Trojan.Script.255082
I have F-Secure Charter Security Suite on my Windows Vista (Home) computer. Two hours ago, it popped up and said that it detected Trojan.Script.255082 but was unable to remove it. I found that it was in my Temporary Internet Files so I deleted them. I don't know if I need to do anything else.
I've been searching for trojan.script problems online but haven't been able to find anything similar. I'm worried that it's something worse and deleting the file won't get rid of it. The only other problem I've had like this was last September. We were getting rid of an old PC so I put some of the data files on my laptop until I could figure out who needed them (a couple of PCs replaced it so it depended on who needed what files). I had this same kind of thing happen... it was Trojan.Generic.IS.559211 and was listed twice - one said "Failed" and the other said "Restart Required" and the file was Chinese music in an iTunes subdirectory from the old computer. I deleted the iTunes subdirectory and I haven't had anything else happen until now. I notice that some people post their HijackThis data and some don't. I was trying to find out what you require but I would have had to watch the movie or animation and normally that would be fine, but I needed to get to bed almost 2 hours ago and I am worried about this and wanted to get this out so that if you need me to use HijackThis or whatever, you could let me know and I could continue with this in the morning. I thank you for your help.
Hello dreemsnake and welcome to CTH :-)
Please download CCleaner here: Ccleaner
Once installed, run CCleaner and click the Windows tab. Select the following:
Internet Explorer: Temp Internet, History, Recently Typed URLs, Delete Index.dat files
System: Empty Recycle Bin, Temporary Files, Memory Dumps, Chkdsk File Fragments, Old Prefetch Data
Next, click Options, then the Settings tab. Uncheck "Only delete files older than 48 hrs." and click OK. Then click Run Cleaner (bottom right), then Exit.

Please download Malwarebytes' Anti-Malware (Malwarebytes-Anti-Malware) to your desktop.
Double-click mbam-setup and follow the prompts to install the program. At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan. When the scan is complete, click OK, then Show Results to view the results. Be sure that everything is checked, and click Remove Selected. When completed, a log will open in Notepad. Please save it to a convenient location.
NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Click here: HJTInstall.exe to download HJTinstall.exe. Save HJTinstall.exe to your desktop.
Double click on the HJTinstall.exe icon on your desktop. By default it will install to C:\Program Files\Trend Micro\Hijack This. Click I accept.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log. Click Save to save the log file and then the log will open in Notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Post the HijackThis log along with the Malwarebytes' Anti-Malware log in your next reply.
Hi Touch, I followed your instructions. CCleaner has areas gray-shaded that I couldn't select, but I think the 'old prefetch data' setting was the only one I couldn't choose of the ones on your list.
Here are the results you said to post. I didn't have to remove anything in MBAM. And Hijack This doesn't have anything checked. -------------------------------------------- Malwarebytes' Anti-Malware 1.43 Database version: 3508 Windows 6.0.6002 Service Pack 2 Internet Explorer 7.0.6002.18005 1/7/2010 12:34:42 PM mbam-log-2010-01-07 (12-34-42).txt Scan type: Full Scan (C:\|D:\|) Objects scanned: 261338 Time elapsed: 1 hour(s), 31 minute(s), 53 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) -------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:54:26 PM, on 1/7/2010 Platform: Windows Vista SP2 (WinNT 6.00.1906) MSIE: Internet Explorer v7.00 (7.00.6002.18005) Boot mode: Normal Running processes: C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Windows\system32\igfxsrvc.exe C:\Program Files\Launch Manager\LManager.exe C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe C:\Program Files\Charter Security Suite\Common\FSM32.EXE C:\Windows\PLFSetL.exe C:\Windows\system32\wbem\unsecapp.exe C:\Windows\PLFSetI.exe C:\Windows\System32\igfxtray.exe C:\Windows\system32\igfxext.exe C:\Windows\System32\hkcmd.exe C:\Windows\system32\igfxsrvc.exe C:\Windows\System32\igfxpers.exe C:\Windows\RtHDVCpl.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program 
Files\CyberLink\Power2Go\CLMLSvc.exe C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe C:\Windows\ehome\ehtray.exe C:\Program Files\Creative Home\Hallmark Card Studio 2009\Planner\PLNRnote.exe C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EX E C:\Windows\ehome\ehmsas.exe C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE C:\Users\Extensa\AppData\Local\Temp\RtkBtMnt.exe C:\Windows\system32\taskeng.exe C:\Program Files\Internet Explorer\ieuser.exe C:\Windows\Explorer.exe C:\Program Files\lg_fwupdate\fwupdate.exe C:\Program Files\DAEMON Tools Pro\DTProShellHlp.exe C:\Windows\system32\SearchFilterHost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! 
Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O1 - Hosts: ::1 localhost O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\Charter Security Suite\NRS\iescript\baselitmus.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\Charter Security Suite\NRS\iescript\baselitmus.dll O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter Security Suite\Common\FSM32.EXE" /splash O4 - HKLM\..\Run: [PLFSetL] C:\Windows\PLFSetL.exe O4 - HKLM\..\Run: [PLFSetI] C:\Windows\PLFSetI.exe O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] 
C:\Windows\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMen u.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe" O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu. exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" O4 - HKLM\..\Run: [UpdatePPShortCut] "C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStart Menu.exe" "C:\Program Files\CyberLink\PowerProducer" UpdateWithCreateOnce "Software\CyberLink\PowerProducer\5.0" O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.ex e" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0" O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install 
/silent O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - Global Startup: Empowering Technology Launcher.lnk = C:\Acer\Empowering Technology\eAPLauncher.exe O4 - Global Startup: Event Planner Reminder 2009.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O13 - Gopher Prefix: O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://intel-drv-cdn.systemrequireme...eqlab_srlx.cab O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/...?1252249608118 O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{9C5CA174-B2D8-4188-9B22-57AA7925BF4C}: NameServer = 208.67.222.222,208.67.220.220 O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe O23 - Service: Apple Mobile Device - Apple Inc. 
- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: dlcf_device - - C:\Windows\system32\dlcfcoms.exe O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter Security Suite\Anti-Virus\fsgk32st.exe O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter Security Suite\FWES\Program\fsdfwd.exe O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter Security Suite\Common\FSMA32.EXE O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Charter Security Suite\ORSP Client\fsorsp.exe O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32 \IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: lxdnCATSCustConnectService - Lexmark International, Inc. 
- C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdnserv.exe O23 - Service: lxdn_device - - C:\Windows\system32\lxdncoms.exe O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe -- End of file - 10927 bytes
There is nothing suspicious in the log files. However, I'll suggest we dig deeper:
Please download ComboFix here: ComboFix
Before saving it to the Desktop, please rename it to alg.exe to stop malware from disabling it.
Disable your AntiVirus and AntiSpyware applications; they may otherwise interfere with ComboFix. There are details for disabling many programmes Here.
Now, please make sure no other programs are running, and close all other windows.
Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the ComboFix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.
You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning; do not worry, this is normal and it will be restored after scanning has completed.
ComboFix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please post it in your next reply.
The logs will be reasonably large so you may have to divide them into sections and make several posts to post them.
Thanks again and here is the first part:
ComboFix 10-01-04.01 - Extensa 01/08/2010 0:03.1.2 - x86 Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.1244 [GMT -5:00] Running from: c:\downloads\ComboFix.exe SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\$recycle.bin\S-1-5-21-266150569-1508974284-1849778782-1002 c:\users\Lori\AppData\Roaming\inst.exe c:\users\Lori\Documents\LoriRegBackup.reg c:\windows\Suyin.reg I:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 ))))))))))))))))))))))))))))))) . 2010-01-08 05:18 . 2010-01-08 05:19 -------- d-----w- c:\users\Extensa\AppData\Local\temp 2010-01-08 05:18 . 2010-01-08 05:18 -------- d-----w- c:\users\lythandeBk\AppData\Local\temp 2010-01-08 05:18 . 2010-01-08 05:18 -------- d-----w- c:\users\lythande\AppData\Local\temp 2010-01-08 05:18 . 2010-01-08 05:18 -------- d-----w- c:\users\Default\AppData\Local\temp 2010-01-08 05:18 . 2010-01-08 05:18 -------- d-----w- c:\users\Administrator\AppData\Local\temp 2010-01-07 15:20 . 2010-01-07 15:20 -------- d-----w- c:\program files\CCleaner 2010-01-07 15:07 . 2010-01-07 15:07 655360 ----a-w- C:\alertlog.dat 2010-01-06 19:19 . 2009-09-03 02:58 626688 ----a-w- c:\windows\system32\vp7vfw.dll 2010-01-06 19:19 . 2009-09-03 02:57 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll 2010-01-06 19:06 . 2010-01-06 19:07 -------- d-----w- c:\users\Extensa\AppData\Roaming\log 2010-01-05 18:50 . 2010-01-05 18:50 -------- d-----w- c:\users\Extensa\AppData\Local\Power2Go 2010-01-05 18:49 . 2010-01-05 18:49 -------- d-----w- c:\programdata\Office Genuine Advantage 2010-01-05 16:23 . 2010-01-06 18:37 -------- d-----w- c:\program files\Google 2010-01-05 16:22 . 2010-01-05 16:22 -------- d-----w- c:\users\Extensa\AppData\Local\{E00349D7-2D4A-40AB-AD07-7E81E8674BDA} 2010-01-05 16:18 . 
2010-01-05 16:18 -------- d-----w- c:\users\Extensa\AppData\Local\{9E5C7B4F-5A46-458E-9BAE-0001A6640C4A} 2010-01-05 05:18 . 2010-01-05 05:18 -------- d-----w- c:\users\Public\CyberLink 2010-01-03 17:07 . 2010-01-03 17:07 -------- d-----w- C:\Temp 2010-01-03 17:06 . 2010-01-03 17:06 53319 ----a-w- c:\programdata\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe 2010-01-03 17:06 . 2010-01-03 17:07 16384 ----a-w- c:\windows\system32\lgfwunis.exe 2010-01-03 17:06 . 1998-07-22 05:00 102160 ----a-w- c:\windows\system32\VB6KO.DLL 2010-01-03 17:06 . 2010-01-07 15:51 -------- d-----w- c:\program files\lg_fwupdate 2010-01-03 17:03 . 2010-01-03 17:03 36864 ----a-w- c:\programdata\TEMP\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\PostBuild.exe 2010-01-03 17:01 . 2010-01-03 17:01 36864 ----a-w- c:\programdata\TEMP\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\PostBuild.exe 2010-01-03 17:00 . 2010-01-03 17:00 -------- d-----w- c:\program files\Common Files\CyberLink 2010-01-03 16:58 . 2010-01-03 16:58 53319 ----a-w- c:\programdata\TEMP\{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}\PostBuild.exe 2010-01-03 16:58 . 2009-01-08 16:20 34088 ----a-w- c:\programdata\CyberLink\Power2Go\P2GoGadget.dll 2010-01-03 16:56 . 2010-01-03 16:56 36864 ----a-w- c:\programdata\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe 2010-01-03 16:53 . 2010-01-03 16:53 53319 ----a-w- c:\programdata\TEMP\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\PostBuild.exe 2010-01-03 16:46 . 2010-01-03 16:46 53319 ----a-w- c:\programdata\TEMP\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe 2010-01-03 08:23 . 2010-01-06 19:06 -------- d-----w- c:\program files\VSO 2009-12-25 07:12 . 2009-12-25 07:12 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlig ht\MCESpotlight\SpotlightResources.dll 2009-12-23 22:56 . 2009-12-23 22:56 -------- d-----w- c:\users\Extensa\AppData\Local\Nova Development 2009-12-18 15:55 . 2009-09-29 00:34 47416 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc. 
dll 2009-12-18 15:55 . 2009-09-29 00:34 28984 ----a-w- c:\windows\system32\LMIport.dll 2009-12-18 15:55 . 2009-09-29 00:34 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll 2009-12-18 15:55 . 2008-08-11 17:41 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys 2009-12-18 15:54 . 2009-09-29 00:34 87352 ----a-w- c:\windows\system32\LMIinit.dll 2009-12-18 14:50 . 2009-12-18 14:50 -------- d-----w- c:\users\Extensa\AppData\Roaming\Malwarebytes 2009-12-18 14:50 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-12-18 14:50 . 2009-12-18 14:50 -------- d-----w- c:\programdata\Malwarebytes 2009-12-18 14:50 . 2010-01-07 15:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-12-18 14:50 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-12-18 14:36 . 2009-12-18 14:36 -------- d-----w- c:\program files\iPod 2009-12-18 14:35 . 2009-12-18 14:37 -------- d-----w- c:\program files\iTunes 2009-12-18 14:29 . 2009-12-18 14:30 -------- d-----w- c:\program files\QuickTime 2009-12-18 14:25 . 2009-12-18 14:25 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe 2009-12-18 14:21 . 2009-12-18 14:21 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe 2009-12-11 18:09 . 2009-12-11 18:09 -------- d-----w- c:\users\Extensa\AppData\Local\MigWiz 2009-12-11 16:49 . 2009-12-11 16:49 179232 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHE V1.DAT 2009-12-11 15:32 . 2009-12-11 15:32 -------- d-----w- c:\program files\Windows Portable Devices 2009-12-11 15:13 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll 2009-12-11 15:13 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll 2009-12-11 15:13 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll 2009-12-11 15:10 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe 2009-12-11 15:10 . 
2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll 2009-12-11 15:10 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll 2009-12-11 15:09 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll 2009-12-11 15:09 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll 2009-12-11 15:09 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll 2009-12-11 15:09 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll 2009-12-11 15:09 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll 2009-12-11 15:09 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll 2009-12-11 15:09 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll 2009-12-11 15:09 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll 2009-12-11 15:09 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.d ll 2009-12-11 15:06 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll 2009-12-11 15:06 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll 2009-12-11 15:06 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll 2009-12-10 15:09 . 2009-11-09 12:30 8192 ----a-w- c:\windows\system32\iisrstap.dll 2009-12-10 15:09 . 2009-11-09 10:48 14848 ----a-w- c:\windows\system32\iisreset.exe 2009-12-10 15:09 . 2009-11-09 12:30 153600 ----a-w- c:\windows\system32\iisRtl.dll 2009-12-10 15:08 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll 2009-12-10 15:08 . 2009-11-09 12:28 51712 ----a-w- c:\windows\system32\admwprox.dll 2009-12-10 15:08 . 2009-11-09 12:28 27136 ----a-w- c:\windows\system32\ahadmin.dll 2009-12-10 15:08 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys 2009-12-10 15:08 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll 2009-12-10 15:08 . 
2009-11-09 12:32 10752 ----a-w- c:\windows\system32\wamregps.dll 2009-12-09 23:07 . 2009-10-27 14:11 834048 ----a-w- c:\windows\system32\wininet.dll 2009-12-09 23:07 . 2009-10-27 13:16 78336 ----a-w- c:\windows\system32\ieencode.dll 2009-12-09 18:55 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll 2009-12-09 18:53 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll 2009-12-09 18:36 . 2009-12-09 18:41 -------- d-----w- c:\windows\system32\ca-ES 2009-12-09 18:36 . 2009-12-09 18:41 -------- d-----w- c:\windows\system32\eu-ES 2009-12-09 18:36 . 2009-12-09 18:41 -------- d-----w- c:\windows\system32\vi-VN 2009-12-09 08:43 . 2009-12-09 08:43 -------- d-----w- c:\windows\system32\EventProviders . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 2010-01-08 04:44 . 2009-05-31 16:34 720 ----a-w- c:\programdata\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll 2010-01-07 19:32 . 2009-08-30 17:01 -------- d-----w- c:\programdata\Lx_cats 2010-01-07 15:37 . 2009-08-27 04:48 -------- d-----w- c:\programdata\Spybot - Search & Destroy 2010-01-07 03:53 . 2009-02-18 17:03 -------- d-----w- c:\users\Extensa\AppData\Roaming\Vso 2010-01-06 19:06 . 2009-02-18 17:03 47360 ----a-w- c:\users\Extensa\AppData\Roaming\pcouffin.sys 2010-01-06 19:06 . 2009-02-18 17:03 47360 ----a-w- c:\users\Extensa\AppData\Roaming\pcouffin.sys 2010-01-05 21:11 . 2009-03-03 04:43 -------- d-----w- c:\programdata\CyberLink 2010-01-05 21:11 . 2009-03-03 04:44 -------- d-----w- c:\users\Extensa\AppData\Roaming\CyberLink 2010-01-04 14:42 . 2007-11-25 06:19 184320 ----a-w- c:\users\Extensa\AppData\Local\GDIPFONTCACHEV1.DAT 2010-01-03 17:32 . 2007-08-26 04:52 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-01-03 17:07 . 2007-09-15 11:15 -------- d-----w- c:\program files\CyberLink 2010-01-03 16:58 . 2007-08-26 05:15 505128 ----a-w- c:\windows\system32\msvcp71.dll 2010-01-03 16:58 . 
2007-08-26 05:15 353576 ----a-w- c:\windows\system32\msvcr71.dll 2009-12-30 19:57 . 2009-08-26 17:40 -------- d-----w- c:\program files\Charter Security Suite 2009-12-18 15:49 . 2008-02-21 17:22 -------- d-----w- c:\program files\Java 2009-12-18 14:35 . 2009-07-13 22:56 -------- d-----w- c:\program files\Common Files\Apple 2009-12-18 14:35 . 2008-02-12 23:38 -------- d-----w- c:\programdata\Apple Computer 2009-12-18 14:24 . 2009-07-13 23:09 -------- d-----w- c:\program files\Safari 2009-12-18 12:00 . 2009-08-26 18:03 -------- d-----w- c:\users\Extensa\AppData\Roaming\F-Secure 2009-12-17 02:19 . 2009-08-26 17:42 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys 2009-12-17 02:07 . 2009-08-26 17:39 -------- d-----w- c:\programdata\fssg 2009-12-11 19:05 . 2007-08-26 05:30 -------- d-----w- c:\program files\Microsoft Works 2009-12-11 16:49 . 2009-02-19 19:48 8224 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT 2009-12-11 16:42 . 2008-01-08 03:12 -------- d-----w- c:\users\Extensa\AppData\Roaming\Yahoo! 2009-12-11 15:32 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat 2009-12-11 15:31 . 2009-12-11 15:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_ 00.Wdf 2009-12-10 15:30 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail 2009-12-09 18:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar 2009-12-09 18:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar 2009-12-09 18:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration 2009-12-09 18:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal 2009-12-09 18:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery 2009-12-09 18:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender 2009-12-03 19:38 . 2007-04-18 09:28 -------- d-----w- c:\program files\Intel 2009-12-03 16:11 . 2009-12-03 16:11 -------- d-----w- c:\program files\MSXML 4.0 2009-12-03 05:03 . 
2009-11-11 20:07 -------- d-----w- c:\users\Extensa\AppData\Roaming\FreeFLVConverter 2009-12-03 01:35 . 2009-11-11 20:07 -------- d-----w- c:\program files\Free FLV Converter 2009-12-02 23:27 . 2009-12-02 23:26 -------- d-----w- c:\program files\SystemRequirementsLab 2009-12-01 01:11 . 2009-12-01 01:11 -------- d-----w- c:\program files\Alcohol Soft 2009-11-19 03:55 . 2009-11-19 03:55 40960 ----a-r- c:\users\Extensa\AppData\Roaming\Microsoft\Install er\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906 B4E9E4B_3.exe 2009-11-19 03:55 . 2009-11-19 03:55 8854 ----a-r- c:\users\Extensa\AppData\Roaming\Microsoft\Install er\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\Uninstall_WD_Diagnos_0AB76F69E7614CF AB9B0A1906B4E9E4B.exe 2009-11-19 03:55 . 2009-11-19 03:55 10134 ----a-r- c:\users\Extensa\AppData\Roaming\Microsoft\Install er\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\ARPPRODUCTICON.exe 2009-11-19 03:55 . 2009-11-19 03:55 -------- d-----w- c:\program files\Western Digital Technologies 2009-11-15 22:48 . 2009-10-27 05:19 -------- d-----w- c:\users\Extensa\AppData\Roaming\ImgBurn 2009-11-11 19:50 . 2009-11-11 20:07 311296 ----a-w- c:\windows\system32\TubeFinder.exe 2009-11-11 04:43 . 2008-06-03 18:53 -------- d-----w- c:\users\Extensa\AppData\Roaming\GetRightToGo 2009-11-02 15:19 . 2009-06-06 07:26 5972 ----a-w- c:\users\Extensa\AppData\Local\d3d9caps.dat 2009-10-29 09:17 . 2009-12-03 16:13 2048 ----a-w- c:\windows\system32\tzres.dll 2007-09-15 11:45 . 2007-09-15 11:45 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT . |
And here is the last:
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-06-15 850704]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"F-Secure Manager"="c:\program files\Charter Security Suite\Common\FSM32.EXE" [2009-08-05 199264]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 150552]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-29 4472832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-20 136600]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]
"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-18 218408]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2010-01-03 557056]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-09-29 210216]
"F-Secure TNB"="c:\program files\Charter Security Suite\FSGUI\TNBUtil.exe" [2009-08-05 2349664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-8-26 535336]
Event Planner Reminder 2009.lnk - c:\windows\Installer\{C4609419-C11E-4CE6-B369-F3F8A7DDD94C}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe [2009-5-26 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=c:\windows\pss\Forget Me Not.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PDFCreator.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\PDFCreator.lnk
backup=c:\windows\pss\PDFCreator.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Extensa^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\users\Extensa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2009-04-24 03:16 203928 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-04-29 20:38 188728 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-09-14 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-10-26 01:10 652624 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2009-08-01 16:11 50520 ----a-w- c:\users\Extensa\AppData\Roaming\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
2009-04-09 08:48 228808 ----a-w- c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLCFCATS]
2006-10-20 21:48 73728 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\dlcftime.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2009-01-29 15:43 320168 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdnamon]
2009-01-29 15:43 16040 ----a-w- c:\program files\Lexmark 2600 Series\lxdnamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdnmon.exe]
2009-01-29 15:43 660136 ----a-w- c:\program files\Lexmark 2600 Series\lxdnmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-06-20 07:03 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSet]
2007-04-24 15:49 45056 ----a-w- c:\windows\PLFSet.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-05-29 00:29 4472832 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):10,56,d9,49,00,79,ca,01

R0 fsbts;fsbts;c:\windows\System32\drivers\fsbts.sys [8/26/2009 12:42 PM 33920]
R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [9/8/2009 1:42 PM 28544]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Charter Security Suite\HIPS\drivers\fshs.sys [8/26/2009 12:41 PM 68064]
R1 FSES;F-Secure Email Scanning Driver;c:\windows\System32\drivers\fses.sys [8/26/2009 12:42 PM 35680]
R1 FSFW;F-Secure Firewall Driver;c:\windows\System32\drivers\fsdfw.sys [8/26/2009 12:42 PM 71040]
R1 fsvista;F-Secure Vista Support Driver;c:\program files\Charter Security Suite\Anti-Virus\minifilter\fsvista.sys [8/26/2009 12:40 PM 12384]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [12/18/2009 10:55 AM 47640]
R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Charter Security Suite\Anti-Virus\minifilter\fsgk.sys [8/26/2009 12:40 PM 107104]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Charter Security Suite\ORSP Client\fsorsp.exe [8/26/2009 12:41 PM 55936]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [7/14/2009 1:22 AM 721904]
S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\System32\spool\drivers\w32x86\3\lxdnserv.exe [2/27/2008 6:07 PM 98984]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2/8/2007 5:03 PM 179712]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [7/18/2008 4:37 PM 21504]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Charter Security Suite\Anti-Virus\win2k\fsfilter.sys [8/26/2009 12:40 PM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Charter Security Suite\Anti-Virus\win2k\fsrec.sys [8/26/2009 12:40 PM 25184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-01-08 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\CHARTE~1\ANTI-V~1\fsav.exe [2009-08-26 15:56]

2010-01-08 c:\windows\Tasks\User_Feed_Synchronization-{0552564B-BD87-4D0C-BC1A-7E929B2B9005}.job
- c:\windows\system32\msfeedssync.exe [2008-07-18 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Charter Security Suite\FSPS\program\FSLSP.DLL
Trusted Zone: microsoft.com\forums
FF - ProfilePath - c:\users\Extensa\AppData\Roaming\Mozilla\Firefox\Profiles\i82o4p1f.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Acer Tour Reminder - (no file)
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)
HKLM-Run-NWEReboot - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-DNS7reminder - d:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe
MSConfigStartUp-Google Update - c:\users\Extensa\AppData\Local\Google\Update\GoogleUpdate.exe
MSConfigStartUp-googletalk - c:\users\Extensa\AppData\Roaming\Google\Google Talk\googletalk.exe
MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
MSConfigStartUp-SSBkgdUpdate - c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-Symantec PIF AlertEng - c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
MSConfigStartUp-ZoneAlarm Client - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-08 00:18
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-266150569-1508974284-1849778782-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{13C3AC3B-D03F-EDED-4559-8882B1793BAB}*]
"habbcfjplhdpemll"=hex:69,61,68,65,6e,6a,6f,70,66,66,69,6b,6e,61,6b,66,6a,61,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\program files\charter security suite\hips\fshook32.dll

- - - - - - - > 'lsass.exe'(684)
c:\program files\charter security suite\hips\fshook32.dll
.
Completion time: 2010-01-08 00:25:46
ComboFix-quarantined-files.txt 2010-01-08 05:25

Pre-Run: 1,873,797,120 bytes free
Post-Run: 1,775,968,256 bytes free

- - End Of File - - 4A0C71322128FEDA5E38460890ECFDDA |
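The "Reg Loading Points" section of a ComboFix log lists each Run-key value as `"Name"="path" [date size]` and each item under `msconfig\startupreg` as `date time size attrs path`. As an added example (not part of the original post and not a ComboFix feature), the Python below parses those two formats and applies three review heuristics that are assumptions of this example, not anything the thread states: a bare file name with no directory (like the `RtHDVCpl` value above, which Windows must resolve through its search order at logon), a binary under a user-writable directory, and any entry under `msconfig\startupreg`, which is where msconfig stores items it has disabled so they do not launch at logon. The sample lines are copied from the log above; a flag means "look at this", not "this is malicious".

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the ComboFix log posted in the thread.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-29 4472832]
"F-Secure Manager"="c:\program files\Charter Security Suite\Common\FSM32.EXE" [2009-08-05 199264]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2009-08-01 16:11 50520 ----a-w- c:\users\Extensa\AppData\Roaming\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
'''

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
# "Name"="path" [YYYY-MM-DD size]  -- the layout ComboFix uses under the Run keys
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$')
# YYYY-MM-DD HH:MM size attrs path  -- the layout under msconfig\startupreg
STARTUPREG_RE = re.compile(r'^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (?P<size>\d+) \S+ (?P<path>.+)$')

# Assumed heuristic (this example's, not the thread's): these directory fragments are writable
# by a standard user, so an autostart pointing there deserves a second look. Not proof of anything.
USER_WRITABLE = ('\\users\\', '\\appdata\\', '\\programdata\\', '\\temp\\')


@dataclass
class AutostartEntry:
    source: str        # registry key the entry was read from
    name: str          # value name (Run keys) or key leaf (startupreg)
    path: str
    date: str
    size: int
    disabled: bool     # True under msconfig\startupreg: item is disabled, not launched at logon
    flags: list = field(default_factory=list)


def parse_loading_points(text: str) -> list:
    """Parse Run-key and msconfig\\startupreg entries out of 'Reg Loading Points' text."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            current_key = m.group('key')
            continue
        if current_key is None:
            continue
        if m := RUN_RE.match(line):
            entries.append(AutostartEntry(current_key, m['name'], m['path'], m['date'], int(m['size']), False))
        elif m := STARTUPREG_RE.match(line):
            disabled = 'msconfig\\startupreg' in current_key.lower()
            name = current_key.rsplit('\\', 1)[-1]
            entries.append(AutostartEntry(current_key, name, m['path'], m['date'], int(m['size']), disabled))
    return entries


def triage(entries: list) -> list:
    """Attach review flags; return (name, flags) for every entry that earned at least one."""
    out = []
    for e in entries:
        low = e.path.lower()
        if '\\' not in e.path:
            e.flags.append('bare filename: resolved through the search path at logon, confirm which file runs')
        if any(frag in low for frag in USER_WRITABLE):
            e.flags.append('binary lives in a user-writable location')
        if e.disabled:
            e.flags.append('disabled via msconfig, not launched at logon (still worth identifying)')
        if e.flags:
            out.append((e.name, e.flags))
    return out


if __name__ == '__main__':
    for name, flags in triage(parse_loading_points(SAMPLE_LOG)):
        print(f'{name}: ' + '; '.join(flags))
```

Run against the sample, this flags `RtHDVCpl` (bare file name), `cdloader` (user profile path and msconfig-disabled) and `Windows Defender` (msconfig-disabled only), and leaves the Program Files and system32 entries alone. To use it on a full log, paste the whole "Reg Loading Points" block in place of the sample; the startup-folder `.lnk` lines and the service (`R0`/`S3`) lines use yet other layouts and are deliberately not parsed here.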
It looks clean. Please tell me how things are running now.
|
Touch, thank you so much for your help. I haven't gotten any warnings since and things seem to be running fine.
I typically get intrusion alerts too, but I haven't gotten those, either. My alert log was deleted in everything that was done, but that's okay. I don't know if I should worry about those because my firewall catches them. Thanks again for the time spent. I'm relieved that everything's okay. |
Quote:
Download OTL by OldTimer, saving it to your desktop: OTL.exe
Click on the CleanUp! button. You'll be asked if you want to Begin cleanup process? Select Yes.
This step removes the files, folders, and shortcuts created by the tools I had you download and run.
When done, you will be prompted to restart your computer. Please restart your computer.
To find out what programs need to be updated, please download and run the: Secunia Personal Software Inspector (PSI)
Please read this guide about how to protect yourself while on the internet: How to help Prevent reinfection |
Copyright ©2000 - 2010, Cyber Tech Help. All rights reserved. All other trademarks are the property of their respective owners.