Cyber Tech Help Support Forums > Software > Malware Removal Forum

  #1  
Old January 7th, 2010, 05:54 AM
dreemsnake
Member
 
Join Date: Jan 2010
Posts: 51
Trojan.Script.255082

I have F-Secure Charter Security Suite on my Windows Vista (Home) computer. Two hours ago, it popped up and said that it detected Trojan.Script.255082 but was unable to remove it. I found that it was in my Temporary Internet Files so I deleted them. I don't know if I need to do anything else.

I've been searching for trojan.script problems online but haven't been able to find anything similar. I'm worried that it's something worse and deleting the file won't get rid of it.

The only other problem I've had like this was last September. We were getting rid of an old PC so I put some of the data files on my laptop until I could figure out who needed them (a couple of PCs replaced it so it depended on who needed what files). I had this same kind of thing happen...it was Trojan.Generic.IS.559211 and was listed twice - one said "Failed" and the other said "Restart Required" and the file was Chinese music in an iTunes subdirectory from the old computer. I deleted the iTunes subdirectory and I haven't had anything else happen until now.

I notice that some people post their Hijack This data and some don't. I was trying to find out what you require but I would have had to watch the movie or animation and normally that would be fine, but I needed to get to bed almost 2 hours ago and I am worried about this and wanted to get this out so that if you need me to use Hijack This or whatever, you could let me know and I could continue with this in the morning.

I thank you for your help.


  #2  
Old January 7th, 2010, 06:22 AM
touch
Malware Removal Team
 
Join Date: Jan 2007
O/S: Windows XP Pro
Posts: 3,595
Hello dreemsnake and welcome to CTH :-)

Please download: CCleaner here:
Ccleaner

Once installed, run CCleaner click the Windows tab
Select the following:
Internet Explorer:
Temp Internet
History
Recently Typed URLs
Delete Index.dat files


System:
Empty Recycle Bin
Temporary Files
Memory Dumps
Chkdsk File Fragments
Old Prefetch Data


Next: click Options click the Settings tab
Uncheck: "Only delete files older than 48 hrs.", click Ok

Then click Run Cleaner (bottom right) then Exit


Please download Malwarebytes' Anti-Malware:
Malwarebytes-Anti-Malware
to your desktop.

Double-click mbam-setup and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Click here: HJTInstall.exe
to download HJTinstall.exe
Save HJTinstall.exe to your desktop.
Double click on the HJTinstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\Hijack This.
Click I accept
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.

DO NOT have Hijack This fix anything yet.
Most of what it finds will be harmless or even required.

Post hijackthis log along with Malwarebytes' Anti-Malware log in your next reply.
  #3  
Old January 7th, 2010, 07:05 PM
dreemsnake
Member
 
Join Date: Jan 2010
Posts: 51
Hi Touch, I followed your instructions. CCleaner has areas gray-shaded that I couldn't select, but I think the 'old prefetch data' setting was the only one I couldn't choose of the ones on your list.

Here are the results you said to post. I didn't have to remove anything in MBAM. And Hijack This doesn't have anything checked.

--------------------------------------------
Malwarebytes' Anti-Malware 1.43
Database version: 3508
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

1/7/2010 12:34:42 PM
mbam-log-2010-01-07 (12-34-42).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 261338
Time elapsed: 1 hour(s), 31 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:26 PM, on 1/7/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Charter Security Suite\Common\FSM32.EXE
C:\Windows\PLFSetL.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\PLFSetI.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\igfxext.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2009\Planner\PLNRnote.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Users\Extensa\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\Explorer.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\DAEMON Tools Pro\DTProShellHlp.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\Charter Security Suite\NRS\iescript\baselitmus.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\Charter Security Suite\NRS\iescript\baselitmus.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [PLFSetL] C:\Windows\PLFSetL.exe
O4 - HKLM\..\Run: [PLFSetI] C:\Windows\PLFSetI.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [UpdatePPShortCut] "C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerProducer" UpdateWithCreateOnce "Software\CyberLink\PowerProducer\5.0"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Empowering Technology Launcher.lnk = C:\Acer\Empowering Technology\eAPLauncher.exe
O4 - Global Startup: Event Planner Reminder 2009.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://intel-drv-cdn.systemrequireme...eqlab_srlx.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/...?1252249608118
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C5CA174-B2D8-4188-9B22-57AA7925BF4C}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcf_device - - C:\Windows\system32\dlcfcoms.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter Security Suite\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Charter Security Suite\ORSP Client\fsorsp.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdnCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdnserv.exe
O23 - Service: lxdn_device - - C:\Windows\system32\lxdncoms.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe

--
End of file - 10927 bytes
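The HijackThis log above is a plain-text format that a reviewer reads by section prefix (R entries are Internet Explorer registry settings, O4 entries are auto-start locations, O17 the configured DNS servers, O23 the installed services). As an added example, not part of this thread and not HijackThis code, here is a small Python triage script that parses that format and lists the entries a reviewer would look at first: running processes and auto-start commands located in user-writable directories, orphaned entries marked "(no file)", bare filenames that Windows resolves through a PATH search, startup shortcuts whose target shows as "?", services with no publisher in their version information, and any NameServer override. The embedded sample is a subset of the lines from the log posted above; the regular expressions and the list of user-writable directory markers are my own assumptions about the format. A listed entry is a prompt to look, not a verdict: the process in the Temp directory is flagged purely because of its location, and touch's review of the full log in the next reply found nothing suspicious.

```python
"""Triage helper for HijackThis-style logs (added example; not HijackThis code)."""
import re
from dataclasses import dataclass

# Generic entry: "<kind> - <body>", e.g. "O4 - HKLM\..\Run: [Name] C:\app.exe"
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 registry Run value: "<hive key>: [<value name>] <command line>"
O4_RUN_RE = re.compile(r"^(?P<key>[^\[]+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# O4 startup-folder shortcut: "Global Startup: <file>.lnk = <target>"
O4_STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.+?) = (?P<target>.*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")
# Assumed list of directories ordinary users can write to: an auto-start
# entry or a running process located there is worth a second look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\recycler\\")


@dataclass
class Finding:
    line: str    # the log line that triggered the finding
    reason: str  # why a reviewer should look at it


def command_path(cmd):
    """Pull the executable out of a Run command line. Quoted paths are taken
    as-is; unquoted ones are grown token by token until a token ends in .exe,
    so unquoted paths containing spaces (Program Files) are kept whole."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return tokens[0]


def parse_service(rest):
    """Split 'name - company - path'. An empty company appears as
    'name - - path' (or 'name -  - path' before the forum collapsed spaces)."""
    head, _, path = rest.rpartition(" - ")
    name, sep, company = head.rpartition(" - ")
    if not sep:
        name, company = head.rstrip(" -"), ""
    return name.strip(), company.strip(), path.strip()


def check_path(path, line, findings):
    low = path.lower()
    if any(marker in low for marker in USER_WRITABLE):
        findings.append(Finding(line, "executable in user-writable location"))
    elif "\\" not in path:
        findings.append(Finding(line, "bare filename, resolved through PATH search"))


def triage(log_text):
    """Return the entries a reviewer should look at, in log order."""
    findings, in_procs = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line closes the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            check_path(line, line, findings)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if body.endswith("(no file)"):
            findings.append(Finding(line, "orphaned entry: referenced file is missing"))
        elif kind == "O4":
            run, startup = O4_RUN_RE.match(body), O4_STARTUP_RE.match(body)
            if run:
                check_path(command_path(run.group("cmd")), line, findings)
            elif startup and startup.group("target") == "?":
                findings.append(Finding(line, "startup shortcut with unresolved target"))
        elif kind == "O23" and body.startswith("Service: "):
            name, company, path = parse_service(body[len("Service: "):])
            if company in ("", "Unknown owner"):
                findings.append(Finding(line, f"service {name!r} has no publisher in its version info"))
            check_path(path, line, findings)
        elif kind == "O17":
            dns = O17_RE.search(body)
            if dns:
                findings.append(Finding(line, "DNS servers set to " + dns.group("servers") + "; confirm they are intended"))
    return findings


# Constructed sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Charter Security Suite\Common\FSM32.EXE
C:\Users\Extensa\AppData\Local\Temp\RtkBtMnt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - Global Startup: Event Planner Reminder 2009.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C5CA174-B2D8-4188-9B22-57AA7925BF4C}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcf_device - - C:\Windows\system32\dlcfcoms.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:<55} {f.line}")
```

Run against the sample it reports seven entries, in log order: the Temp-resident process, the orphaned Yahoo! Toolbar hook, the bare `RtHDVCpl.exe` Run value, the unresolved startup shortcut, the two DNS servers, and the two services without a publisher. Paste a full log into `SAMPLE_LOG` (or read it from a file) to triage a real one; the script deliberately knows nothing about which binaries are good, so its output is a reading order for the reviewer, not a list of infections.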
  #4  
Old January 8th, 2010, 04:37 AM
touch
Malware Removal Team
 
Join Date: Jan 2007
O/S: Windows XP Pro
Posts: 3,595
There is nothing suspicious in the log files. However, I'll suggest we dig deeper ->


Please download combofix here ->
ComboFix
Before Saving it to Desktop, please rename it to alg.exe to stop malware from disabling it.

Disable your AntiVirus and AntiSpyware applications, they may otherwise interfere with Combofix.
There are details for disabling many programmes Here

Now, please make sure no other programs are running, close all other windows.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after
scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted.
Usually located in c:\combofix.txt, please post it to your next reply

The logs will be reasonably large so you may have to divide them into sections and make several posts to post them.
  #5  
Old January 8th, 2010, 04:34 PM
dreemsnake
Member
 
Join Date: Jan 2010
Posts: 51
Thanks again and here is the first part:

ComboFix 10-01-04.01 - Extensa 01/08/2010 0:03.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.1244 [GMT -5:00]
Running from: c:\downloads\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-266150569-1508974284-1849778782-1002
c:\users\Lori\AppData\Roaming\inst.exe
c:\users\Lori\Documents\LoriRegBackup.reg
c:\windows\Suyin.reg
I:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 )))))))))))))))))))))))))))))))
.

2010-01-08 05:18 . 2010-01-08 05:19 -------- d-----w- c:\users\Extensa\AppData\Local\temp
2010-01-08 05:18 . 2010-01-08 05:18 -------- d-----w- c:\users\lythandeBk\AppData\Local\temp
2010-01-08 05:18 . 2010-01-08 05:18 -------- d-----w- c:\users\lythande\AppData\Local\temp
2010-01-08 05:18 . 2010-01-08 05:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-08 05:18 . 2010-01-08 05:18 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-01-07 15:20 . 2010-01-07 15:20 -------- d-----w- c:\program files\CCleaner
2010-01-07 15:07 . 2010-01-07 15:07 655360 ----a-w- C:\alertlog.dat
2010-01-06 19:19 . 2009-09-03 02:58 626688 ----a-w- c:\windows\system32\vp7vfw.dll
2010-01-06 19:19 . 2009-09-03 02:57 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll
2010-01-06 19:06 . 2010-01-06 19:07 -------- d-----w- c:\users\Extensa\AppData\Roaming\log
2010-01-05 18:50 . 2010-01-05 18:50 -------- d-----w- c:\users\Extensa\AppData\Local\Power2Go
2010-01-05 18:49 . 2010-01-05 18:49 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-01-05 16:23 . 2010-01-06 18:37 -------- d-----w- c:\program files\Google
2010-01-05 16:22 . 2010-01-05 16:22 -------- d-----w- c:\users\Extensa\AppData\Local\{E00349D7-2D4A-40AB-AD07-7E81E8674BDA}
2010-01-05 16:18 . 2010-01-05 16:18 -------- d-----w- c:\users\Extensa\AppData\Local\{9E5C7B4F-5A46-458E-9BAE-0001A6640C4A}
2010-01-05 05:18 . 2010-01-05 05:18 -------- d-----w- c:\users\Public\CyberLink
2010-01-03 17:07 . 2010-01-03 17:07 -------- d-----w- C:\Temp
2010-01-03 17:06 . 2010-01-03 17:06 53319 ----a-w- c:\programdata\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe
2010-01-03 17:06 . 2010-01-03 17:07 16384 ----a-w- c:\windows\system32\lgfwunis.exe
2010-01-03 17:06 . 1998-07-22 05:00 102160 ----a-w- c:\windows\system32\VB6KO.DLL
2010-01-03 17:06 . 2010-01-07 15:51 -------- d-----w- c:\program files\lg_fwupdate
2010-01-03 17:03 . 2010-01-03 17:03 36864 ----a-w- c:\programdata\TEMP\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\PostBuild.exe
2010-01-03 17:01 . 2010-01-03 17:01 36864 ----a-w- c:\programdata\TEMP\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\PostBuild.exe
2010-01-03 17:00 . 2010-01-03 17:00 -------- d-----w- c:\program files\Common Files\CyberLink
2010-01-03 16:58 . 2010-01-03 16:58 53319 ----a-w- c:\programdata\TEMP\{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}\PostBuild.exe
2010-01-03 16:58 . 2009-01-08 16:20 34088 ----a-w- c:\programdata\CyberLink\Power2Go\P2GoGadget.dll
2010-01-03 16:56 . 2010-01-03 16:56 36864 ----a-w- c:\programdata\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe
2010-01-03 16:53 . 2010-01-03 16:53 53319 ----a-w- c:\programdata\TEMP\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\PostBuild.exe
2010-01-03 16:46 . 2010-01-03 16:46 53319 ----a-w- c:\programdata\TEMP\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe
2010-01-03 08:23 . 2010-01-06 19:06 -------- d-----w- c:\program files\VSO
2009-12-25 07:12 . 2009-12-25 07:12 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-23 22:56 . 2009-12-23 22:56 -------- d-----w- c:\users\Extensa\AppData\Local\Nova Development
2009-12-18 15:55 . 2009-09-29 00:34 47416 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2009-12-18 15:55 . 2009-09-29 00:34 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-12-18 15:55 . 2009-09-29 00:34 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-12-18 15:55 . 2008-08-11 17:41 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2009-12-18 15:54 . 2009-09-29 00:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-12-18 14:50 . 2009-12-18 14:50 -------- d-----w- c:\users\Extensa\AppData\Roaming\Malwarebytes
2009-12-18 14:50 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-18 14:50 . 2009-12-18 14:50 -------- d-----w- c:\programdata\Malwarebytes
2009-12-18 14:50 . 2010-01-07 15:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-18 14:50 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-18 14:36 . 2009-12-18 14:36 -------- d-----w- c:\program files\iPod
2009-12-18 14:35 . 2009-12-18 14:37 -------- d-----w- c:\program files\iTunes
2009-12-18 14:29 . 2009-12-18 14:30 -------- d-----w- c:\program files\QuickTime
2009-12-18 14:25 . 2009-12-18 14:25 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-18 14:21 . 2009-12-18 14:21 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-12-11 18:09 . 2009-12-11 18:09 -------- d-----w- c:\users\Extensa\AppData\Local\MigWiz
2009-12-11 16:49 . 2009-12-11 16:49 179232 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-11 15:32 . 2009-12-11 15:32 -------- d-----w- c:\program files\Windows Portable Devices
2009-12-11 15:13 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-12-11 15:13 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-12-11 15:13 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-12-11 15:10 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-12-11 15:10 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-12-11 15:10 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-12-11 15:09 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-12-11 15:09 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-12-11 15:09 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-12-11 15:09 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-12-11 15:09 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-12-11 15:09 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-12-11 15:09 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-12-11 15:09 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-12-11 15:09 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-12-11 15:06 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-12-11 15:06 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-12-11 15:06 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-12-10 15:09 . 2009-11-09 12:30 8192 ----a-w- c:\windows\system32\iisrstap.dll
2009-12-10 15:09 . 2009-11-09 10:48 14848 ----a-w- c:\windows\system32\iisreset.exe
2009-12-10 15:09 . 2009-11-09 12:30 153600 ----a-w- c:\windows\system32\iisRtl.dll
2009-12-10 15:08 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-10 15:08 . 2009-11-09 12:28 51712 ----a-w- c:\windows\system32\admwprox.dll
2009-12-10 15:08 . 2009-11-09 12:28 27136 ----a-w- c:\windows\system32\ahadmin.dll
2009-12-10 15:08 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-10 15:08 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-10 15:08 . 2009-11-09 12:32 10752 ----a-w- c:\windows\system32\wamregps.dll
2009-12-09 23:07 . 2009-10-27 14:11 834048 ----a-w- c:\windows\system32\wininet.dll
2009-12-09 23:07 . 2009-10-27 13:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-09 18:55 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
2009-12-09 18:53 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-09 18:36 . 2009-12-09 18:41 -------- d-----w- c:\windows\system32\ca-ES
2009-12-09 18:36 . 2009-12-09 18:41 -------- d-----w- c:\windows\system32\eu-ES
2009-12-09 18:36 . 2009-12-09 18:41 -------- d-----w- c:\windows\system32\vi-VN
2009-12-09 08:43 . 2009-12-09 08:43 -------- d-----w- c:\windows\system32\EventProviders

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-08 04:44 . 2009-05-31 16:34 720 ----a-w- c:\programdata\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-01-07 19:32 . 2009-08-30 17:01 -------- d-----w- c:\programdata\Lx_cats
2010-01-07 15:37 . 2009-08-27 04:48 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-07 03:53 . 2009-02-18 17:03 -------- d-----w- c:\users\Extensa\AppData\Roaming\Vso
2010-01-06 19:06 . 2009-02-18 17:03 47360 ----a-w- c:\users\Extensa\AppData\Roaming\pcouffin.sys
2010-01-06 19:06 . 2009-02-18 17:03 47360 ----a-w- c:\users\Extensa\AppData\Roaming\pcouffin.sys
2010-01-05 21:11 . 2009-03-03 04:43 -------- d-----w- c:\programdata\CyberLink
2010-01-05 21:11 . 2009-03-03 04:44 -------- d-----w- c:\users\Extensa\AppData\Roaming\CyberLink
2010-01-04 14:42 . 2007-11-25 06:19 184320 ----a-w- c:\users\Extensa\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-03 17:32 . 2007-08-26 04:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-03 17:07 . 2007-09-15 11:15 -------- d-----w- c:\program files\CyberLink
2010-01-03 16:58 . 2007-08-26 05:15 505128 ----a-w- c:\windows\system32\msvcp71.dll
2010-01-03 16:58 . 2007-08-26 05:15 353576 ----a-w- c:\windows\system32\msvcr71.dll
2009-12-30 19:57 . 2009-08-26 17:40 -------- d-----w- c:\program files\Charter Security Suite
2009-12-18 15:49 . 2008-02-21 17:22 -------- d-----w- c:\program files\Java
2009-12-18 14:35 . 2009-07-13 22:56 -------- d-----w- c:\program files\Common Files\Apple
2009-12-18 14:35 . 2008-02-12 23:38 -------- d-----w- c:\programdata\Apple Computer
2009-12-18 14:24 . 2009-07-13 23:09 -------- d-----w- c:\program files\Safari
2009-12-18 12:00 . 2009-08-26 18:03 -------- d-----w- c:\users\Extensa\AppData\Roaming\F-Secure
2009-12-17 02:19 . 2009-08-26 17:42 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2009-12-17 02:07 . 2009-08-26 17:39 -------- d-----w- c:\programdata\fssg
2009-12-11 19:05 . 2007-08-26 05:30 -------- d-----w- c:\program files\Microsoft Works
2009-12-11 16:49 . 2009-02-19 19:48 8224 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-12-11 16:42 . 2008-01-08 03:12 -------- d-----w- c:\users\Extensa\AppData\Roaming\Yahoo!
2009-12-11 15:32 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-11 15:31 . 2009-12-11 15:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-12-10 15:30 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-09 18:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-12-09 18:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-12-09 18:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-12-09 18:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-12-09 18:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-12-09 18:41 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-12-03 19:38 . 2007-04-18 09:28 -------- d-----w- c:\program files\Intel
2009-12-03 16:11 . 2009-12-03 16:11 -------- d-----w- c:\program files\MSXML 4.0
2009-12-03 05:03 . 2009-11-11 20:07 -------- d-----w- c:\users\Extensa\AppData\Roaming\FreeFLVConverter
2009-12-03 01:35 . 2009-11-11 20:07 -------- d-----w- c:\program files\Free FLV Converter
2009-12-02 23:27 . 2009-12-02 23:26 -------- d-----w- c:\program files\SystemRequirementsLab
2009-12-01 01:11 . 2009-12-01 01:11 -------- d-----w- c:\program files\Alcohol Soft
2009-11-19 03:55 . 2009-11-19 03:55 40960 ----a-r- c:\users\Extensa\AppData\Roaming\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
2009-11-19 03:55 . 2009-11-19 03:55 8854 ----a-r- c:\users\Extensa\AppData\Roaming\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\Uninstall_WD_Diagnos_0AB76F69E7614CFAB9B0A1906B4E9E4B.exe
2009-11-19 03:55 . 2009-11-19 03:55 10134 ----a-r- c:\users\Extensa\AppData\Roaming\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\ARPPRODUCTICON.exe
2009-11-19 03:55 . 2009-11-19 03:55 -------- d-----w- c:\program files\Western Digital Technologies
2009-11-15 22:48 . 2009-10-27 05:19 -------- d-----w- c:\users\Extensa\AppData\Roaming\ImgBurn
2009-11-11 19:50 . 2009-11-11 20:07 311296 ----a-w- c:\windows\system32\TubeFinder.exe
2009-11-11 04:43 . 2008-06-03 18:53 -------- d-----w- c:\users\Extensa\AppData\Roaming\GetRightToGo
2009-11-02 15:19 . 2009-06-06 07:26 5972 ----a-w- c:\users\Extensa\AppData\Local\d3d9caps.dat
2009-10-29 09:17 . 2009-12-03 16:13 2048 ----a-w- c:\windows\system32\tzres.dll
2007-09-15 11:45 . 2007-09-15 11:45 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
  #6  
Old January 8th, 2010, 04:35 PM
dreemsnake
Member
 
Join Date: Jan 2010
Posts: 51
And here is the last:

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-06-15 850704]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"F-Secure Manager"="c:\program files\Charter Security Suite\Common\FSM32.EXE" [2009-08-05 199264]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 150552]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-29 4472832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-20 136600]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]
"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-18 218408]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2010-01-03 557056]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-09-29 210216]
"F-Secure TNB"="c:\program files\Charter Security Suite\FSGUI\TNBUtil.exe" [2009-08-05 2349664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-8-26 535336]
Event Planner Reminder 2009.lnk - c:\windows\Installer\{C4609419-C11E-4CE6-B369-F3F8A7DDD94C}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe [2009-5-26 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=c:\windows\pss\Forget Me Not.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PDFCreator.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\PDFCreator.lnk
backup=c:\windows\pss\PDFCreator.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Extensa^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\users\Extensa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2009-04-24 03:16 203928 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-04-29 20:38 188728 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-09-14 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-10-26 01:10 652624 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2009-08-01 16:11 50520 ----a-w- c:\users\Extensa\AppData\Roaming\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
2009-04-09 08:48 228808 ----a-w- c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLCFCATS]
2006-10-20 21:48 73728 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\dlcftime.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2009-01-29 15:43 320168 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdnamon]
2009-01-29 15:43 16040 ----a-w- c:\program files\Lexmark 2600 Series\lxdnamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdnmon.exe]
2009-01-29 15:43 660136 ----a-w- c:\program files\Lexmark 2600 Series\lxdnmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-06-20 07:03 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSet]
2007-04-24 15:49 45056 ----a-w- c:\windows\PLFSet.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-05-29 00:29 4472832 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):10,56,d9,49,00,79,ca,01

R0 fsbts;fsbts;c:\windows\System32\drivers\fsbts.sys [8/26/2009 12:42 PM 33920]
R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [9/8/2009 1:42 PM 28544]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Charter Security Suite\HIPS\drivers\fshs.sys [8/26/2009 12:41 PM 68064]
R1 FSES;F-Secure Email Scanning Driver;c:\windows\System32\drivers\fses.sys [8/26/2009 12:42 PM 35680]
R1 FSFW;F-Secure Firewall Driver;c:\windows\System32\drivers\fsdfw.sys [8/26/2009 12:42 PM 71040]
R1 fsvista;F-Secure Vista Support Driver;c:\program files\Charter Security Suite\Anti-Virus\minifilter\fsvista.sys [8/26/2009 12:40 PM 12384]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [12/18/2009 10:55 AM 47640]
R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Charter Security Suite\Anti-Virus\minifilter\fsgk.sys [8/26/2009 12:40 PM 107104]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Charter Security Suite\ORSP Client\fsorsp.exe [8/26/2009 12:41 PM 55936]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [7/14/2009 1:22 AM 721904]
S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\System32\spool\drivers\w32x86\3\lxdnserv.exe [2/27/2008 6:07 PM 98984]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2/8/2007 5:03 PM 179712]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [7/18/2008 4:37 PM 21504]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Charter Security Suite\Anti-Virus\win2k\fsfilter.sys [8/26/2009 12:40 PM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Charter Security Suite\Anti-Virus\win2k\fsrec.sys [8/26/2009 12:40 PM 25184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-01-08 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\CHARTE~1\ANTI-V~1\fsav.exe [2009-08-26 15:56]

2010-01-08 c:\windows\Tasks\User_Feed_Synchronization-{0552564B-BD87-4D0C-BC1A-7E929B2B9005}.job
- c:\windows\system32\msfeedssync.exe [2008-07-18 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Charter Security Suite\FSPS\program\FSLSP.DLL
Trusted Zone: microsoft.com\forums
FF - ProfilePath - c:\users\Extensa\AppData\Roaming\Mozilla\Firefox\Profiles\i82o4p1f.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Acer Tour Reminder - (no file)
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)
HKLM-Run-NWEReboot - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-DNS7reminder - d:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe
MSConfigStartUp-Google Update - c:\users\Extensa\AppData\Local\Google\Update\GoogleUpdate.exe
MSConfigStartUp-googletalk - c:\users\Extensa\AppData\Roaming\Google\Google Talk\googletalk.exe
MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
MSConfigStartUp-SSBkgdUpdate - c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-Symantec PIF AlertEng - c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
MSConfigStartUp-ZoneAlarm Client - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-08 00:18
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-266150569-1508974284-1849778782-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{13C3AC3B-D03F-EDED-4559-8882B1793BAB}*]
"habbcfjplhdpemll"=hex:69,61,68,65,6e,6a,6f,70,66,66,69,6b,6e,61,6b,66,6a,61,
00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\program files\charter security suite\hips\fshook32.dll

- - - - - - - > 'lsass.exe'(684)
c:\program files\charter security suite\hips\fshook32.dll
.
Completion time: 2010-01-08 00:25:46
ComboFix-quarantined-files.txt 2010-01-08 05:25

Pre-Run: 1,873,797,120 bytes free
Post-Run: 1,775,968,256 bytes free

- - End Of File - - 4A0C71322128FEDA5E38460890ECFDDA
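When a helper reads a log like the one above, the first pass is not about names but about locations: where does each loading point's binary live, and could ComboFix even read the file. The following is an added example for this thread, not part of ComboFix and not code from any poster. It parses the two line shapes the log uses (the `"Name"="path" [date size]` Run-key form and the `R1 name;display;path [date size]` service form) and orders the entries the way a triage pass would read them. The buckets and their order are this example's own heuristic, not a ComboFix rule. Of the sample lines, the `cdloader` Run-key line is the msconfig entry from the log restated in Run-key form and the `Updater` line in a Temp folder is constructed to exercise that bucket; neither is a finding about this machine.

```python
"""Triage the autostart and service lines of a ComboFix log by binary location.

Added example for this thread (not part of ComboFix, and not from any poster):
it parses the two line shapes the log above uses and orders the loading points
the way a malware-removal helper reads them, most suspicious location first.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Run-key / msconfig form:  "Name"="c:\dir\file.exe" [2009-02-26 141848]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"'
    r'(?:\s+\[(?P<meta>[^\]]*)\])?\s*$')
# Service/driver form:  R1 FSES;F-Secure Email Scanning Driver;c:\...\fses.sys [8/26/2009 12:42 PM 35680]
# ComboFix prints "[?]" in place of date/size when it could not read the file.
SVC_RE = re.compile(
    r'^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.+?)(?:\s+\[(?P<meta>[^\]]*)\])?\s*$')
# Image path = everything up to the first module extension; drops "-service" style arguments.
IMAGE_RE = re.compile(r'^(.*?\.(?:exe|sys|dll|com))(?:\s|$)')

SYSTEM_PREFIXES = ('c:\\windows\\', 'c:\\program files\\', 'c:\\progra~1\\')
PROFILE_MARKERS = ('\\users\\', '\\documents and settings\\')
# Review order used by triage(); this is the example's heuristic, not a ComboFix rule.
BUCKET_ORDER = {'missing': 0, 'temp': 1, 'bare-name': 2, 'user-profile': 3, 'other': 4, 'system': 5}


@dataclass
class LoadPoint:
    kind: str      # 'run' or 'service'
    name: str
    path: str      # as printed in the log
    bucket: str    # key of BUCKET_ORDER
    note: str      # what to do about it


def classify(path: str, meta: Optional[str]) -> Tuple[str, str]:
    p = path.lower().strip()
    if p.startswith('\\??\\'):          # NT object-manager prefix seen on ImagePath values
        p = p[4:]
    m = IMAGE_RE.match(p)
    image = m.group(1) if m else p
    if meta is not None and meta.strip() == '?':
        return 'missing', 'no date/size recorded ([?]); confirm whether the file exists'
    if '\\' not in image:
        return 'bare-name', 'no directory given, resolved via the search path; confirm which file actually loads'
    if '\\temp\\' in image or '\\temporary internet files\\' in image:
        return 'temp', 'runs from a temporary folder; review first'
    if any(mk in image for mk in PROFILE_MARKERS):
        return 'user-profile', 'lives in a user-writable profile folder; review'
    if image.startswith(SYSTEM_PREFIXES):
        return 'system', 'vendor location; still verify publisher or hash if unfamiliar'
    return 'other', 'unusual location; review'


def parse_line(line: str) -> Optional[LoadPoint]:
    """Return a LoadPoint for a Run-key or service line, None for anything else."""
    s = line.strip()
    m = RUN_RE.match(s)
    if m:
        bucket, note = classify(m['path'], m['meta'])
        return LoadPoint('run', m['name'], m['path'], bucket, note)
    m = SVC_RE.match(s)
    if m:
        bucket, note = classify(m['path'], m['meta'])
        return LoadPoint('service', m['name'].strip(), m['path'], bucket, note)
    return None


def triage(log_text: str) -> List[LoadPoint]:
    """Parse every recognised line and sort, most suspicious location first."""
    points = [lp for lp in map(parse_line, log_text.splitlines()) if lp]
    return sorted(points, key=lambda lp: (BUCKET_ORDER[lp.bucket], lp.name.lower()))


def report(points: List[LoadPoint]) -> List[str]:
    return [f'{lp.bucket:<12} {lp.kind:<7} {lp.name}: {lp.path}  <- {lp.note}' for lp in points]


# Sample input. Lines are copied from the log in this thread except the two
# marked CONSTRUCTED, which exist only to exercise the user-profile and temp buckets.
SAMPLE_LINES = [
    r'"F-Secure Manager"="c:\program files\Charter Security Suite\Common\FSM32.EXE" [2009-08-05 199264]',
    r'"RtHDVCpl"="RtHDVCpl.exe" [2007-05-29 4472832]',
    r'R1 FSES;F-Secure Email Scanning Driver;c:\windows\System32\drivers\fses.sys [8/26/2009 12:42 PM 35680]',
    r'R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]',
    r'"EnableUIADesktopToggle"= 0 (0x0)',   # not a loading point; parse_line() skips it
    # CONSTRUCTED: the log's cdloader msconfig entry restated in Run-key form
    r'"cdloader"="c:\users\Extensa\AppData\Roaming\mjusbsp\cdloader2.exe" [2009-08-01 50520]',
    # CONSTRUCTED: hypothetical entry to exercise the temp bucket; not in the log
    r'"Updater"="c:\users\Extensa\AppData\Local\Temp\upd.exe" [2010-01-07 61440]',
]
SAMPLE = '\n'.join(SAMPLE_LINES)

if __name__ == '__main__':
    for row in report(triage(SAMPLE)):
        print(row)
```

Two points the ordering encodes are worth spelling out. A Run value that names a bare file (the log's `"RtHDVCpl"="RtHDVCpl.exe"`) is resolved through the search path rather than from a fixed location, so the helper has to confirm which copy actually loads. And a `system` bucket means only that the path is a vendor location, not that the file is clean; the verdict in this thread came from the helper reviewing the entries, and a path under Program Files still deserves a publisher or hash check when the name is unfamiliar.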
#7
January 10th, 2010, 06:42 AM
touch (Malware Removal Team)
It looks clean. Please tell how things are running now?
#8
January 10th, 2010, 08:31 PM
dreemsnake
Touch, thank you so much for your help. I haven't gotten any warnings since and things seem to be running fine.

I typically get intrusion alerts too, but I haven't gotten those, either. My alert log was deleted in everything that was done, but that's okay. I don't know if I should worry about those because my firewall catches them.

Thanks again for the time spent. I'm relieved that everything's okay.
#9
January 11th, 2010, 07:17 AM
touch (Malware Removal Team)
Quote:
I haven't gotten any warnings since and things seem to be running fine.
That's good news.

Download OTL by OldTimer, saving it to your desktop: OTL.exe
Click on the CleanUp! button. You'll be asked if you want to Begin cleanup process? Select Yes.
This step removes the files, folders, and shortcuts created by the tools I had you download and run.

When done, you will be prompted to restart your computer. Please restart your computer.

To find out what programs need to be updated, please download and run the:
Secunia Personal Software Inspector (PSI)


Please read this guide about how to protect yourself while on the internet:
How to help Prevent reinfection