
Zlob infection


This topic is locked
10 replies to this topic

#1 GoShox (Members, 5 posts)

Posted 24 March 2009 - 03:37 PM

Alright, so I got infected by the Zlob trojan for sure. I honestly have NO clue how it happened; it happened to me two years ago and I remember how it started then, but now I know I'm smart enough not to randomly click on products that appear in ads on my screen.

An observation I had is that whenever an ad pops up, the process 'ieuser.exe' opens. Obviously that is a normal Windows process that comes with the computer, but it leads me to think it might be infected; however, I want to get other opinions first before taking action. I've run SpyHunter and even identified the registry keys that were added and deleted them, but they seem to reappear right away. Even looking at my HJT log I see things that obviously shouldn't be there, but there just doesn't seem to be anything I can do. My proof of being infected is ads popping up all the time and random slowdown of the internet, as well as files that I know shouldn't be there, and SpyHunter telling me I had a Zlob infection.

FYI, I'm running Vista, so that may limit me on some of the programs you guys offer.

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:35:34 PM, on 3/24/2009
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16809)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:10 PM, on 3/24/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16809)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Kameron\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 212.162.52.233 irc.westwood.com
O1 - Hosts: 212.162.52.233 servserv.westwood.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: (no name) - {a0771de7-5b1b-42ff-9783-eab5482323b3} - C:\Windows\system32\mulanaha.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: {53219757-5b3b-790a-e194-aee1949e8e6f} - {f6e8e949-1eea-491e-a097-b3b575791235} - C:\Windows\system32\qicepn.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [hoyukilila] Rundll32.exe "C:\Windows\system32\yunukino.dll",s
O4 - HKLM\..\Run: [CPM330d8f45] Rundll32.exe "c:\windows\system32\nijufagi.dll",a
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [hoyukilila] Rundll32.exe "C:\Windows\system32\yunukino.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E5DD56A-989C-4FEE-AB40-3C467F0D59CE}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs: C:\Windows\system32\zadowebi.dll c:\windows\system32\welatili.dll c:\windows\system32\nijufagi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nijufagi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nijufagi.dll
O23 - Service: Acer HomeMedia Connect Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxce_device - - C:\Windows\system32\lxcecoms.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7816 bytes


Thanks in advance!
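Added example, not from this thread and not HijackThis or ComboFix code: a short Python triage script for the kind of log posted above. The HJT lines it reads are a verbatim subset of the log in the post; the flagging rules are my own heuristics (assumptions, not HJT's rules), chosen to match what is visible there: BHOs registered with no readable name, Run keys that start a system32 DLL through Rundll32, an AppInit_DLLs entry (those DLLs are mapped into every process that loads user32.dll, the cleanup tools included), and one DLL, nijufagi.dll, sitting in four auto-start locations at once (O4, O20, O21, O22). That last pattern is consistent with the poster's experience of registry keys reappearing: deleting a key does nothing while another loader for the same DLL is still resident and rewriting it.

```python
"""Triage a HijackThis log for DLL-based auto-start persistence.

Added example for the thread above; it is not HijackThis code and not a
tool the helpers used. The flagging rules are heuristics (assumptions),
chosen to match the pattern visible in the posted log: BHOs with no readable
name, Run keys that start a system32 DLL through Rundll32, AppInit_DLLs
entries, and one DLL registered in several auto-start locations at once.
"""
import re
from collections import defaultdict

# Constructed sample: a verbatim subset of the HJT log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {a0771de7-5b1b-42ff-9783-eab5482323b3} - C:\Windows\system32\mulanaha.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: {53219757-5b3b-790a-e194-aee1949e8e6f} - {f6e8e949-1eea-491e-a097-b3b575791235} - C:\Windows\system32\qicepn.dll
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [hoyukilila] Rundll32.exe "C:\Windows\system32\yunukino.dll",s
O4 - HKLM\..\Run: [CPM330d8f45] Rundll32.exe "c:\windows\system32\nijufagi.dll",a
O20 - AppInit_DLLs: C:\Windows\system32\zadowebi.dll c:\windows\system32\welatili.dll c:\windows\system32\nijufagi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nijufagi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nijufagi.dll
"""

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")       # 'Onn - kind: rest'
DLL_RE = re.compile(r"[A-Za-z]:\\.*?\.dll", re.IGNORECASE)
CLSID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"^[a-z]{6,10}$")           # heuristic, see looks_random


def parse_entries(log_text):
    """Yield (section, kind, rest) for each 'Onn - kind: rest' line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2).strip(), m.group(3).strip()


def looks_random(path):
    """Heuristic (assumption): 6-10 all-lowercase letters, no digits, in system32.
    Legitimate system DLLs are usually mixed-case or carry digits (user32,
    shell32), so this is reported as one signal among several, never alone."""
    name = path.rsplit("\\", 1)[-1]
    return "\\system32\\" in path.lower() and RANDOM_STEM_RE.match(name[:-4]) is not None


def triage(log_text):
    """Return {dll path (lower-cased): [reasons]} for every DLL that trips a rule."""
    sections = defaultdict(set)     # dll -> HJT sections it appears in
    reasons = defaultdict(set)
    for section, kind, rest in parse_entries(log_text):
        for path in DLL_RE.findall(rest):
            key = path.lower()
            sections[key].add(section)
            if section == "O2":
                name = rest.split(" - ", 1)[0]
                if name == "(no name)" or CLSID_RE.match(name):
                    reasons[key].add("BHO registered without a readable name")
            if section == "O4" and "rundll32" in rest.lower() and "\\system32\\" in key:
                reasons[key].add("Run key starts a system32 DLL through Rundll32")
            if kind == "AppInit_DLLs":
                reasons[key].add("AppInit_DLLs: mapped into every process that loads user32.dll")
            if looks_random(path):
                reasons[key].add("random-looking lowercase name in system32")
    # The strongest signal: one DLL wired into several auto-start locations.
    for key, secs in sections.items():
        if len(secs) >= 2:
            reasons[key].add("registered in %d auto-start locations (%s)"
                             % (len(secs), ", ".join(sorted(secs))))
    return {k: sorted(v) for k, v in reasons.items()}


def suspicious_dlls(log_text):
    """Just the file names, handy for cross-checking against a later deletion list."""
    return sorted(k.rsplit("\\", 1)[-1] for k in triage(log_text))


if __name__ == "__main__":
    for path, why in sorted(triage(SAMPLE_LOG).items()):
        print(path)
        for reason in why:
            print("   -", reason)
```

Run it against a saved full log instead of SAMPLE_LOG to get the list for a real machine. On the sample it reports mulanaha.dll, qicepn.dll, yunukino.dll, nijufagi.dll, zadowebi.dll and welatili.dll and nothing from Adobe, Google or SUPERAntiSpyware; four of those six names are among the files ComboFix deletes later in this thread. The name heuristic is deliberately weak on its own, which is why the multi-location and AppInit_DLLs rules carry the weight.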


#2 teacup61, Bleepin' Texan! (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 24 March 2009 - 08:57 PM

Hello GoShox,


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 GoShox, Topic Starter (Members, 5 posts)

Posted 24 March 2009 - 09:55 PM

First of all, thank you for the very quick reply! I've seen how many people like me you guys get on here, and it's very impressive that you respond that quickly.

ComboFix:

ComboFix 09-03-23.01 - Kameron 2009-03-24 21:31:07.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.767.304 [GMT -5:00]
Running from: c:\users\Kameron\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated)
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: Norton Internet Security *disabled*
FW: ZoneAlarm Security Suite Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\~.exe
c:\windows\system32\amowapas.ini
c:\windows\system32\bavovayo.dll
c:\windows\system32\enehasur.ini
c:\windows\system32\fuwoduke.dll
c:\windows\system32\hosezora.dll
c:\windows\system32\mulanaha.dll
c:\windows\system32\muwujebu.dll
c:\windows\system32\nijufagi.dll
c:\windows\system32\qicepn.dll
c:\windows\system32\zadimeve.dll
c:\windows\system32\zadowebi.dll
c:\windows\system32\zosoyiro.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-25 to 2009-03-25 )))))))))))))))))))))))))))))))
.

2009-03-24 21:27 . 2009-03-24 21:28 <DIR> d-------- C:\32788R22FWJFW
2009-03-24 16:59 . 2009-03-24 18:13 3,948 --a------ C:\rollback.ini
2009-03-24 16:33 . 2009-03-24 21:43 12,207,136 --ahs---- c:\windows\System32\drivers\fidbox.dat
2009-03-24 16:33 . 2009-03-24 21:36 164,480 --ahs---- c:\windows\System32\drivers\fidbox.idx
2009-03-24 16:25 . 2009-03-24 16:25 <DIR> d-------- c:\program files\AskBarDis
2009-03-24 16:24 . 2009-03-24 16:24 <DIR> d-------- c:\users\All Users\MailFrontier
2009-03-24 16:24 . 2009-03-24 16:24 <DIR> d-------- c:\programdata\MailFrontier
2009-03-24 16:23 . 2008-11-13 15:18 73,104 --a------ c:\windows\zllsputility.exe
2009-03-24 16:22 . 2009-03-24 16:22 <DIR> d-------- c:\program files\Zone Labs
2009-03-24 16:22 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\System32\zpeng25.dll
2009-03-24 16:20 . 2009-03-24 17:11 <DIR> d-------- c:\windows\System32\ZoneLabs
2009-03-24 16:20 . 2009-03-24 16:20 <DIR> d-------- c:\users\All Users\CheckPoint
2009-03-24 16:20 . 2009-03-24 16:20 <DIR> d-------- c:\programdata\CheckPoint
2009-03-24 16:20 . 2009-03-24 21:37 348,389 --ah----- c:\windows\System32\drivers\vsconfig.xml
2009-03-24 16:20 . 2008-11-13 15:19 293,776 --a------ c:\windows\System32\drivers\vsdatant.sys
2009-03-24 16:19 . 2009-03-24 21:41 <DIR> d-------- c:\windows\Internet Logs
2009-03-23 16:25 . 2009-03-23 16:25 <DIR> d-------- c:\users\All Users\SUPERAntiSpyware.com
2009-03-23 16:25 . 2009-03-23 16:25 <DIR> d-------- c:\programdata\SUPERAntiSpyware.com
2009-03-23 16:24 . 2009-03-23 16:24 <DIR> d-------- c:\users\Kameron\AppData\Roaming\SUPERAntiSpyware.com
2009-03-23 16:24 . 2009-03-23 16:24 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-23 15:44 . 2009-03-23 18:05 <DIR> d-------- c:\program files\Spyware Doctor
2009-03-23 15:44 . 2009-03-23 18:05 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-03-23 15:23 . 2009-03-23 15:23 <DIR> d-------- c:\windows\ERUNT
2009-03-23 15:23 . 2009-03-23 15:23 <DIR> d-------- C:\ERDNT
2009-03-23 15:22 . 2009-03-23 15:22 <DIR> d-------- C:\!FixIEDef
2009-03-22 16:36 . 2009-03-22 16:36 <DIR> d-------- c:\program files\Enigma Software Group
2009-03-22 16:35 . 2009-03-22 16:35 <DIR> d----c--- c:\users\All Users\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-22 16:35 . 2009-03-22 16:35 <DIR> d----c--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-22 11:06 . 2008-07-30 17:42 23,888 --a------ c:\windows\System32\drivers\COH_Mon.sys
2009-03-22 11:06 . 2008-07-30 17:28 10,537 --a------ c:\windows\System32\drivers\COH_Mon.cat
2009-03-22 11:06 . 2008-07-30 17:28 706 --a------ c:\windows\System32\drivers\COH_Mon.inf
2009-03-20 13:52 . 2009-03-20 13:52 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-03-18 15:22 . 2009-03-18 15:22 <DIR> d-------- c:\program files\ICCup
2009-03-18 15:12 . 2009-03-18 15:14 94,208 --a------ c:\windows\ScUnin.exe
2009-03-18 15:12 . 2009-03-18 15:14 35,473 --a------ c:\windows\scunin.dat
2009-03-18 15:12 . 2009-03-18 15:14 967 --a------ c:\windows\ScUnin.pif
2009-03-18 15:11 . 2009-03-24 19:45 <DIR> d-------- c:\program files\Starcraft
2009-03-13 09:44 . 2009-03-13 09:44 118 --a------ c:\windows\System32\MRT.INI
2009-03-10 15:00 . 2008-12-15 23:00 8,147,968 --a------ c:\windows\System32\wmploc.DLL
2009-03-10 15:00 . 2009-02-08 20:59 2,028,032 --a------ c:\windows\System32\win32k.sys
2009-03-10 15:00 . 2008-11-26 23:42 269,824 --a------ c:\windows\System32\schannel.dll
2009-03-10 15:00 . 2008-12-16 00:53 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-10 15:00 . 2008-12-16 00:53 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-10 15:00 . 2008-12-16 00:53 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-03-07 21:47 . 2009-03-07 21:47 45 --a------ c:\windows\System32\RPVersion.ini
2009-03-07 21:27 . 2009-03-07 21:35 25,600 --a------ c:\windows\System32\~.exe.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 02:28 --------- d-----w c:\users\Kameron\AppData\Roaming\foobar2000
2009-03-25 02:28 --------- d-----w c:\program files\Steam
2009-03-23 23:04 --------- d---a-w c:\programdata\TEMP
2009-03-23 22:18 --------- d-----w c:\program files\Lx_cats
2009-03-23 21:23 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-22 16:25 --------- d-----w c:\program files\Norton Internet Security
2009-03-22 16:06 --------- d-----w c:\programdata\Symantec
2009-03-22 16:05 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-22 15:56 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-22 15:56 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-22 15:56 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-22 15:56 --------- d-----w c:\program files\Symantec
2009-03-18 00:12 --------- d-----w c:\program files\Common Files\Steam
2009-03-17 02:37 --------- d-----w c:\users\Kameron\AppData\Roaming\uTorrent
2009-03-11 20:14 --------- d-----w c:\program files\Windows Mail
2009-02-01 22:51 --------- d-----w c:\users\Kameron\AppData\Roaming\U3
2009-01-15 04:16 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-12-12 09:18 174 --sha-w c:\program files\desktop.ini
2008-05-03 16:35 77 ----a-w c:\users\Kameron\dsservers.com
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 18:22 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\system32\msconfig.exe" [2006-11-02 222208]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-02-15 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= c:\progra~1\ACERAR~1\ACERVI~1\Kernel\Burner\MKDMP3Enc.ACM

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PCM Media Sharing.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\PCM Media Sharing.lnk
backup=c:\windows\pss\PCM Media Sharing.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SJphone.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\SJphone.lnk
backup=c:\windows\pss\SJphone.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Kameron^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\users\Kameron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Kameron^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Kameron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
--a------ 2007-02-02 13:05 1261568 c:\program files\Acer Assist\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Empowering Technology Monitor]
--a------ 2007-01-24 12:27 319488 c:\acer\Empowering Technology\SysMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
--a------ 2007-02-02 14:24 3383296 c:\program files\Acer Registration\ACE1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder]
--a------ 2007-02-15 20:39 151552 c:\acer\AcerTour\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALUAlert]
--a------ 2007-09-12 19:27 492912 c:\program files\Symantec\LiveUpdate\ALUNOTIFY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-11-20 23:44 107112 c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
--a------ 2007-02-07 02:04 464168 c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
--a------ 2006-11-02 07:35 125440 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
--a------ 2007-05-17 11:13 103344 c:\program files\Lexmark 4300 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 13:10 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCECATS]
--a------ 2007-02-22 06:17 73728 c:\windows\System32\spool\drivers\w32x86\3\lxcetime.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcemon.exe]
--a------ 2007-05-17 11:11 205744 c:\program files\Lexmark 4300 Series\lxcemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2007-04-12 02:43 1661304 c:\program files\Messenger\Msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 12:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2006-11-20 23:42 22696 c:\program files\Norton Internet Security\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
--a------ 2008-01-09 04:01 1232896 c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2007-02-02 03:37 630784 c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-12 13:08 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-02-17 11:43 1830128 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-05-17 17:28 171448 c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
--a------ 2008-01-29 18:38 583048 c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-12-25 18:56 1006264 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-11-02 07:36 201728 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
--a------ 2007-03-23 06:04 4423680 c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
--a------ 2006-11-02 07:34 2159104 c:\windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{ED1E9675-5C5C-4552-8979-8FFBD704C996}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C5A6A6A0-D297-4AA6-9383-21A16C3F9929}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C0B04953-9D63-4886-9FEE-B20972592777}"= c:\program files\Acer Arcade Live\Acer Arcade Live Main Page\Acer Arcade Live.exe:Acer Arcade Live
"{64C52DD3-2977-4C34-BDA1-8FD96179DF00}"= c:\program files\Acer Arcade Live\SlideShow DVD\Component\CLSLDVD.exe:SlideShow DVD workprocess
"{F42A10AE-D383-4A78-9E05-64BBC84376C5}"= c:\program files\Acer Arcade Live\Acer DV Magician\Component\ARAWP.exe:DV Magician ARA workprocess
"{A0E22BD1-9D17-41A4-BF50-419B503C50D0}"= c:\program files\Acer Arcade Live\Acer DV Magician\Component\DVAX2Process.exe:DV Magician AVAX workprocess
"{E59634F8-1C07-40AC-84E1-E301FBC238EE}"= c:\program files\Acer Arcade Live\Acer DVDivine\DVDivine.exe:DVDivine
"{DFFF3429-DA90-43DB-898C-FAEEFE3F39E2}"= c:\program files\Acer Arcade Live\Acer HomeMedia\HomeMedia.exe:HomeMedia
"{5F06C73B-3B46-4ED5-983C-2880071833B2}"= c:\program files\Acer Arcade Live\Acer HomeMedia Connect\HomeMedia Connect.exe:HomeMedia Connect
"{1955E669-BE1F-4C13-B854-FB32F2900974}"= c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.EXE:HomeMedia Connect Service
"{A8757501-B402-4C19-AD10-EA4697A9512B}"= c:\program files\Acer Arcade Live\Acer VideoMagician\VideoMagician.exe:VideoMagician
"{4B6CA5C1-641B-4F88-B992-353EFCCA3031}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{88BFE9C8-3438-49F0-A3E3-154EFF8F7D5C}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{023F0AC4-35B4-4DF8-AF4F-B93E0409E64A}"= UDP:c:\program files\Messenger\Msmsgs.exe:Windows Messenger
"{98104CAC-27D9-4726-8567-CC78C6B351B6}"= TCP:c:\program files\Messenger\Msmsgs.exe:Windows Messenger
"{003CD255-DFFA-459E-9E50-C8F6AC6504E4}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{4D507A7E-4C4D-47F4-8F0B-7423A49C8949}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{1931ABCD-FBC1-4F50-B228-71669B1AB094}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{329DC4B9-C277-4B57-89EF-AAC4E773D908}"= Disabled:UDP:135:TCP Port 135
"{8FD054F0-6E35-4B2C-9319-2E6DE55C7ED4}"= Disabled:UDP:5000:TCP Port 5000
"{7B1FA34B-D2B0-4EFA-8F53-82A174461BEB}"= Disabled:UDP:5001:TCP Port 5001
"{DBB06658-A670-4128-9FCD-33DBFC8A3A06}"= Disabled:UDP:5002:TCP Port 5002
"{AC4D8C06-C226-4AF0-956D-3DA8A562051E}"= Disabled:UDP:5003:TCP Port 5003
"{454AFEBC-EB07-4152-AC70-A58862EC0D44}"= Disabled:UDP:5004:TCP Port 5004
"{A245AF34-CB4E-4E09-B8F3-E9D67DC4B50C}"= Disabled:UDP:5005:TCP Port 5005
"{0D803CAB-8440-4DD9-BF7A-D0359D8BE2AD}"= Disabled:UDP:5006:TCP Port 5006
"{A56E4135-B876-48EF-97A0-5171DE8B41B0}"= Disabled:UDP:5007:TCP Port 5007
"{5F2A8227-E841-4CFA-B68A-D4920B974C7A}"= Disabled:UDP:5008:TCP Port 5008
"{E9654043-20B6-4A93-8915-26D831BA2714}"= Disabled:UDP:5009:TCP Port 5009
"{9934E713-4F96-487B-B4CD-8CAE7FB7D1A5}"= Disabled:UDP:5010:TCP Port 5010
"{3AD0483B-BDAD-4E85-B807-2145816A3C0F}"= Disabled:UDP:5011:TCP Port 5011
"{BE165BF7-1599-4113-9BC6-784875EC10E8}"= Disabled:UDP:5012:TCP Port 5012
"{9BFD2D0E-7D3A-4BC1-99C3-F74BBE6443E9}"= Disabled:UDP:5013:TCP Port 5013
"{EDF03FA1-1430-444E-B84E-B40C3BA55458}"= Disabled:UDP:5014:TCP Port 5014
"{6BE6C876-0384-4AE7-A1D5-99585D97A90D}"= Disabled:UDP:5015:TCP Port 5015
"{00314D26-07DE-41E3-9E62-45B2E4F9964B}"= Disabled:UDP:5016:TCP Port 5016
"{F803EF59-B4B2-44E6-B98D-A99B6CD20573}"= Disabled:UDP:5017:TCP Port 5017
"{2CA6B3BA-29BD-42A1-96C8-89866E139030}"= Disabled:UDP:5018:TCP Port 5018
"{18781DA8-9FC8-4585-BCD1-78F806230E54}"= Disabled:UDP:5019:TCP Port 5019
"{7D2F4EF2-1113-4D64-964D-610BA1A9CBCE}"= Disabled:UDP:5020:TCP Port 5020
"{1F76D1EB-D26F-45BD-ADD9-1E51C295DA40}"= UDP:c:\windows\System32\lxcecoms.exe:4300 Series Server
"{0798255F-CB56-491C-9C1E-C0B454DF3CD7}"= TCP:c:\windows\System32\lxcecoms.exe:4300 Series Server
"{9813082A-1F21-492D-A725-97FB1E4536DD}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxcepswx.exe:4300 Series Printer Status
"{839ED96B-82B0-431E-BF14-A9D5026C9A86}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxcepswx.exe:4300 Series Printer Status
"{D267344C-F6AD-405C-94DE-D553A70A7E15}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{CCADB09F-3935-4BCA-9912-E8CD164BEA30}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{B2355313-1F20-43A1-9D38-9541349C87A9}"= UDP:c:\program files\Winamp Remote\bin\Orb.exe:Orb
"{3B9C52D5-8079-46F5-80A0-D3C375280396}"= TCP:c:\program files\Winamp Remote\bin\Orb.exe:Orb
"{08A866DD-F78C-41F2-852E-C06C1DCC03F6}"= UDP:c:\program files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{3C844D52-17BC-423C-869A-898D135B55EF}"= TCP:c:\program files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{C6610259-0321-49CF-AB3C-2FF2E588DB99}"= UDP:c:\program files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{10748289-3E0A-4531-B703-FC3A866DAEAC}"= TCP:c:\program files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{6518E690-2D2F-4536-8B54-8842C8DF1861}"= UDP:c:\program files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{F6E8D675-9249-49A1-AE67-81F0B6D112DB}"= TCP:c:\program files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{24FA0328-221D-432E-A0F6-DD3DAF1E7FEA}"= UDP:6112:wc3
"{55243596-31F4-4148-8E54-BDDF93AD50FB}"= UDP:6113:wc3
"{B01DE945-EFD4-4FB8-9ED2-1A7C7535AA0D}"= UDP:6114:6
"{4FD990DF-4D47-41D4-AD58-76864908BD80}"= UDP:6115:6
"{57E8D291-EA3C-4744-A34D-4D4630054F74}"= UDP:6116:6
"{70715A8F-001C-4F5F-9247-B01683691D59}"= UDP:6117:6
"{32D1A5F3-C103-4A90-A0B2-C3C4B9B89F1F}"= UDP:6118:6
"{EEBED669-3CEE-418C-B842-408E2E9DDA3C}"= UDP:6119:2
"TCP Query User{AC25E278-0E2A-4B41-8291-F9213498C335}c:\\program files\\steam\\steamapps\\goshox\\counter-strike source\\hl2.exe"= UDP:c:\program files\steam\steamapps\goshox\counter-strike source\hl2.exe:hl2
"UDP Query User{2E6CEF58-179E-4CCB-8054-2B70BCC846DF}c:\\program files\\steam\\steamapps\\goshox\\counter-strike source\\hl2.exe"= TCP:c:\program files\steam\steamapps\goshox\counter-strike source\hl2.exe:hl2
"{999678D7-02D3-47C5-9D64-A384C07863EE}"= UDP:c:\program files\Hamachi\hamachi.exe:Hamachi
"{6682ACB6-853E-4E33-86A0-D86E76526E65}"= TCP:c:\program files\Hamachi\hamachi.exe:Hamachi
"{9F96B4F3-4C8F-4F28-AFF8-85DCF51FEA7B}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{AAEDD06A-B6AC-4D00-A077-84A844FA1379}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{827C37BD-D819-4E44-B0D9-214BCE6E1D2C}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{90C586CF-3120-49B1-8D0E-D010AA03E92C}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{B15BB32E-CB54-41AD-AD5C-A0CB1B0C6D5D}"= UDP:c:\windows\explorer.exe:Explorer
"{EC5A4D7D-B00C-47F3-B3BC-D281597AFB04}"= TCP:c:\windows\explorer.exe:Explorer
"{3A614666-9551-4F63-80DC-559471A2369A}"= UDP:c:\program files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe:AcroRd32
"{9C2CFA03-0113-477B-92A7-5CB0DDA4C7B1}"= TCP:c:\program files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe:AcroRd32
"{4DEBC523-0847-4C1F-9B35-C0601B55F9E3}"= UDP:c:\windows\System32\wininit.exe:wininit
"{44FACEF2-550B-41D4-A0A6-71AFD56634ED}"= TCP:c:\windows\System32\wininit.exe:wininit
"{979B2013-A367-417A-A33E-1E057AD7072E}"= UDP:c:\windows\System32\lsass.exe:lsass
"{0D58F079-F701-4348-B6FF-5470847C9B10}"= TCP:c:\windows\System32\lsass.exe:lsass
"{58FCE2ED-70FB-4AC7-904F-63CA314D08B7}"= UDP:c:\windows\System32\winlogon.exe:winlogon
"{C37AAFA3-43DE-4923-B68B-674C06586E99}"= TCP:c:\windows\System32\winlogon.exe:winlogon
"TCP Query User{93EE055C-50E6-4F1B-AE93-05A4A072C289}c:\\program files\\starcraft\\starcraft.exe"= UDP:c:\program files\starcraft\starcraft.exe:StarCraft
"UDP Query User{9FFFDA18-B87C-4A16-A4D9-5C3F4D0529A4}c:\\program files\\starcraft\\starcraft.exe"= TCP:c:\program files\starcraft\starcraft.exe:StarCraft

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20080314.001\IDSvix86.sys [2008-03-14 261680]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2007-04-16 266343]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2009-03-24 464264]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-03-24 109616]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2008-10-03 37936]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*Deregistered* - sptd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
\shell\AutoRun\command - N:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c57c59d-3ab2-11dd-911f-001c25309b39}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81a7feac-7de4-11dd-94f3-001c25309b39}]
\shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c932b897-6973-11dc-a40b-806e6f6e6963}]
\shell\AutoRun\command - E:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c98a1a9b-bbf4-11dc-afa9-001c25309b39}]
\shell\AutoRun\command - K:\autoplay.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Kameron.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-11-20 23:41]
.
- - - - ORPHANS REMOVED - - - -

BHO-{a0771de7-5b1b-42ff-9783-eab5482323b3} - c:\windows\system32\mulanaha.dll
BHO-{f6e8e949-1eea-491e-a097-b3b575791235} - c:\windows\system32\qicepn.dll
HKLM-Run-hoyukilila - c:\windows\system32\yunukino.dll
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)
MSConfigStartUp-AIM - c:\program files\AIM\aim.exe
MSConfigStartUp-AlcoholAutomount - c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe
MSConfigStartUp-CPM330d8f45 - c:\windows\system32\welatili.dll
MSConfigStartUp-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\daemon.exe
MSConfigStartUp-hoyukilila - c:\windows\system32\yunukino.dll
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe


.
------- Supplementary Scan -------
.
uStart Page =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {3E5DD56A-989C-4FEE-AB40-3C467F0D59CE} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\users\Kameron\AppData\Roaming\Mozilla\Firefox\Profiles\q11u0f4j.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-24 21:43:31
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\lxcecoms.exe
c:\windows\System32\PnkBstrA.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\windows\System32\WUDFHost.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-03-24 21:52:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-25 02:51:41

Pre-Run: 79,975,071,744 bytes free
Post-Run: 80,011,382,784 bytes free

377 --- E O F --- 2009-03-13 14:44:25

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:38 PM, on 3/24/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16809)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Kameron\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-18\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E5DD56A-989C-4FEE-AB40-3C467F0D59CE}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acer HomeMedia Connect Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxce_device - - C:\Windows\system32\lxcecoms.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 7231 bytes

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 24 March 2009 - 11:02 PM

Hello,

You're welcome. :thumbup2:

Do you use Norton or ZA for your AntiVirus? The ComboFix log shows both and shows Norton to be outdated, but your HijackThis log indicates that Norton is what you use.

If you don't use the AskBar, then uninstall it in Add/Remove Programs/Software, then reboot.

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

How is it running now please? :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#5 GoShox

GoShox
  • Topic Starter

  • Members
  • 5 posts

Posted 25 March 2009 - 03:40 PM

Again, thanks for the reply.

I use Norton and it scans every Friday night (although I've been using the computer the past few weeks on that night so I've cancelled the scan then, so sadly I haven't scanned in a long time). I actually downloaded and installed Zone Alarm yesterday for a good firewall.. I haven't been running one on my computer (although my router has a supposedly strong firewall) so I decided to download one, rather than using Windows Firewall.

Anti-malware log:

Malwarebytes' Anti-Malware 1.34
Database version: 1897
Windows 6.0.6000

3/25/2009 3:26:43 PM
mbam-log-2009-03-25 (15-26-43).txt

Scan type: Quick Scan
Objects scanned: 57999
Time elapsed: 4 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:09 PM, on 3/25/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16809)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Users\Kameron\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-18\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E5DD56A-989C-4FEE-AB40-3C467F0D59CE}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acer HomeMedia Connect Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxce_device - - C:\Windows\system32\lxcecoms.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 6882 bytes

The computer is definitely booting up faster and the internet on this computer is running more smoothly and isn't randomly slowing down and such.
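Reading a HijackThis log by eye, as the helper does in this thread, mostly comes down to spotting entries that point at a missing file, services with no identified vendor, and add-on DLLs loading from unusual places. The script below is an added example, not code from this thread or from HijackThis: it parses the O2/O3/O4/O23 line formats shown in the logs above and flags such entries, using its own illustrative heuristics (a flag means "look closer", not "malicious"); the sample lines are a constructed subset in the same format.

```python
"""Triage helper for Trend Micro HijackThis v2 log lines (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the thread's HJT log format, embedded so this runs offline.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: lxce_device - - C:\Windows\system32\lxcecoms.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# "Service: <name> - <vendor> - <path>"; an empty vendor is printed as
# "name - - path", so the vendor group is optional.
SERVICE_RE = re.compile(r"^Service: (.+?) -(?: (.*?))? - (.+)$")
# "HKLM\..\Run: [<name>] <command line>"
AUTORUN_RE = re.compile(r"^(.*?): \[(.*?)\] (.*)$")


@dataclass
class Entry:
    kind: str                      # HJT section, e.g. "O2" or "O23"
    name: str
    path: str
    vendor: Optional[str] = None   # only O23 lines carry a vendor
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HJT log line into an Entry, or None for lines we don't triage."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    if kind in ("O2", "O3"):
        # "BHO: name - {CLSID} - path" / "Toolbar: name - {CLSID} - path"
        parts = rest.split(": ", 1)[1].rsplit(" - ", 2)
        if len(parts) != 3:
            return None
        name, _clsid, path = parts
        return Entry(kind, name, path)
    if kind == "O4":
        m4 = AUTORUN_RE.match(rest)
        if not m4:
            return None
        _hive, name, command = m4.groups()
        # The executable is either a quoted path or the first token.
        mp = re.match(r'"([^"]+)"|(\S+)', command)
        return Entry(kind, name, mp.group(1) or mp.group(2))
    if kind == "O23":
        m23 = SERVICE_RE.match(rest)
        if not m23:
            return None
        name, vendor, path = m23.groups()
        return Entry(kind, name, path, vendor or "")
    return None


def assess(entry: Entry) -> List[str]:
    """Attach review flags (heuristics of this example) and return them."""
    if entry.path == "(no file)":
        entry.flags.append("registration points to a missing file")
    if entry.kind == "O23" and (entry.vendor or "").lower() in ("", "unknown owner"):
        entry.flags.append("service has no identified vendor")
    if entry.kind in ("O2", "O3") and re.search(r"\\system32\\[^\\]+\.dll$", entry.path, re.I):
        entry.flags.append("browser add-on DLL sits directly in system32")
    return entry.flags


def triage(log_text: str) -> List[Entry]:
    """Return every parsed entry that earned at least one review flag."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and assess(entry):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:<4} {e.name:<32} {e.path}")
        for f in e.flags:
            print(f"       -> {f}")
```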

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 March 2009 - 04:07 PM

Hi there,

Good to know it's better. :thumbup2:

Good on you for the firewall, and I'll give you a specific reason why: there is a DNS changer out there now that actually infects routers, so every measure of protection is encouraged. Without overdoing it, of course. :) To better protect your router, put a strong password on it. Don't leave it at the default. This infection gets in by reading weak/default passwords.

I'm still concerned about Norton. ComboFix says it's outdated. Has your subscription run out? If so, even though it seems to be functioning you aren't fully protected. Also your Adobe is outdated. Older versions are vulnerable to exploit.

Your Java is out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6_u_13.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Make me feel better about the Norton in your reply. :step4:

tea

#7 GoShox

GoShox
  • Topic Starter

  • Members
  • 5 posts

Posted 25 March 2009 - 10:25 PM

Alright, Java updated and the old versions uninstalled. Combofix deleted as well as the folder. I haven't done anything with Adobe yet.. I'll have to see what to do with that.

As for Norton, I checked and it told me it was fully updated, and that it's been doing it through Windows Updates (which I have just automatically download whenever). However it did indicate that I do NOT have a certain anti-malware program, which might affect it? I was going to use Malwarebytes' Anti-Malware now and just scan it manually every few days (or whatever is recommended), unless you have a good suggestion for a free program.

Thanks!

Edited by GoShox, 25 March 2009 - 10:27 PM.


#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 March 2009 - 10:31 PM

Hello,

You're welcome, and I'm glad it's running well now. :)

MBAM is fine to use along with your AntiVirus. :thumbup2:

I believe we're done then, if you have no further problems.

http://mvps.org/winhelp2002/unwanted.htm

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Take care!
tea

#9 GoShox

GoShox
  • Topic Starter

  • Members
  • 5 posts

Posted 25 March 2009 - 10:33 PM

Alright, thank you very much for all your help!!!

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 March 2009 - 10:44 PM

You're welcome. :thumbup2:

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 28 March 2009 - 12:00 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



