver HPZ12;Net Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-19 21504]
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-19 21504]
S3 eDataSecurity Service;eDataSecurity Service; C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe [2007-04-12 457512]
S3 eLockService;eLock Service; C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe [2007-03-14 24576]
S3 eNet Service;eNet Service; C:\Acer\Empowering Technology\eNet\eNet Service.exe [2007-05-22 135168]
S3 eRecoveryService;eRecovery Service; C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe [2007-02-13 53248]
S3 eSettingsService;eSettings Service; C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [2007-05-10 24576]
S3 HPSLPSVC;HP Network Devices Support; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-01-17 61440]
S3 LiveUpdate Notice Ex;LiveUpdate Notice Service Ex; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S3 LiveUpdate Notice Service;LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2008-01-29 583048]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2); C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
S3 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3; C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe [2007-08-08 836904]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2007-08-03 382248]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-10-16 243056]
S3 uvnc_service;uvnc_service; C:\Program Files\UltraVNC\WinVNC.exe [2008-08-30 1519168]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMIService;ePower Service; C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [2007-05-17 163840]
S3 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2007-03-14 386560]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2005-10-14 45272]
S4 SQLBrowser;SQL Server Browser; C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2007-02-10 242544]
-----------------EOF-----------------
info.txt
info.txt logfile of random's system information tool 1.05 2009-02-05 06:37:57
======Uninstall list======
Sansa Media Converter-->"C:\Program Files\InstallShield Installation Information\{FC053571-8507-44E4-8B6D-AACEAB8CA57C}\setup.exe" --u:{FC053571-8507-44E4-8B6D-AACEAB8CA57C}
-->"C:\Program Files\InstallShield Installation Information\{BB8AE808-F003-4C7F-B56B-8C80EEAFFE23}\setup.exe" --u:{BB8AE808-F003-4C7F-B56B-8C80EEAFFE23}
-->C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\Windows\UNNeroBackItUp.exe /UNINSTALL
-->C:\Windows\UNNeroMediaHome.exe /UNINSTALL
-->C:\Windows\UNNeroShowTime.exe /UNINSTALL
-->C:\Windows\UNNeroVision.exe /UNINSTALL
-->C:\Windows\UNRecode.exe /UNINSTALL
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{31403E22-2FDB-452F-AE9E-20854633226D}\Setup.exe" -uninst
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A450831D-25F6-4F42-9662-D000B25E0D82}\Setup.exe" -uninstall
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA4BF92B-2AAF-11DA-9D78-000129760D75}\setup.exe" -uninstall
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B145EC69-66F5-11D8-9D75-000129760D75}\setup.exe" -uninstall
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B804C424-B66D-447A-84BD-C6B88C392C3A}\setup.exe" -uninstall
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F79A208D-D929-11D9-9D77-000129760D75}\setup.exe" -uninstall
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34449598-3F4B-43B5-A996-84A7345FD15F}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B95708FA-609B-4F7F-A50C-76D2338464AE}\setup.exe" -l0x9
32 Bit HP CIO Components Installer-->MsiExec.exe /I{09BDEEF0-5590-457D-89A9-5DB2742F9BBF}
7-Zip 4.42-->"C:\Program Files\7-Zip\Uninstall.exe"
Acer Arcade Deluxe-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFBDC2B0-FAA8-4B78-8DE1-AEBE7958FA37}\Setup.exe" -uninstall
Acer Assist-->C:\Program Files\Acer Assist\uninstall.exe
Acer Crystal Eye webcam-->C:\Program Files\InstallShield Installation Information\{399C37FB-08AF-493B-BFED-20FBD85EDF7F}\setup.exe -runfromtemp -l0x0009 -removeonly -u
Acer Crystal Eye webcam-->C:\Program Files\InstallShield Installation Information\{AA047D7C-5E7C-4878-B75C-77589151B563}\setup.exe -runfromtemp -l0x0009 -removeonly
Acer eAudio Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57265292-228A-41FA-9AEC-4620CBCC2739}\Setup.EXE" -uninstall
Acer eDataSecurity Management-->C:\Acer\Empowering Technology\eDataSecurity\eDSnstHelper.exe -Operation UNINSTALL
Acer eLock Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{116FF17B-1A30-4FC2-9B01-5BC5BD46B0B3}\setup.exe" -l0x9 -removeonly
Acer Empowering Technology-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB6097D9-D722-4987-BD9E-A076E2848EE2}\setup.exe" -l0x9 -removeonly
Acer eNet Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C06554A1-2C1E-4D20-B613-EE62C79927CC}\setup.exe" -l0x9 -removeonly
Acer ePower Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\setup.exe" -l0x9 -removeonly
Acer ePresentation Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BF839132-BD43-4056-ACBF-4377F4A88E2A}\setup.exe" -l0x9 -removeonly
Acer eSettings Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CE65A9A0-9686-45C6-9098-3C9543A412F0}\setup.exe" -l0x9 -removeonly
Acer GridVista-->C:\Windows\UnInst32.exe GridV.UNI
Acer Mobility Center Plug-In-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{11316260-6666-467B-AC34-183FCB5D4335}\setup.exe" -l0x9 -removeonly
Acer Registration-->C:\Program Files\Acer Registration\uninstall.exe
Acer ScreenSaver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}\setup.exe" -l0x9 -removeonly
Acer Tour-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94389919-B0AA-4882-9BE8-9F0B004ECA35}\setup.exe" -l0x9 -removeonly
Acer VCM-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{047F790A-7A2A-4B6A-AD02-38092BA63DAC}\setup.exe" -l0x9 -removeonly
Ad-Aware-->"C:\ProgramData\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->C:\ProgramData\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.exe
Adobe Flash Player 9 ActiveX-->C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
Bit Che-->"C:\Program Files\Bit Che\unins000.exe"
BitPim 1.0.6-->"C:\Program Files\BitPim\unins000.exe"
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Canon PowerShot A40 TWAIN Driver-->C:\Windows\IsUninst.exe -f"C:\Program Files\Canon\PowerShot A40 TWAIN\Uninst.isu" -c"C:\Program Files\Canon\PowerShot A40 TWAIN\UNSTD113.dll"
CDisplay 1.8-->"C:\Program Files\CDisplay\unins000.exe"
Citrix Presentation Server Client - Web Only-->MsiExec.exe /X{C49067A8-8212-4A82-A4D9-1519701644F0}
DVD Flick-->"C:\Program Files\DVD Flick\unins000.exe"
Earth Bridge-->MsiExec.exe /I{7370B886-918B-4D52-9E93-1A496B07AF0C}
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
Exact Audio Copy 0.99pb4-->C:\Program Files\Exact Audio Copy\uninst.exe
FinalBurner Free v2.1.0.130-->"C:\Program Files\FinalBurner\Uninstall.exe" "C:\Program Files\FinalBurner\install.log" -u
FLAC 1.2.1b (remove only)-->C:\Program Files\FLAC\uninstall.exe
foobar2000 v0.9.5.5-->"C:\Program Files\foobar2000\uninstall.exe"
Foxit Reader-->MsiExec.exe /I{35D4B689-722A-413B-BC6E-8ACA8C1E8636}
GDR 3068 for SQL Server Database Services 2005 ENU (KB948109)-->C:\Windows\SQL9_KB948109_ENU\Hotfix.exe /Uninstall
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
Google SketchUp 6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98736A65-3C79-49EC-B7E9-A3C77774B0E6}\setup.exe" -l0x9 -removeonly
Google SketchUp 6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}\setup.exe" -l0x9 -removeonly
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HDAUDIO Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118\UIU32m.exe -U -Ic:\Release\Foxconn\51338\AcrZUn32z.inf
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Photosmart All-In-One Driver Software 10.0 Rel .2-->C:\Program Files\HP\Digital Imaging\{86D3D561-D1FD-4d57-8395-20030467E0F9}\setup\hpzscr01.exe -datfile hposcr21.dat -onestop
Huffyuv AVI lossless video codec (Remove Only)-->rundll.exe setupx.dll,InstallHinfSection DefaultUninstall 132 C:\Windows\INF\HUFFYUV.INF
iGain-->MsiExec.exe /I{26549A54-725D-4A72-B630-5797D69AE373}
Intel Matrix Storage Manager-->C:\Windows\system32\imsmudlg.exe -uninstall
InterVideo DeviceService-->MsiExec.exe /I{521AAD14-5030-44BB-8B0E-5CE65FCE57E0}
IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe
ISO Recorder-->MsiExec.exe /I{39600969-41C3-4658-876E-16F108FC5C92}
iTSfv 5.60.24.1 BETA-->"C:\Users\gerwen\Documents\Applications\iTSfv\unins000.exe"
iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
Kaspersky Anti-Virus 7.0-->MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Kaspersky Anti-Virus 7.0-->MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Last.fm 1.5.2.38918-->"C:\Program Files\Last.fm\unins000.exe"
Launch Manager-->C:\Windows\UnInst32.exe QtZgAcer.UNI
LG PC Suite-->C:\Program Files\InstallShield Installation Information\{993960EE-CA4D-443F-8F88-E24260DD5FD2}\setup.exe -runfromtemp -l0x0009 -removeonly
LG USB Modem driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C3ABE126-2BB2-4246-BFE1-6797679B3579}\setup.exe" -l0x9 LG -removeonly
LiveUpdate Notice (Symantec Corporation)-->MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Logitech Harmony Remote Software 7-->C:\Program Files\InstallShield Installation Information\{5C6F884D-680C-448B-B4C9-22296EE1B206}\setup.exe -runfromtemp -l0x0009 -removeonly
Maxtor Manager-->"C:\Program Files\InstallShield Installation Information\{ED01D958-AEDC-40C8-93FD-0C08E8AA9530}\setup.exe" -runfromtemp -l0x0409 -removeonly
Maxtor Manager-->MsiExec.exe /I{ED01D958-AEDC-40C8-93FD-0C08E8AA9530}
MediaCoder 0.6.1-->C:\Program Files\MediaCoder\uninst.exe
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server 2005 Express Edition (SONY_MEDIAMGR2)-->MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005-->"c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server Native Client-->MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer-->MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Microsoft Streets & Trips 2008-->MsiExec.exe /I{C82185E8-C27B-4EF4-2008-4444BC2C2B6D}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.19)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
Mp3tag v2.42-->C:\Program Files\Mp3tag\Mp3tagUninstall.EXE
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML4 Parser-->MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Nero 8-->MsiExec.exe /X{8AEA4BE2-2B52-41C0-BB7D-9F2D17AF1033}
Nexus Terminal-->C:\Windows\uni_nmt.exe
Notepad++-->C:\Program Files\Notepad++\uninstall.exe
NTI Backup NOW! 4.7-->"C:\Program Files\InstallShield Installation Information\{67ADE9AF-5CD9-4089-8825-55DE4B366799}\setup.exe" -removeonly
NTI CD & DVD-Maker-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
Picasa 2-->"C:\Program Files\Picasa2\Uninstall.exe"
Pinnacle Studio 12-->MsiExec.exe /I{D041EB9E-890A-4098-8F94-51DA194AC72A}
Pinnacle Video Driver-->MsiExec.exe /X{5EB90C06-964F-4195-B83E-BD7E55C88415}
PowerDVD Ultra-->"C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -l0x000409 /z-uninstall
PowerProducer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\Setup.exe" -uninstall
Print Server Driver-->C:\Windows\IsUninst.exe -f"C:\Program Files\Print Server\PTP\Uninst.isu"
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Remote Control USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8471021C-F529-43DE-84DF-3612E10F58C4}\setup.exe" -l0x9 -removeonly
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59F6A514-9813-47A3-948C-8A155460CC2A}\Setup.exe" -l0x9 anything
Samsung ML-1610 Series-->C:\Program Files\Samsung\Samsung ML-1610 Series\Install\Setup.exe /R
SequoiaView-->C:\Program Files\SequoiaView\Uninstal.exe
Skype™ 3.8-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sony Media Manager 2.3-->MsiExec.exe /X{8FA5B6B7-D8BD-49F7-98D7-701C26B01E97}
Sony Vegas 6.0b-->MsiExec.exe /X{576FBE17-EBF2-4CC7-87A4-A28034CBE424}
Sony Vegas Pro 8.0-->MsiExec.exe /X{7C9AD221-994C-45B2-B46D-26F5735158CF}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
TeraCopy 1.22-->"C:\Program Files\TeraCopy\unins000.exe"
Ulead DVD MovieFactory 6-->C:\Program Files\InstallShield Installation Information\{CCC4E428-411E-4605-B515-317D50ABD477}\setup.exe -runfromtemp -l0x0409
UltraVNC 1.0.5-->"C:\Program Files\UltraVNC\unins000.exe"
VideoLAN VLC media player 0.8.6i-->C:\Program Files\VideoLAN\VLC\uninstall.exe
VideoReDo TVSuite Version 3.1.4.549-->"C:\Program Files\VideoReDoTVSuite\unins000.exe"
Vista Codec Package-->MsiExec.exe /I{F9FD80CE-0448-4D4F-8BCD-77FC514C3F99}
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\Windows\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Winbond CIR Drivers-->MsiExec.exe /X{427967BF-09F8-46D5-9275-37001CCBBA5D}
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinFF 0.43-->"C:\Program Files\WinFF\unins000.exe"
=====HijackThis Backups=====
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ycomp/defaults/sp/*http://ca.yahoo.com
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
======Security center information======
AV: Kaspersky Anti-Virus (outdated)
AS: Avira AntiVir PersonalEdition
AS: Lavasoft Ad-Watch Live! (disabled)
AS: Windows Defender (disabled)
AS: Kaspersky Anti-Virus
System event log
Computer Name: ger2
Event Code: 7036
Message: The Windows Image Acquisition (WIA) service entered the running state.
Record Number: 108672
Source Name: Service Control Manager
Time Written: 20090205112133.000000-000
Event Type: Information
User:
Computer Name: ger2
Event Code: 1
Message: The system has resumed from sleep.
Sleep Time: 2009-02-04T03:33:47.127Z
Wake Time: 2009-02-05T11:21:32.677Z
Wake Source: Power Button
Record Number: 108673
Source Name: Microsoft-Windows-Power-Troubleshooter
Time Written: 20090205112135.074000-000
Event Type: Information
User: NT AUTHORITY\LOCAL SERVICE
Computer Name: ger2
Event Code: 6013
Message: The system uptime is 101497 seconds.
Record Number: 108674
Source Name: EventLog
Time Written: 20090205112156.000000-000
Event Type: Information
User:
Computer Name: ger2
Event Code: 7036
Message: The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.
Record Number: 108675
Source Name: Service Control Manager
Time Written: 20090205112200.000000-000
Event Type: Information
User:
Computer Name: ger2
Event Code: 104
Message: The service is publishing to the network.
Record Number: 108676
Source Name: Microsoft-Windows-ResourcePublication
Time Written: 20090205112208.187000-000
Event Type: Information
User: NT AUTHORITY\LOCAL SERVICE
Application event log
Computer Name: ger2
Event Code: 9009
Message: The Desktop Window Manager has exited with code (0x40010004)
Record Number: 13764
Source Name: Desktop Window Manager
Time Written: 20090204014519.000000-000
Event Type: Information
User:
Computer Name: ger2
Event Code: 6000
Message: The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
Record Number: 13765
Source Name: Microsoft-Windows-Winlogon
Time Written: 20090204014519.000000-000
Event Type: Information
User:
Computer Name: ger2
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-569827172-978502480-999087599-1001:
Process 1136 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-569827172-978502480-999087599-1001
Record Number: 13766
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20090204014519.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM
Computer Name: ger2
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-569827172-978502480-999087599-1001_Classes:
Process 1136 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-569827172-978502480-999087599-1001_CLASSES
Record Number: 13767
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20090204014520.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM
Computer Name: ger2
Event Code: 6000
Message: The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
Record Number: 13768
Source Name: Microsoft-Windows-Winlogon
Time Written: 20090204014540.000000-000
Event Type: Information
User:
Security event log
Computer Name: ger2
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 26764
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090205113745.663600-000
Event Type: Audit Failure
User:
Computer Name: ger2
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 26765
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090205113745.706600-000
Event Type: Audit Failure
User:
Computer Name: ger2
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 26766
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090205113745.741600-000
Event Type: Audit Failure
User:
Computer Name: ger2
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 26767
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090205113745.778600-000
Event Type: Audit Failure
User:
Computer Name: ger2
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 26768
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090205113745.813600-000
Event Type: Audit Failure
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Pinnacle\Shared Files\;C:\Program Files\Pinnacle\Shared Files\Filter\;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_15\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_15\lib\ext\QTJava.zip
-----------------EOF-----------------
Good, now we start cleaning :)
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
I really appreciate the help.
I'm currently at work, so I can't run the tools yet, however I''ve downloaded combofix, as well as kaperky's updates and stuck them on a flash drive.
Is there anything else we might use that I could download now (away from infected pc)? Might avoid a headache later trying to download from a blocked host.
Thanks,
gerwen
Hi gerwen,
You could add these two to "for just in case" -list :) :
Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe)
GMER (http://www.gmer.net/gmer.zip)
Log.txt from combofix.
ComboFix 09-02-05.01 - gerwen 2009-02-05 16:08:14.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.1221 [GMT -5:00]
Running from: c:\users\gerwen\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
c:\recycler\S-6-1-68-100002912-100009968-100016372-6644.com
c:\windows\setup.exe
c:\windows\system32\drivers\gaopdxaqxcnokb.sys
c:\windows\system32\gaopdxcpmvethq.dll
D:\Autorun.inf
d:\recycler\S-6-1-68-100002912-100009968-100016372-6644.com
I:\Autorun.inf
i:\recycler\S-6-1-68-100002912-100009968-100016372-6644.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_gaopdxserv.sys
-------\Legacy_NPF
-------\Service_NPF
((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.
2009-02-05 06:37 . 2009-02-05 06:37 <DIR> d-------- C:\rsit
2009-02-01 11:00 . 2009-02-01 11:00 <DIR> d-------- c:\program files\Trend Micro
2009-02-01 10:58 . 2009-02-01 10:58 <DIR> d-------- c:\program files\ERUNT
2009-02-01 09:20 . 2009-02-01 09:20 <DIR> d-------- C:\fixwareout
2009-01-31 13:29 . 2009-01-18 16:35 15,688 --a------ c:\windows\System32\lsdelete.exe
2009-01-31 13:15 . 2009-01-18 16:30 64,160 --a------ c:\windows\System32\drivers\Lbd.sys
2009-01-31 13:14 . 2009-01-31 13:15 <DIR> d-------- c:\users\All Users\Lavasoft
2009-01-31 13:14 . 2009-01-31 13:15 <DIR> d-------- c:\programdata\Lavasoft
2009-01-31 13:14 . 2009-01-31 13:14 <DIR> d-------- c:\program files\Lavasoft
2009-01-31 13:13 . 2009-01-31 13:14 <DIR> d--h-c--- c:\users\All Users\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-31 13:13 . 2009-01-31 13:14 <DIR> d--h-c--- c:\programdata\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-31 12:51 . 2009-01-31 19:32 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2009-01-31 12:51 . 2009-01-31 19:32 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2009-01-31 12:51 . 2009-01-31 12:51 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-13 22:29 . 2008-12-15 21:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-10 14:29 . 2009-02-01 09:32 <DIR> d-------- c:\program files\Skyhook Wireless
2009-01-08 06:34 . 2009-01-24 20:43 <DIR> d-------- c:\users\gerwen\AppData\Roaming\iTSfv
2009-01-06 06:29 . 2009-01-06 06:29 <DIR> d-------- c:\users\All Users\Last.fm
2009-01-06 06:29 . 2009-01-06 06:29 <DIR> d-------- c:\programdata\Last.fm
2009-01-06 06:26 . 2009-01-06 06:26 <DIR> d-------- c:\program files\Last.fm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-05 22:26 31,209,504 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-02-05 22:03 89,601 ----a-w c:\windows\system32\drivers\klick.dat
2009-02-05 22:03 101,287 ----a-w c:\windows\system32\drivers\klin.dat
2009-02-05 21:19 --------- d-----w c:\programdata\Google Updater
2009-02-05 21:04 424,172 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-02-05 20:57 --------- d-----w c:\users\gerwen\AppData\Roaming\TeraCopy
2009-02-05 20:55 151,198 ----a-w c:\users\gerwen\AppData\Roaming\nvModes.dat
2009-02-05 13:32 --------- d-----w c:\programdata\Kaspersky Lab
2009-02-05 11:34 --------- d-----w c:\users\gerwen\AppData\Roaming\uTorrent
2009-02-04 01:29 27,744 ----a-w c:\users\Doll\AppData\Roaming\nvModes.dat
2009-02-02 00:40 --------- d-----w c:\users\gerwen\AppData\Roaming\foobar2000
2009-02-01 15:49 --------- d-----w c:\users\gerwen\AppData\Roaming\Skype
2009-02-01 14:31 --------- d-----w c:\program files\Google
2009-02-01 14:27 --------- d-----w c:\program files\Java
2009-02-01 13:59 --------- d-----w c:\users\gerwen\AppData\Roaming\skypePM
2009-01-31 17:48 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-31 17:48 --------- d-----w c:\program files\Loonies
2009-01-28 00:15 --------- d-----w c:\program files\MP3Gain
2009-01-24 19:43 --------- d-----w c:\users\gerwen\AppData\Roaming\SanDisk
2009-01-14 08:03 --------- d-----w c:\program files\Windows Mail
2009-01-06 11:29 --------- d-----w c:\program files\iTunes
2009-01-05 11:30 --------- d-----w c:\program files\Mp3tag
2009-01-02 21:04 --------- d-----w c:\program files\Bonjour
2009-01-02 21:03 --------- d-----w c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-02 21:03 --------- d-----w c:\program files\iPod
2009-01-02 21:03 --------- d-----w c:\program files\Common Files\Apple
2009-01-02 21:01 --------- d-----w c:\program files\QuickTime
2009-01-02 20:33 --------- d-----w c:\program files\Winamp
2009-01-02 01:37 --------- d-----w c:\program files\Common Files\SWF Studio
2009-01-02 01:35 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-01 20:44 --------- d-----w c:\users\gerwen\AppData\Roaming\WinFF
2009-01-01 18:17 --------- d-----w c:\program files\WinFF
2008-12-30 22:06 --------- d-----w c:\program files\iGain
2008-12-25 15:02 --------- d-----w c:\users\gerwen\AppData\Roaming\Apple Computer
2008-12-21 14:18 --------- d-----w c:\program files\foobar2000
2008-12-17 21:28 56 ---ha-w c:\users\All Users\ezsidmv.dat
2008-12-17 21:28 56 ---ha-w c:\programdata\ezsidmv.dat
2008-12-17 21:28 --------- d-----w c:\program files\Common Files\Skype
2008-12-15 00:56 --------- d-----w c:\users\Doll\AppData\Roaming\foobar2000
2008-12-12 16:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-12-12 16:11 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-12-07 08:01 --------- d-----w c:\program files\Microsoft SQL Server
2008-12-06 22:25 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-12-06 22:23 --------- d-----w c:\programdata\WLInstaller
2008-12-06 22:23 --------- d-----w c:\program files\Windows Live
2008-12-05 00:32 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2008-11-05 00:36 410,976 ----a-w c:\windows\System32\deploytk.dll
2008-04-23 23:58 174 --sha-w c:\program files\desktop.ini
2008-03-21 11:51 32 ----a-w c:\users\All Users\ezsid.dat
2008-03-21 11:51 32 ----a-w c:\programdata\ezsid.dat
2008-03-21 14:23 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-03-21 14:23 32,768 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-03-21 14:23 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-03-14 486856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 865840]
"PLFSet"="c:\windows\PLFSet.dll" [2007-03-09 45056]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"LanguageShortcut"="d:\program files\cyberlink\powerDVD\Language\Language.exe" [2007-10-11 62760]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2007-05-04 502544]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-01-11 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-11 8501792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-11 81920]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 c:\windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-05-07 c:\windows\SkyTel.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll d:\progra~1\KASPER~1\KASPER~1.0\r3hook.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= emYUV.dll
"VIDC.HFYU"= huffyuv.dll
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.divxa32"= divxa32.acm
"vidc.mjpg"= pvmjpg30.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= c:\program files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D28A59B1-7B7B-4C53-9D7D-0861425D667F}"= c:\program files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
"{9545413F-140C-4727-B4FB-7A027390EED3}"= c:\program files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician
"{CE23AB87-A186-4796-83C8-7BEA2C9554E3}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia
"{5F2628C7-45BC-4248-8641-1D63D84FF3C2}"= c:\program files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard
"{564356F2-A5E2-47AA-82A1-2FF2331C746C}"= c:\program files\Acer\Acer VCM\VC.exe:Acer VCM
"{5761D40F-A451-452E-929D-054C299F9808}"= UDP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"{1CE0043E-9DF4-4204-BE5B-9F54BEAB2C88}"= TCP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"TCP Query User{D33E6591-85DC-4E17-B3F0-F16CB33C779F}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{8A860A08-FB3D-404D-B9AB-43AC7D993880}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{C550ED0F-04BC-4A32-9181-E4CC8BA33B92}c:\\program files\\nmt\\nmt.exe"= UDP:c:\program files\nmt\nmt.exe:Nexus Terminal - TN/SSH/SSL 3270/5250/VT220
"UDP Query User{B38D8338-5DED-4C8D-99DC-0AE34FCD2723}c:\\program files\\nmt\\nmt.exe"= TCP:c:\program files\nmt\nmt.exe:Nexus Terminal - TN/SSH/SSL 3270/5250/VT220
"{8C3E1795-1BC8-4541-9F03-78B11F7DD83C}"= c:\program files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie
"{95CB0A9A-CCE0-4199-A713-C652F399AE35}"= c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program
"{53D3D1E3-FEDE-4318-BC81-4AE75B1C6AFF}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{E76A3CEA-EE30-4F98-888C-AE8CEB682DF6}"= d:\program files\cyberlink\powerDVD\PowerDVD.EXE:CyberLink PowerDVD
"TCP Query User{347DE8B3-5267-40C6-AA01-A2001E10AC7B}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{848E13C6-992D-440F-A554-7BC1D371A8CF}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{E23B9658-97E0-41A1-91BA-8982DC683C00}c:\\users\\gerwen\\desktop\\downloads\\torrents\\utorrent.exe"= UDP:c:\users\gerwen\desktop\downloads\torrents\utorrent.exe:utorrent.exe
"UDP Query User{BD03C1B1-6774-465B-87CD-2F7381592CC0}c:\\users\\gerwen\\desktop\\downloads\\torrents\\utorrent.exe"= TCP:c:\users\gerwen\desktop\downloads\torrents\utorrent.exe:utorrent.exe
"TCP Query User{6F25FBCC-25F8-484F-BDC3-294C81602754}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{60FF1847-789F-45FE-B33A-832DC536D368}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{AAB9CB78-25C1-41AF-8916-CA137FA94C12}"= UDP:c:\program files\Gizmo5\Gizmo5.exe:Gizmo5
"{7EC3AD64-28BA-4475-B4B4-ED93F50AE381}"= TCP:c:\program files\Gizmo5\Gizmo5.exe:Gizmo5
"{2DA473BE-3384-413F-A684-4B7E006218F3}"= UDP:24213:uTorrent port
"TCP Query User{B98B8570-6043-440E-83BD-08B19B9B5D20}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{69BADC27-C3F9-444B-8504-2DD42207EC9B}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{60102B68-8084-44C7-B6D7-C5C7CA4383A2}"= Disabled:UDP:c:\users\gerwen\AppData\Local\Temp\7zSEC80.tmp\setup\HPZnui01.exe:hpznui01.exe
"{451C60EC-D357-4EA9-A89D-1E178C544D40}"= Disabled:TCP:c:\users\gerwen\AppData\Local\Temp\7zSEC80.tmp\setup\HPZnui01.exe:hpznui01.exe
"{93B139F8-585C-4134-AFBA-13F006DBA595}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{14255BE7-5A7A-434D-8D96-24937202CD13}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{14FCDFFB-C607-4016-B9BE-AA44D394342E}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{A098B515-8368-4747-9EA4-7EA90792B095}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{05CBD7A6-92DD-472E-A249-0AC35EEC5EC1}"= UDP:c:\program files\UltraVNC\vncviewer.exe:vncviewer.exe
"{3139B05C-3AF2-4263-B297-5CA72A883B1F}"= TCP:c:\program files\UltraVNC\vncviewer.exe:vncviewer.exe
"{5418B87C-33A9-49AB-8051-5883239FC8E6}"= UDP:c:\program files\Gbridge LLC\Gbridge\Gbridge.exe:GBridge
"{D04D5404-415F-4462-9749-05AEDF7DB297}"= TCP:c:\program files\Gbridge LLC\Gbridge\Gbridge.exe:GBridge
"{4DD81762-6145-41FF-890A-57E9CC197419}"= UDP:c:\program files\Gbridge LLC\Gbridge\gbwinvnc.exe:Gbwinvnc
"{79B12BCF-4F90-4387-AA13-592E4C869AD0}"= TCP:c:\program files\Gbridge LLC\Gbridge\gbwinvnc.exe:Gbwinvnc
"{3E1A3C28-B7FF-4D12-B4F9-EF2018BBD279}"= UDP:c:\program files\Gbridge LLC\Gbridge\gbvncviewer.exe:Gbvncviewer
"{63544C2E-054C-46D3-87AB-346D46ECD508}"= TCP:c:\program files\Gbridge LLC\Gbridge\gbvncviewer.exe:Gbvncviewer
"{F4FF262B-3FD8-4886-91B8-33145DAD714C}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\RM.exe:Render Manager
"{84C515C9-205B-4136-9776-C1A9326C92EF}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\RM.exe:Render Manager
"{5BBA94AC-FD9F-48F8-9F9F-83FFD7BE7084}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\Studio.exe:Studio
"{E34D8D3A-C02F-4502-A3F9-FB66989F21D5}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\Studio.exe:Studio
"{F665F931-0B84-4EAD-9BD8-307157591B05}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\umi.exe:umi
"{F68F56A2-71FA-44AB-8C35-0A7C8D377692}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\umi.exe:umi
"{08C3ECEF-3AE3-4446-AF81-C9D7BFA14407}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{9ECFA7D8-FCCE-4BD2-A4A5-85E47C2D8127}"= UDP:5214:Shared iTunes Libs
"{D7963AF6-9F90-4713-B403-781DB24B64E5}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{DB5313EC-424E-4775-AFDE-1D97CD67F63D}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{D0FEA42A-0DA1-4E72-87FB-1144FAA17820}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{64DF97B2-6271-4042-8E32-F6D873250988}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{E103D678-BD5F-4422-B27F-7EB2676A62BE}c:\\program files\\itunes\\itunes.exe"= UDP:c:\program files\itunes\itunes.exe:iTunes
"UDP Query User{52C6B4F0-66A6-4931-94B8-5059DE2D5DFE}c:\\program files\\itunes\\itunes.exe"= TCP:c:\program files\itunes\itunes.exe:iTunes
"TCP Query User{E111B51B-BF83-40F0-ABBE-BF4D2168559B}c:\\program files\\ultravnc\\winvnc.exe"= UDP:c:\program files\ultravnc\winvnc.exe:VNC server for Win32
"UDP Query User{EF4F0DD0-B7D9-4C7E-804C-C2C4EF47FF7E}c:\\program files\\ultravnc\\winvnc.exe"= TCP:c:\program files\ultravnc\winvnc.exe:VNC server for Win32
"{B26B6E23-6CF5-40D3-A9F5-69BB79ED6227}"= UDP:c:\program files\Spybot - Search & Destroy\SpybotSD.exe:Spybot - Search & Destroy
"{35559736-B3CE-4F01-942B-F8997CD50A10}"= TCP:c:\program files\Spybot - Search & Destroy\SpybotSD.exe:Spybot - Search & Destroy
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= c:\program files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [2009-01-31 64160]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\System32\drivers\klim6.sys [2007-04-04 20760]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2007-07-26 02:11:06 39408]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};d:\program files\cyberlink\powerDVD\000.fcl [2008-01-30 11:28:36 41456]
R2 AdeonaClientService;AdeonaClientService;c:\program files\Adeona\cygrunsrv.exe [2008-07-13 68096]
R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-05-15 50688]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]
R2 SSPORT;SSPORT;c:\windows\System32\drivers\SSPORT.SYS [2008-06-25 5120]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2007-05-15 179712]
R3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [2007-05-15 43008]
S3 gbridge;Gbridge Virtual Miniport;c:\windows\System32\drivers\gbridge.sys [2008-07-22 36864]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
S3 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [2008-04-13 1519168]
--- Other Services/Drivers In Memory ---
*Deregistered* - sptd
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29e5e048-c064-11dd-8455-001b2464df4f}]
\shell\AutoRun\command - G:\LiteAuto.exe
.
Contents of the 'Scheduled Tasks' folder
2009-02-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 16:34]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-ALaunch - c:\acer\ALaunch\AlaunchClient.exe
HKLM-Run-SetPanel - c:\acer\APanel\APanel.cmd
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.ca.acer.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.ca.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
TCP: {603D9702-23B6-4B54-8A14-05F35CD2A537} = 208.67.220.220,208.67.222.222
TCP: {FE8ABFF2-E5E7-4193-8078-F16CAB3B579F} = 4.2.2.1
FF - ProfilePath - c:\users\gerwen\AppData\Roaming\Mozilla\Firefox\Profiles\r6o93vos.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
1 file(s) moved.
FF - component: c:\users\gerwen\AppData\Roaming\Mozilla\Firefox\Profiles\r6o93vos.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 17:26:26
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Adeona\adeona-client.exe
d:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Windows Defender\MpCmdRun.exe
c:\windows\System32\WerFault.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Launch Manager\QtZgAcer.EXE
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\users\gerwen\AppData\Local\Temp\RtkBtMnt.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\consent.exe
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-02-05 17:33:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-05 22:33:07
Pre-Run: 23,468,515,328 bytes free
Post-Run: 23,459,082,240 bytes free
317 --- E O F --- 2009-01-23 02:25:20
hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:48 PM, on 05/02/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\WerFault.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Users\gerwen\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.ca.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.ca.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [LanguageShortcut] "D:\program files\cyberlink\powerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\Windows\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{603D9702-23B6-4B54-8A14-05F35CD2A537}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE8ABFF2-E5E7-4193-8078-F16CAB3B579F}: NameServer = 4.2.2.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: eNetHook.dll d:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: AdeonaClientService - Unknown owner - C:\Program Files\Adeona\cygrunsrv.exe
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9150 bytes
I don't see a way to edit my posts, or i would have added this info in one of the previous:
Symptoms which brought me here seem to be gone, although I realize this doesn't mean i'm clean.
I just noticed, windows bluescreened while running combofix. I wasn't at the console when it happened, i thought it was a normal reboot in the process.
Hi again,
Let's carry out a few more steps :)
Start hjt (right click hijackthis.exe and select 'run as administrator'), do a system scan, check (if found):
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{603D9702-23B6-4B54-8A14-05F35CD2A537}: NameServer = 208.67.220.220,208.67.222.222
Close browsers and fix checked.
Uninstall old Adobe Reader versions and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader!
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 12 (http://java.sun.com/javase/downloads/index.jsp).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.
Open notepad and copy/paste the text in the quotebox below into it:
Folder::
c:\users\gerwen\AppData\Roaming\uTorrent
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{E23B9658-97E0-41A1-91BA-8982DC683C00}c:\\users\\gerwen\\desktop\\downloads\\torrents\\utorrent.exe"=-
"UDP Query User{BD03C1B1-6774-465B-87CD-2F7381592CC0}c:\\users\\gerwen\\desktop\\downloads\\torrents\\utorrent.exe"=-
"TCP Query User{6F25FBCC-25F8-484F-BDC3-294C81602754}c:\\program files\\utorrent\\utorrent.exe"=-
"UDP Query User{60FF1847-789F-45FE-B33A-832DC536D368}c:\\program files\\utorrent\\utorrent.exe"=-
"{2DA473BE-3384-413F-A684-4B7E006218F3}"=-
"TCP Query User{B98B8570-6043-440E-83BD-08B19B9B5D20}c:\\program files\\utorrent\\utorrent.exe"=-
"UDP Query User{69BADC27-C3F9-444B-8504-2DD42207EC9B}c:\\program files\\utorrent\\utorrent.exe"=-
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif). If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.
Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
I hope the script ran correctly, combofix wanted to update when i dragged the script onto the icon. I let it update.
ComboFix 09-02-06.01 - gerwen 2009-02-06 18:04:16.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.1013 [GMT -5:00]
Running from: c:\users\gerwen\Desktop\ComboFix.exe
Command switches used :: c:\users\gerwen\Desktop\cfscript.txt
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\gerwen\AppData\Roaming\uTorrent
c:\users\gerwen\AppData\Roaming\uTorrent\02 Stephen King - The Mist.wma.torrent
c:\users\gerwen\AppData\Roaming\uTorrent\Apt Pupil.torrent
c:\users\gerwen\AppData\Roaming\uTorrent\Arthur C Clarke - Rendezvous with Rama.torrent
c:\users\gerwen\AppData\Roaming\uTorrent\Children Of The Corn.torrent
c:\users\gerwen\AppData\Roaming\uTorrent\dht.dat
c:\users\gerwen\AppData\Roaming\uTorrent\dht.dat.old
c:\users\gerwen\AppData\Roaming\uTorrent\Dragonlance 1-3 Audiobook s.torrent
c:\users\gerwen\AppData\Roaming\uTorrent\resume.dat
c:\users\gerwen\AppData\Roaming\uTorrent\resume.dat.old
c:\users\gerwen\AppData\Roaming\uTorrent\rss.dat
c:\users\gerwen\AppData\Roaming\uTorrent\rss.dat.old
c:\users\gerwen\AppData\Roaming\uTorrent\settings.dat
c:\users\gerwen\AppData\Roaming\uTorrent\settings.dat.1.bad
c:\users\gerwen\AppData\Roaming\uTorrent\settings.dat.2.bad
c:\users\gerwen\AppData\Roaming\uTorrent\settings.dat.old
c:\users\gerwen\AppData\Roaming\uTorrent\utorrent-help.zip
c:\users\gerwen\AppData\Roaming\uTorrent\utorrent.chm
c:\users\gerwen\AppData\Roaming\uTorrent\utorrent.lng
I:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
.
2009-02-05 06:37 . 2009-02-05 06:37 <DIR> d-------- C:\rsit
2009-02-01 11:00 . 2009-02-01 11:00 <DIR> d-------- c:\program files\Trend Micro
2009-02-01 10:58 . 2009-02-01 10:58 <DIR> d-------- c:\program files\ERUNT
2009-02-01 09:20 . 2009-02-01 09:20 <DIR> d-------- C:\fixwareout
2009-01-31 13:29 . 2009-02-05 19:42 15,688 --a------ c:\windows\System32\lsdelete.exe
2009-01-31 13:15 . 2009-01-18 16:30 64,160 --a------ c:\windows\System32\drivers\Lbd.sys
2009-01-31 13:14 . 2009-01-31 13:15 <DIR> d-------- c:\users\All Users\Lavasoft
2009-01-31 13:14 . 2009-01-31 13:15 <DIR> d-------- c:\programdata\Lavasoft
2009-01-31 13:14 . 2009-01-31 13:14 <DIR> d-------- c:\program files\Lavasoft
2009-01-31 13:13 . 2009-01-31 13:14 <DIR> d--h-c--- c:\users\All Users\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-31 13:13 . 2009-01-31 13:14 <DIR> d--h-c--- c:\programdata\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-31 12:51 . 2009-01-31 19:32 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2009-01-31 12:51 . 2009-01-31 19:32 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2009-01-31 12:51 . 2009-01-31 12:51 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-13 22:29 . 2008-12-15 21:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-10 14:29 . 2009-02-01 09:32 <DIR> d-------- c:\program files\Skyhook Wireless
2009-01-08 06:34 . 2009-01-24 20:43 <DIR> d-------- c:\users\gerwen\AppData\Roaming\iTSfv
2009-01-06 06:29 . 2009-01-06 06:29 <DIR> d-------- c:\users\All Users\Last.fm
2009-01-06 06:29 . 2009-01-06 06:29 <DIR> d-------- c:\programdata\Last.fm
2009-01-06 06:26 . 2009-01-06 06:26 <DIR> d-------- c:\program files\Last.fm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 23:06 31,524,896 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-02-06 22:56 410,984 ----a-w c:\windows\System32\deploytk.dll
2009-02-06 22:56 --------- d-----w c:\program files\Java
2009-02-06 22:53 --------- d-----w c:\programdata\Kaspersky Lab
2009-02-06 22:19 --------- d-----w c:\programdata\Google Updater
2009-02-06 21:28 427,268 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-02-06 21:10 151,198 ----a-w c:\users\gerwen\AppData\Roaming\nvModes.dat
2009-02-05 23:27 --------- d-----w c:\users\gerwen\AppData\Roaming\TeraCopy
2009-02-05 22:03 89,601 ----a-w c:\windows\system32\drivers\klick.dat
2009-02-05 22:03 101,287 ----a-w c:\windows\system32\drivers\klin.dat
2009-02-04 01:29 27,744 ----a-w c:\users\Doll\AppData\Roaming\nvModes.dat
2009-02-02 00:40 --------- d-----w c:\users\gerwen\AppData\Roaming\foobar2000
2009-02-01 15:49 --------- d-----w c:\users\gerwen\AppData\Roaming\Skype
2009-02-01 14:31 --------- d-----w c:\program files\Google
2009-02-01 13:59 --------- d-----w c:\users\gerwen\AppData\Roaming\skypePM
2009-01-31 17:48 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-31 17:48 --------- d-----w c:\program files\Loonies
2009-01-28 00:15 --------- d-----w c:\program files\MP3Gain
2009-01-24 19:43 --------- d-----w c:\users\gerwen\AppData\Roaming\SanDisk
2009-01-14 08:03 --------- d-----w c:\program files\Windows Mail
2009-01-06 11:29 --------- d-----w c:\program files\iTunes
2009-01-05 11:30 --------- d-----w c:\program files\Mp3tag
2009-01-02 21:04 --------- d-----w c:\program files\Bonjour
2009-01-02 21:03 --------- d-----w c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-02 21:03 --------- d-----w c:\program files\iPod
2009-01-02 21:03 --------- d-----w c:\program files\Common Files\Apple
2009-01-02 21:01 --------- d-----w c:\program files\QuickTime
2009-01-02 20:33 --------- d-----w c:\program files\Winamp
2009-01-02 01:37 --------- d-----w c:\program files\Common Files\SWF Studio
2009-01-02 01:35 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-01 20:44 --------- d-----w c:\users\gerwen\AppData\Roaming\WinFF
2009-01-01 18:17 --------- d-----w c:\program files\WinFF
2008-12-30 22:06 --------- d-----w c:\program files\iGain
2008-12-25 15:02 --------- d-----w c:\users\gerwen\AppData\Roaming\Apple Computer
2008-12-21 14:18 --------- d-----w c:\program files\foobar2000
2008-12-17 21:28 56 ---ha-w c:\users\All Users\ezsidmv.dat
2008-12-17 21:28 56 ---ha-w c:\programdata\ezsidmv.dat
2008-12-17 21:28 --------- d-----w c:\program files\Common Files\Skype
2008-12-15 00:56 --------- d-----w c:\users\Doll\AppData\Roaming\foobar2000
2008-12-12 16:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-12-12 16:11 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-12-07 08:01 --------- d-----w c:\program files\Microsoft SQL Server
2008-12-06 22:25 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-12-06 22:23 --------- d-----w c:\programdata\WLInstaller
2008-12-06 22:23 --------- d-----w c:\program files\Windows Live
2008-04-23 23:58 174 --sha-w c:\program files\desktop.ini
2008-03-21 11:51 32 ----a-w c:\users\All Users\ezsid.dat
2008-03-21 11:51 32 ----a-w c:\programdata\ezsid.dat
2008-03-21 14:23 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-03-21 14:23 32,768 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-03-21 14:23 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-02-05_17.30.51.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-05 21:51:37 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2009-02-06 21:31:56 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2009-02-06 21:31:56 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2009-02-05 22:26:18 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2009-02-06 22:52:54 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2009-02-06 22:52:54 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2009-02-05 21:41:17 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-06 22:36:16 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-05 21:41:17 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-06 22:36:16 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-05 21:41:18 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-06 22:36:16 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-05 21:00:50 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2009-02-06 23:03:10 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2009-02-06 22:56:53 144,792 ----a-w c:\windows\System32\java.exe
+ 2009-02-06 22:56:53 144,792 ----a-w c:\windows\System32\javaw.exe
+ 2009-02-06 22:56:53 148,888 ----a-w c:\windows\System32\javaws.exe
- 2009-02-05 21:08:26 9,122 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-569827172-978502480-999087599-1000_UserData.bin
+ 2009-02-05 23:27:08 9,154 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-569827172-978502480-999087599-1000_UserData.bin
- 2009-02-05 21:08:26 86,576 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-02-05 23:27:08 86,678 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-02-05 21:04:11 2,828 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-02-06 21:28:19 2,828 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2009-02-01 15:47:57 61,336 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-02-06 21:32:41 61,504 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-02-05 13:31:10 482,376 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-02-06 11:24:41 483,642 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-03-14 486856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 865840]
"PLFSet"="c:\windows\PLFSet.dll" [2007-03-09 45056]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"LanguageShortcut"="d:\program files\cyberlink\powerDVD\Language\Language.exe" [2007-10-11 62760]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2007-05-04 502544]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-01-11 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-11 8501792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-11 81920]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-05 509784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-06 148888]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 c:\windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-05-07 c:\windows\SkyTel.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll d:\progra~1\KASPER~1\KASPER~1.0\r3hook.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= emYUV.dll
"VIDC.HFYU"= huffyuv.dll
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.divxa32"= divxa32.acm
"vidc.mjpg"= pvmjpg30.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= c:\program files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D28A59B1-7B7B-4C53-9D7D-0861425D667F}"= c:\program files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
"{9545413F-140C-4727-B4FB-7A027390EED3}"= c:\program files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician
"{CE23AB87-A186-4796-83C8-7BEA2C9554E3}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia
"{5F2628C7-45BC-4248-8641-1D63D84FF3C2}"= c:\program files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard
"{564356F2-A5E2-47AA-82A1-2FF2331C746C}"= c:\program files\Acer\Acer VCM\VC.exe:Acer VCM
"{5761D40F-A451-452E-929D-054C299F9808}"= UDP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"{1CE0043E-9DF4-4204-BE5B-9F54BEAB2C88}"= TCP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"TCP Query User{D33E6591-85DC-4E17-B3F0-F16CB33C779F}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{8A860A08-FB3D-404D-B9AB-43AC7D993880}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{C550ED0F-04BC-4A32-9181-E4CC8BA33B92}c:\\program files\\nmt\\nmt.exe"= UDP:c:\program files\nmt\nmt.exe:Nexus Terminal - TN/SSH/SSL 3270/5250/VT220
"UDP Query User{B38D8338-5DED-4C8D-99DC-0AE34FCD2723}c:\\program files\\nmt\\nmt.exe"= TCP:c:\program files\nmt\nmt.exe:Nexus Terminal - TN/SSH/SSL 3270/5250/VT220
"{8C3E1795-1BC8-4541-9F03-78B11F7DD83C}"= c:\program files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie
"{95CB0A9A-CCE0-4199-A713-C652F399AE35}"= c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program
"{53D3D1E3-FEDE-4318-BC81-4AE75B1C6AFF}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{E76A3CEA-EE30-4F98-888C-AE8CEB682DF6}"= d:\program files\cyberlink\powerDVD\PowerDVD.EXE:CyberLink PowerDVD
"TCP Query User{347DE8B3-5267-40C6-AA01-A2001E10AC7B}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{848E13C6-992D-440F-A554-7BC1D371A8CF}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"{AAB9CB78-25C1-41AF-8916-CA137FA94C12}"= UDP:c:\program files\Gizmo5\Gizmo5.exe:Gizmo5
"{7EC3AD64-28BA-4475-B4B4-ED93F50AE381}"= TCP:c:\program files\Gizmo5\Gizmo5.exe:Gizmo5
"{60102B68-8084-44C7-B6D7-C5C7CA4383A2}"= Disabled:UDP:c:\users\gerwen\AppData\Local\Temp\7zSEC80.tmp\setup\HPZnui01.exe:hpznui01.exe
"{451C60EC-D357-4EA9-A89D-1E178C544D40}"= Disabled:TCP:c:\users\gerwen\AppData\Local\Temp\7zSEC80.tmp\setup\HPZnui01.exe:hpznui01.exe
"{93B139F8-585C-4134-AFBA-13F006DBA595}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{14255BE7-5A7A-434D-8D96-24937202CD13}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{14FCDFFB-C607-4016-B9BE-AA44D394342E}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{A098B515-8368-4747-9EA4-7EA90792B095}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{05CBD7A6-92DD-472E-A249-0AC35EEC5EC1}"= UDP:c:\program files\UltraVNC\vncviewer.exe:vncviewer.exe
"{3139B05C-3AF2-4263-B297-5CA72A883B1F}"= TCP:c:\program files\UltraVNC\vncviewer.exe:vncviewer.exe
"{5418B87C-33A9-49AB-8051-5883239FC8E6}"= UDP:c:\program files\Gbridge LLC\Gbridge\Gbridge.exe:GBridge
"{D04D5404-415F-4462-9749-05AEDF7DB297}"= TCP:c:\program files\Gbridge LLC\Gbridge\Gbridge.exe:GBridge
"{4DD81762-6145-41FF-890A-57E9CC197419}"= UDP:c:\program files\Gbridge LLC\Gbridge\gbwinvnc.exe:Gbwinvnc
"{79B12BCF-4F90-4387-AA13-592E4C869AD0}"= TCP:c:\program files\Gbridge LLC\Gbridge\gbwinvnc.exe:Gbwinvnc
"{3E1A3C28-B7FF-4D12-B4F9-EF2018BBD279}"= UDP:c:\program files\Gbridge LLC\Gbridge\gbvncviewer.exe:Gbvncviewer
"{63544C2E-054C-46D3-87AB-346D46ECD508}"= TCP:c:\program files\Gbridge LLC\Gbridge\gbvncviewer.exe:Gbvncviewer
"{F4FF262B-3FD8-4886-91B8-33145DAD714C}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\RM.exe:Render Manager
"{84C515C9-205B-4136-9776-C1A9326C92EF}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\RM.exe:Render Manager
"{5BBA94AC-FD9F-48F8-9F9F-83FFD7BE7084}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\Studio.exe:Studio
"{E34D8D3A-C02F-4502-A3F9-FB66989F21D5}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\Studio.exe:Studio
"{F665F931-0B84-4EAD-9BD8-307157591B05}"= UDP:c:\program files\Pinnacle\Studio 12\Programs\umi.exe:umi
"{F68F56A2-71FA-44AB-8C35-0A7C8D377692}"= TCP:c:\program files\Pinnacle\Studio 12\Programs\umi.exe:umi
"{08C3ECEF-3AE3-4446-AF81-C9D7BFA14407}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{9ECFA7D8-FCCE-4BD2-A4A5-85E47C2D8127}"= UDP:5214:Shared iTunes Libs
"{D7963AF6-9F90-4713-B403-781DB24B64E5}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{DB5313EC-424E-4775-AFDE-1D97CD67F63D}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{D0FEA42A-0DA1-4E72-87FB-1144FAA17820}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{64DF97B2-6271-4042-8E32-F6D873250988}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{E103D678-BD5F-4422-B27F-7EB2676A62BE}c:\\program files\\itunes\\itunes.exe"= UDP:c:\program files\itunes\itunes.exe:iTunes
"UDP Query User{52C6B4F0-66A6-4931-94B8-5059DE2D5DFE}c:\\program files\\itunes\\itunes.exe"= TCP:c:\program files\itunes\itunes.exe:iTunes
"TCP Query User{E111B51B-BF83-40F0-ABBE-BF4D2168559B}c:\\program files\\ultravnc\\winvnc.exe"= UDP:c:\program files\ultravnc\winvnc.exe:VNC server for Win32
"UDP Query User{EF4F0DD0-B7D9-4C7E-804C-C2C4EF47FF7E}c:\\program files\\ultravnc\\winvnc.exe"= TCP:c:\program files\ultravnc\winvnc.exe:VNC server for Win32
"{B26B6E23-6CF5-40D3-A9F5-69BB79ED6227}"= UDP:c:\program files\Spybot - Search & Destroy\SpybotSD.exe:Spybot - Search & Destroy
"{35559736-B3CE-4F01-942B-F8997CD50A10}"= TCP:c:\program files\Spybot - Search & Destroy\SpybotSD.exe:Spybot - Search & Destroy
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= c:\program files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [2009-01-31 64160]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\System32\drivers\klim6.sys [2007-04-04 20760]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2007-07-26 02:11:06 39408]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};d:\program files\cyberlink\powerDVD\000.fcl [2008-01-30 11:28:36 41456]
R2 AdeonaClientService;AdeonaClientService;c:\program files\Adeona\cygrunsrv.exe [2008-07-13 68096]
R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-05-15 50688]
R2 SSPORT;SSPORT;c:\windows\System32\drivers\SSPORT.SYS [2008-06-25 5120]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2007-05-15 179712]
R3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [2007-05-15 43008]
S3 gbridge;Gbridge Virtual Miniport;c:\windows\System32\drivers\gbridge.sys [2008-07-22 36864]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
S3 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [2008-04-13 1519168]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12bde37a-3b46-11dc-840e-806e6f6e6963}]
\shell\AutoRun\command - F:\INSTALL.EXE id=10000010000017000022 ver=1.0.0.0
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29e5e048-c064-11dd-8455-001b2464df4f}]
\shell\AutoRun\command - G:\LiteAuto.exe
.
Contents of the 'Scheduled Tasks' folder
2009-02-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-05 19:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.ca.acer.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.ca.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
TCP: {FE8ABFF2-E5E7-4193-8078-F16CAB3B579F} = 4.2.2.1
FF - ProfilePath - c:\users\gerwen\AppData\Roaming\Mozilla\Firefox\Profiles\r6o93vos.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\users\gerwen\AppData\Roaming\Mozilla\Firefox\Profiles\r6o93vos.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-06 18:08:18
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-02-06 18:11:56
ComboFix-quarantined-files.txt 2009-02-06 23:11:52
ComboFix2.txt 2009-02-05 22:33:23
Pre-Run: 22,670,606,336 bytes free
Post-Run: 22,337,363,968 bytes free
311 --- E O F --- 2009-01-23 02:25:20
That went well there :bigthumb:
I'll get back to this when Kaspersky online scanner report & a fresh hjt log are ready.
Kaspersky took a looooong time to run.
Uninstalled VNC (don't think it was a threat, i installed it myself)
Rest i deleted.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, February 7, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, February 07, 2009 00:27:54
Records in database: 1761868
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
I:\
Scan statistics:
Files scanned: 148607
Threat name: 14
Infected objects: 28
Suspicious objects: 0
Duration of the scan: 02:20:33
File name / Threat name / Threats count
C:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ab 1
C:\Users\gerwen\Desktop\Downloads\UltraVNC_1.0.4_RC14_Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.r 1
C:\Users\gerwen\Desktop\Downloads\UltraVNC_105_Setup_W32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ab 1
C:\Users\gerwen\Desktop\Old\from old laptop\lee mailbox.zip Infected: Email-Worm.Win32.Luder.a 5
C:\Users\gerwen\Desktop\Old\from old laptop\lee mailbox.zip Infected: Trojan-Downloader.Win32.Small.dam 1
C:\Users\gerwen\Desktop\Old\from old laptop\lee mailbox.zip Infected: Email-Worm.Win32.Zhelatin.a 6
C:\Users\gerwen\Desktop\Old\from old laptop\lee mailbox.zip Infected: Trojan-Proxy.Win32.Lager.dp 2
C:\Users\gerwen\Desktop\Old\from old laptop\lee mailbox.zip Infected: Email-Worm.Win32.Zhelatin.d 1
C:\Users\gerwen\Desktop\Old\from old laptop\lee mailbox.zip Infected: Email-Worm.Win32.Zhelatin.h 2
C:\Users\gerwen\Desktop\Old\from old laptop\lee mailbox.zip Infected: Email-Worm.Win32.Zhelatin.k 1
C:\Users\gerwen\Desktop\Old\from old laptop\lee mailbox.zip Infected: Email-Worm.Win32.Zhelatin.o 2
C:\Users\gerwen\Desktop\Old\from old laptop\lee mailbox.zip Infected: Email-Worm.Win32.Zhelatin.r 1
C:\Users\gerwen\Desktop\Old\from old laptop\lee mailbox.zip Infected: Email-Worm.Win32.Zhelatin.u 1
C:\Users\gerwen\Desktop\Old\from old laptop\lee mailbox.zip Infected: Email-Worm.Win32.Zhelatin.ab 2
C:\Users\gerwen\Desktop\where pics were\backed up\Random from desktop\New Folder\bev2.exe Infected: not-a-virus:NetTool.Win32.RemoteProcessSpawn.a 1
The selected area was scanned.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:14 AM, on 07/02/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\Explorer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.ca.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.ca.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [LanguageShortcut] "D:\program files\cyberlink\powerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\Windows\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE8ABFF2-E5E7-4193-8078-F16CAB3B579F}: NameServer = 4.2.2.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: eNetHook.dll d:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: AdeonaClientService - Unknown owner - C:\Program Files\Adeona\cygrunsrv.exe
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9288 bytes
Hi,
Yes, WinVNC is not malware and completely safe to have installed once system owner is aware of its presence :)
Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.
A To disable the System Restore feature:
1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Uncheck any checkboxes listed for your hard drives.
7. Press OK.
B. Reboot.
C Turn ON System Restore.
Follow the steps like you did when disabling system restore but on step 6. check any checkboxes listed for your hard drives.
Now lets uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the runbox and click OK
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
Download SpywareBlaster
Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
kill bits
in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)
hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen) Click run In the dialog box, type services.msc hit enter, then locate dns client Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual. Click ok
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.