Difficulty removing spyware -hijackthis log


3 replies to this topic

#1 taz6071

Posted 16 April 2010 - 10:40 AM

After scanning for spyware I am still getting random popups in IE and Mozilla. Also having search engine redirects. Any help would be greatly appreciated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:31 AM, on 4/16/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Citrix\GoToMeeting\452\g2mstart.exe
C:\Program Files\Upromise\UpromiseTray.exe
C:\Program Files\Upromise\dca-ua.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe
C:\Program Files\Citrix\GoToMeeting\452\g2mcomm.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Citrix\GoToMeeting\452\g2mlauncher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.igoogle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: DCA - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Upromise\dca-bho.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: ToolHelper - {EDC0F17F-F4B7-47e4-B73E-887FAEB376FA} - C:\Program Files\Upromise\upromisetoolbar.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [RoxioDragToDisc] C:\Program Files\Lenovo\Drag-to-Disc\Drgtodsc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [GoToMeeting] "C:\Program Files\Citrix\GoToMeeting\452\g2mstart.exe" "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Upromise Tray] C:\Program Files\Upromise\UpromiseTray.exe
O4 - HKCU\..\Run: [Upromise Update] C:\Program Files\Upromise\dca-ua.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll
O9 - Extra 'Tools' menuitem: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.factory_dev
O15 - Trusted Zone: http://factory.hb.local
O16 - DPF: Microsoft Office Workgroup Web Control - http://192.0.2.16/common/wkgrpweb.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.3.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {89A32C64-6176-4D10-BCA3-10B0079818FA} (SCDeviceMonitor Class) - https://vpbbes01:3443/webconsole/RIMWebComponents.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mxlogic.webex.com/client/T26L/training/ieatgpc1.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HB.Local
O17 - HKLM\Software\..\Telephony: DomainName = hb.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HB.Local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = HB.Local
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: WebEx Service Host for Support Center (atashost) - WebEx Communications, Inc. - C:\Windows\system32\atashost.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GtDetectSc - OptionNV - C:\Program Files\Option\GlobeTrotter Connect\GtDetectSc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Data Protector Inet (omniInet) - Hewlett-Packard - C:\Program Files\OmniBack\bin\omniinet.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: SpyHunter 4 Service - Enigma Software Group USA, LLC. - C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 15402 bytes

Edited by boopme, 16 April 2010 - 11:39 AM.
Moved from AII to Virus,Trojan and Malware Removal Logs~~boopme
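The log above is in the HijackThis 2.x entry format (section code, separator, body). As an added example that is not part of the original post and not code from HijackThis or Trend Micro, the following Python script parses that format and attaches review flags to the entry types a log helper usually reads first: Run-key commands given as a bare file name (resolved through the search path rather than a full path), Winsock LSP entries, Trusted Zone entries, ActiveX controls pulled over cleartext HTTP, and services whose binary is missing or has no publisher information. The sample lines are excerpted from the posted log; the flags are assumptions about what deserves a closer look, not a verdict that any entry is malicious, and the script runs fully offline.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# A HijackThis 2.x entry is "<section code> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
# Autoruns that execute from user-writable locations get a second look.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|ProgramData|Downloads)\\", re.I)

# Constructed sample: lines excerpted from the HijackThis log in the post above.
SAMPLE = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.igoogle.com/
O1 - Hosts: ::1 localhost
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O15 - Trusted Zone: http://*.factory_dev
O16 - DPF: Microsoft Office Workgroup Web Control - http://192.0.2.16/common/wkgrpweb.cab
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
"""


@dataclass
class Entry:
    code: str
    body: str
    flags: list[str] = field(default_factory=list)


def parse(log: str) -> list[Entry]:
    """Return the Rx/Fx/Oxx entries; the header and process list are skipped."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def _o4_command(body: str) -> str:
    """'HKLM\\..\\Run: [Name] cmd args' -> 'cmd args' ('' for .lnk startup items)."""
    _, _, cmd = body.partition("] ")
    return cmd.strip().lstrip('"')


def triage(entries: list[Entry]) -> list[Entry]:
    """Attach review flags (heuristics, not verdicts) and return the flagged entries."""
    for e in entries:
        b = e.body
        if e.code == "O1":
            target = b.split(":", 1)[1].strip()
            if not target.endswith(" localhost"):
                e.flags.append("hosts-file override that is not a loopback mapping")
        elif e.code == "O4":
            cmd = _o4_command(b)
            exe = cmd.split()[0] if cmd else ""
            # A bare file name is located via the search path, not a fixed location.
            if exe and "\\" not in exe and "%" not in exe and not exe.lower().startswith("rundll32"):
                e.flags.append(f"unqualified executable {exe!r} resolved through the search path")
            if USER_WRITABLE_RE.search(cmd):
                e.flags.append("autorun launched from a user-writable directory")
        elif e.code == "O10":
            e.flags.append("Winsock LSP: sits in the path of every socket call")
        elif e.code == "O15":
            e.flags.append("Trusted Zone entry: IE applies relaxed security to this host")
        elif e.code == "O16" and re.search(r"\bhttp://", b, re.I):
            e.flags.append("ActiveX control fetched over cleartext HTTP")
        elif e.code == "O23":
            if "(file missing)" in b:
                e.flags.append("service binary missing on disk")
            if "Unknown owner" in b:
                e.flags.append("service binary carries no publisher information")
    return [e for e in entries if e.flags]


def summarize(log: str) -> dict:
    """Parse and triage a whole log: entry counts plus the flagged entries."""
    entries = parse(log)
    return {
        "entries": len(entries),
        "bho_and_toolbars": sum(e.code in ("O2", "O3") for e in entries),
        "flagged": triage(entries),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(f"{result['entries']} entries, {result['bho_and_toolbars']} BHO/toolbar entries")
    for e in result["flagged"]:
        print(f"{e.code:<4}{e.body}")
        for f in e.flags:
            print(f"    -> {f}")
```

Run against the sample, the script flags the bare `TpShocks.exe` Run entry, the LSP line, the Trusted Zone line, the cleartext DPF download and the `npggsvc` service (both missing binary and unknown owner), while the loopback hosts entry, the BHO and the TeamViewer service pass through unflagged. Feeding it the full log from the post instead of `SAMPLE` gives the same triage over every entry; the flags only tell you where to look, and each flagged item still has to be checked against what the machine is supposed to run.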




#2 taz6071

Posted 16 April 2010 - 02:16 PM

Went ahead and ran ComboFix with no success...


ComboFix 10-04-15.05 - burcham 04/16/2010 14:50:09.2.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2014.1089 [GMT -4:00]
Running from: c:\users\burcham\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3426860383-1542811989-2919579048-500
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
c:\users\burcham\AppData\Roaming\.#
c:\users\burcham\AppData\Roaming\.#\MBX@1D98@18666F8.###
c:\users\burcham\AppData\Roaming\.#\MBX@1D98@1866708.###
c:\windows\system32\DEBUG.log

----- BITS: Possible infected sites -----

hxxp://vpupdt01:8530
.
((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
.

2010-04-16 18:59 . 2010-04-16 18:59 -------- d-----w- c:\users\prdadm\AppData\Local\temp
2010-04-16 18:59 . 2010-04-16 18:59 -------- d-----w- c:\users\helpdesk\AppData\Local\temp
2010-04-16 15:33 . 2010-04-16 15:33 -------- d-----w- c:\program files\Trend Micro
2010-04-16 15:10 . 2010-03-29 08:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100416.003\NAVENG.SYS
2010-04-16 15:10 . 2010-03-29 08:00 1324720 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100416.003\NAVEX15.SYS
2010-04-16 15:10 . 2009-11-16 15:11 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100416.003\NAVENG32.DLL
2010-04-16 15:10 . 2009-11-16 15:11 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100416.003\NAVEX32A.DLL
2010-04-16 15:10 . 2010-01-18 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100416.003\CCERASER.DLL
2010-04-16 15:10 . 2009-11-16 15:11 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100416.003\EECTRL.SYS
2010-04-16 15:10 . 2009-11-16 15:11 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100416.003\ECMSVR32.DLL
2010-04-16 15:10 . 2009-11-16 15:11 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100416.003\ERASER.SYS
2010-04-16 14:57 . 2010-04-16 14:57 2 --shatr- c:\windows\winstart.bat
2010-04-16 14:56 . 2010-04-16 15:31 -------- d-----w- c:\program files\UnHackMe
2010-04-16 11:43 . 2010-04-16 11:43 0 ----a-w- c:\windows\nsreg.dat
2010-04-16 11:43 . 2010-04-16 11:43 -------- d-----w- c:\users\burcham\AppData\Local\Mozilla
2010-04-16 11:14 . 2010-04-16 11:14 -------- d-----w- c:\program files\Enigma Software Group
2010-04-16 11:14 . 2010-04-16 16:31 -------- d-----w- c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP
2010-04-15 10:09 . 2010-04-15 10:09 -------- d-----w- c:\users\burcham\AppData\Local\Blizzard Entertainment
2010-04-15 07:06 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-15 07:02 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-15 07:02 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-15 07:01 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-15 07:01 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-15 07:01 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-15 07:01 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-15 07:01 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-15 01:21 . 2010-04-15 05:33 -------- d-----w- c:\users\Public\Games
2010-04-15 00:01 . 2010-04-15 00:02 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-04-14 23:56 . 2010-04-14 23:56 -------- d-----w- c:\programdata\Blizzard
2010-04-14 01:24 . 2010-04-14 01:24 -------- d-----w- c:\program files\JAM Software
2010-04-14 00:17 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-14 00:17 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-14 00:07 . 2010-03-29 08:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100413.021\NAVENG.SYS
2010-04-14 00:07 . 2010-03-29 08:00 1324720 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100413.021\NAVEX15.SYS
2010-04-14 00:07 . 2009-11-16 15:11 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100413.021\NAVENG32.DLL
2010-04-14 00:07 . 2009-11-16 15:11 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100413.021\NAVEX32A.DLL
2010-04-14 00:07 . 2009-11-16 15:11 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100413.021\ERASER.SYS
2010-04-14 00:07 . 2010-01-18 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100413.021\CCERASER.DLL
2010-04-14 00:07 . 2009-11-16 15:11 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100413.021\EECTRL.SYS
2010-04-14 00:07 . 2009-11-16 15:11 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100413.021\ECMSVR32.DLL
2010-04-13 23:29 . 2010-04-13 23:29 -------- d-----w- c:\users\burcham\AppData\Roaming\Malwarebytes
2010-04-13 23:29 . 2010-04-14 16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-13 23:29 . 2010-04-13 23:29 -------- d-----w- c:\programdata\Malwarebytes
2010-04-13 22:14 . 2010-04-13 22:14 -------- d-----w- c:\users\burcham\AppData\Roaming\75866735AF6D5505FA6803487C5929AA
2010-04-13 11:07 . 2010-04-13 11:07 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100208.048\naveng.sys
2010-04-13 11:07 . 2010-04-13 11:07 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100208.048\naveng32.dll
2010-04-13 11:07 . 2010-04-13 11:07 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100208.048\navex32a.dll
2010-04-13 11:07 . 2010-04-13 11:07 1324720 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100208.048\navex15.sys
2010-04-13 11:07 . 2010-04-13 11:07 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100208.048\eeCtrl.sys
2010-04-13 11:07 . 2010-04-13 11:07 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100208.048\cceraser.dll
2010-04-13 11:07 . 2010-04-13 11:07 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100208.048\ecmsvr32.dll
2010-04-13 11:07 . 2010-04-13 11:07 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100208.048\ERASER.sys
2010-04-13 11:03 . 2010-03-29 08:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100412.056\NAVENG.SYS
2010-04-13 11:03 . 2010-03-29 08:00 1324720 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100412.056\NAVEX15.SYS
2010-04-13 11:03 . 2009-11-16 15:11 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100412.056\EECTRL.SYS
2010-04-13 11:03 . 2009-11-16 15:11 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100412.056\ECMSVR32.DLL
2010-04-13 11:03 . 2009-11-16 15:11 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100412.056\NAVENG32.DLL
2010-04-13 11:03 . 2009-11-16 15:11 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100412.056\NAVEX32A.DLL
2010-04-13 11:03 . 2009-11-16 15:11 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100412.056\ERASER.SYS
2010-04-13 11:03 . 2010-01-18 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100412.056\CCERASER.DLL
2010-04-12 23:00 . 2010-04-12 23:18 -------- d-----w- c:\windows\system32\Adobe
2010-04-11 21:39 . 2010-04-14 01:30 -------- d-----w- C:\gPotato.eu
2010-04-10 17:41 . 2010-04-14 16:00 -------- d-----w- c:\program files\Metin2
2010-04-10 16:55 . 2010-04-14 16:01 -------- d-----w- c:\users\burcham\AppData\Roaming\BitTorrent
2010-04-10 16:54 . 2010-04-14 16:00 -------- d-----w- c:\program files\BitTorrent
2010-04-08 21:49 . 2010-04-14 16:00 -------- d-----w- c:\program files\Conquer Online 2.0
2010-04-07 23:20 . 2008-07-31 14:41 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll
2010-04-07 23:20 . 2008-07-31 14:40 509448 ----a-w- c:\windows\system32\XAudio2_2.dll
2010-04-07 23:20 . 2008-07-31 14:41 238088 ----a-w- c:\windows\system32\xactengine3_2.dll
2010-04-07 23:20 . 2008-07-10 15:01 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2010-04-07 23:20 . 2008-07-10 15:00 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2010-04-07 23:20 . 2008-07-10 15:00 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2010-04-07 10:50 . 2010-03-29 08:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100406.038\NAVENG.SYS
2010-04-07 10:50 . 2010-03-29 08:00 1324720 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100406.038\NAVEX15.SYS
2010-04-07 10:50 . 2010-01-18 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100406.038\CCERASER.DLL
2010-04-07 10:50 . 2009-11-16 15:11 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100406.038\EECTRL.SYS
2010-04-07 10:50 . 2009-11-16 15:11 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100406.038\ECMSVR32.DLL
2010-04-07 10:50 . 2009-11-16 15:11 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100406.038\NAVENG32.DLL
2010-04-07 10:50 . 2009-11-16 15:11 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100406.038\NAVEX32A.DLL
2010-04-07 10:50 . 2009-11-16 15:11 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100406.038\ERASER.SYS
2010-04-07 01:25 . 2010-04-14 16:01 -------- d-----w- c:\users\burcham\Graal
2010-04-02 00:34 . 2010-04-02 00:34 -------- d-----w- c:\program files\iPod
2010-04-02 00:34 . 2010-04-14 16:00 -------- d-----w- c:\program files\iTunes
2010-04-02 00:34 . 2010-04-02 00:34 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-02 00:32 . 2010-04-14 16:00 -------- d-----w- c:\program files\QuickTime
2010-04-02 00:30 . 2010-04-14 16:04 -------- d-----w- c:\program files\Bonjour
2010-04-02 00:28 . 2010-04-02 00:28 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-03-31 13:05 . 2010-02-23 07:56 977920 ----a-w- c:\windows\system32\wininet.dll
2010-03-30 19:31 . 2010-04-12 18:16 256 ----a-w- c:\windows\system32\pool.bin
2010-03-30 19:31 . 2010-03-30 19:31 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-03-30 19:30 . 2010-03-30 19:30 -------- d-----w- c:\programdata\Downloaded Installations
2010-03-29 08:00 . 2010-03-29 08:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\NAVENG.SYS
2010-03-29 08:00 . 2010-03-29 08:00 1324720 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\NAVEX15.SYS
2010-03-27 23:54 . 2010-04-14 16:01 -------- d-----w- c:\users\burcham\AppData\Roaming\Xfire
2010-03-27 23:54 . 2010-04-14 16:01 -------- d-----w- c:\programdata\Xfire
2010-03-27 23:54 . 2010-04-14 16:01 -------- d-----w- c:\program files\Xfire
2010-03-27 23:49 . 2010-03-27 23:49 -------- d-----w- C:\WeMade Entertainment
2010-03-26 14:31 . 2010-03-26 14:31 -------- d-----w- c:\users\burcham\AppData\Roaming\Kyocera Mita
2010-03-26 14:25 . 2008-04-17 09:13 57344 ----a-w- c:\windows\system32\MFP32U.DLL
2010-03-26 14:25 . 2008-03-18 11:39 250123 ----a-w- c:\windows\system32\KPRNMON.DLL
2010-03-26 14:25 . 2008-01-16 15:04 61440 ----a-w- c:\windows\KPUNINST.EXE
2010-03-26 14:25 . 2010-03-26 14:25 -------- d-----w- c:\program files\Kyocera
2010-03-25 14:09 . 2010-03-25 14:09 62768 ----a-r- c:\users\burcham\AppData\Roaming\Microsoft\Installer\{01949445-CB7F-436B-8ECC-771BE6184BBC}\PullClientStartSho_CD6A27034E724245941D2EB3A8CF0DD5.exe
2010-03-25 14:09 . 2010-03-25 14:09 62768 ----a-r- c:\users\burcham\AppData\Roaming\Microsoft\Installer\{01949445-CB7F-436B-8ECC-771BE6184BBC}\ParticipantStartSh_DF0BA5751BF84E0AABDD4B6DA83B3B0C.exe
2010-03-25 14:09 . 2010-03-25 14:09 62768 ----a-r- c:\users\burcham\AppData\Roaming\Microsoft\Installer\{01949445-CB7F-436B-8ECC-771BE6184BBC}\NewShortcut11_0A40599CA5B444D89111273D573729A6.exe
2010-03-25 14:09 . 2010-03-25 14:09 62768 ----a-r- c:\users\burcham\AppData\Roaming\Microsoft\Installer\{01949445-CB7F-436B-8ECC-771BE6184BBC}\MyATTStartShortcut_37B266125E564D7BBC298658403757C7.exe
2010-03-25 14:09 . 2010-03-25 14:09 62768 ----a-r- c:\users\burcham\AppData\Roaming\Microsoft\Installer\{01949445-CB7F-436B-8ECC-771BE6184BBC}\LSUStartShortcut1_0C445A24F06A4871AC024995E6B63EA6.exe
2010-03-25 14:09 . 2010-03-25 14:09 62768 ----a-r- c:\users\burcham\AppData\Roaming\Microsoft\Installer\{01949445-CB7F-436B-8ECC-771BE6184BBC}\LSUDesktopShortcut_5E8B335F6B1645798E61AE17118989A8.exe
2010-03-25 14:09 . 2010-03-25 14:09 62768 ----a-r- c:\users\burcham\AppData\Roaming\Microsoft\Installer\{01949445-CB7F-436B-8ECC-771BE6184BBC}\ARPPRODUCTICON.exe
2010-03-25 14:09 . 2010-03-25 14:09 58672 ----a-r- c:\users\burcham\AppData\Roaming\Microsoft\Installer\{01949445-CB7F-436B-8ECC-771BE6184BBC}\MyATTDesktopShortc_F98F597BB2C24BCA8A2E00E99FF50C40.exe
2010-03-25 14:09 . 2010-03-25 14:09 46384 ----a-r- c:\users\burcham\AppData\Roaming\Microsoft\Installer\{01949445-CB7F-436B-8ECC-771BE6184BBC}\ParticipantHelpSta_AFE5E24C07B1432883124EEC348980E5.exe
2010-03-25 14:09 . 2010-03-25 14:09 -------- d-----w- c:\users\burcham\AppData\Local\ATT Connect
2010-03-25 14:09 . 2010-03-25 14:09 -------- d-----w- c:\users\burcham\AppData\Local\Downloaded Installations
2010-03-24 08:04 . 2010-03-24 18:17 952768 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\5669\AdobeARM.exe
2010-03-24 08:04 . 2010-03-24 18:17 70584 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\5669\AdobeExtractFiles.dll
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\5669\ReaderUpdater.exe
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\programdata\Adobe\Reader\9.3\ARM\5669\AcrobatUpdater.exe
2010-03-24 01:46 . 1998-10-29 20:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-03-22 12:16 . 2010-03-22 12:16 -------- d-----w- c:\users\burcham\AppData\Local\ICS
2010-03-22 12:16 . 2010-04-14 16:02 -------- d-----w- c:\windows\LMIB2BE.tmp
2010-03-20 02:24 . 2000-07-15 03:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-16 14:56 . 2009-10-11 02:29 -------- d-----w- c:\programdata\Estsoft
2010-04-16 14:38 . 2009-08-06 21:19 -------- d-----w- c:\users\burcham\AppData\Roaming\.purple
2010-04-16 11:34 . 2009-11-28 05:01 -------- d-----w- c:\program files\AC Tool
2010-04-16 11:33 . 2010-03-13 19:16 -------- d-----w- c:\program files\Pando Networks
2010-04-16 11:14 . 2009-11-01 23:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-16 11:11 . 2009-09-02 10:43 -------- d-----w- c:\program files\DYMO
2010-04-15 15:54 . 2009-07-13 23:19 28240 ----a-w- c:\windows\system32\drivers\mssmbios.sys
2010-04-15 11:32 . 2009-10-29 13:17 -------- d-----w- c:\users\burcham\AppData\Roaming\VMware
2010-04-15 07:06 . 2008-12-08 04:09 -------- d-----w- c:\programdata\Microsoft Help
2010-04-14 16:04 . 2008-12-08 03:18 -------- d-----w- c:\program files\ThinkVantage Fingerprint Software
2010-04-14 16:02 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Sidebar
2010-04-14 16:02 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-04-14 16:01 . 2009-08-06 23:10 -------- d-----w- c:\users\burcham\AppData\Roaming\gtk-2.0
2010-04-14 16:01 . 2009-09-21 16:56 -------- d-----w- c:\programdata\WebEx
2010-04-14 16:01 . 2008-12-08 03:36 -------- d-----w- c:\programdata\Lenovo
2010-04-14 16:01 . 2009-10-14 15:52 -------- d-----w- c:\programdata\FLEXnet
2010-04-14 16:01 . 2010-02-24 01:45 -------- d-----w- c:\program files\Xtend
2010-04-14 16:01 . 2009-08-07 15:22 -------- d-----w- c:\program files\Windows Live Toolbar
2010-04-14 01:21 . 2009-11-08 17:33 -------- d-----w- c:\programdata\BioWare
2010-04-14 01:20 . 2009-11-08 17:21 -------- d-----w- c:\programdata\Media Center Programs
2010-04-08 16:36 . 2009-11-10 17:40 -------- d-----w- c:\users\burcham\AppData\Roaming\MSNStockQuote
2010-04-02 00:34 . 2009-08-10 18:03 -------- d-----w- c:\program files\Common Files\Apple
2010-03-20 02:24 . 2008-12-08 03:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-13 20:39 . 2010-03-13 20:39 -------- d-----w- c:\program files\Common Files\INCA Shared
2010-03-13 20:20 . 2010-03-13 20:20 -------- d-----w- c:\program files\GALA-NET
2010-03-13 00:28 . 2010-03-13 00:28 -------- d-----w- c:\program files\ijji
2010-03-13 00:24 . 2010-03-13 00:24 -------- d-----w- c:\programdata\InstallShield
2010-03-13 00:18 . 2008-12-08 03:13 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-08 14:47 . 2009-10-26 18:21 -------- d-----w- c:\programdata\Roxio
2010-03-05 00:11 . 2010-03-05 00:11 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-03-04 01:11 . 2010-03-04 01:11 942080 ----a-w- c:\programdata\WebEx\WebEx\925\mac.dll
2010-03-03 14:21 . 2009-11-07 01:53 127744 ----a-w- c:\users\burcham\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-02 01:25 . 2010-03-02 01:25 196608 ----a-w- c:\programdata\WebEx\WebEx\926\strsess.dll
2010-03-02 01:25 . 2010-03-02 01:25 622592 ----a-w- c:\programdata\WebEx\WebEx\926\mutiltpd.dll
2010-03-02 01:25 . 2010-03-02 01:25 69632 ----a-w- c:\programdata\WebEx\WebEx\926\mticket.dll
2010-03-02 01:25 . 2010-03-02 01:25 528384 ----a-w- c:\programdata\WebEx\WebEx\926\atastrm.dll
2010-02-28 23:20 . 2010-02-28 23:20 -------- d-----w- c:\users\burcham\AppData\Roaming\UltraVNC
2010-02-28 01:12 . 2010-02-28 01:12 -------- d-----w- c:\program files\RealVNC
2010-02-24 14:16 . 2009-10-03 11:11 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 01:44 . 2009-08-07 11:56 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-24 01:43 . 2009-08-07 11:56 38784 ----a-w- c:\users\burcham\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-24 01:43 . 2009-08-07 11:56 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-23 14:26 . 2010-02-23 14:26 1232496 ----a-w- c:\programdata\Google\Google Toolbar\Component\GoogleCld_D9AEC8D4D1915047.dll
2010-02-23 01:26 . 2010-02-23 01:26 147456 ----a-w- c:\windows\system32\uc_neosteam_launching.dll
2010-02-12 15:46 . 2010-02-12 15:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46 . 2010-02-12 15:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-07 03:37 . 2010-02-07 03:37 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb6653.tmp.exe
2010-02-02 07:45 . 2010-02-25 18:00 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-22 15:24 . 2010-01-22 15:24 64000 ----a-w- c:\windows\system32\uc_sfighters_launching.dll
2010-01-18 23:29 . 2010-02-10 18:59 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-18 23:29 . 2010-02-10 18:59 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-18 23:29 . 2010-02-10 18:59 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-18 23:29 . 2010-02-10 18:59 369152 ----a-w- c:\windows\system32\secproc.dll
2010-01-18 23:28 . 2010-02-10 18:59 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-18 23:28 . 2010-02-10 18:59 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-18 23:28 . 2010-02-10 18:59 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-18 23:28 . 2010-02-10 18:59 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-18 09:00 . 2010-01-18 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\CCERASER.DLL
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\452\g2mstart.exe" [2010-02-13 39816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Upromise Tray"="c:\program files\Upromise\UpromiseTray.exe" [2009-08-16 167936]
"Upromise Update"="c:\program files\Upromise\dca-ua.exe" [2009-07-01 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-05 820520]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 419112]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 124200]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-09 2630968]
"RoxioDragToDisc"="c:\program files\Lenovo\Drag-to-Disc\Drgtodsc.exe" [2007-03-13 1116920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-28 149280]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-11-29 59168]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"TpShocks"="TpShocks.exe" [2007-11-22 181536]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-01-09 536576]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2007-12-06 324896]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-06 13797992]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-12-08 115560]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

c:\users\domburcham\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
GoZone iSync.lnk - c:\program files\GoZone\GoZone_iSync.exe [2009-8-7 425984]

c:\users\burcham\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-12-7 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-15 06:17 89600 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3585493609-2884696751-1084245441-1184\Scripts\Logon\0\0]
"Script"=\\HB.Local\sysvol\HB.Local\scripts\sap_cc_history.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3585493609-2884696751-1084245441-1184\Scripts\Logon\1\0]
"Script"=\\HB.Local\SYSVOL\HB.Local\scripts\MapLouisville.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3585493609-2884696751-1084245441-1204\Scripts\Logon\0\0]
"Script"=\\HB.Local\sysvol\HB.Local\scripts\sap_cc_history.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3585493609-2884696751-1084245441-1204\Scripts\Logon\1\0]
"Script"=\\HB.Local\SYSVOL\HB.Local\scripts\MapLouisville.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^LenovoRegistration.lnk]
backup=c:\windows\pss\LenovoRegistration.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\LenovoRegistration.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2006-10-17 01:13 87584 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2006-10-17 01:17 1941784 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-09-11 05:43 67488 ----a-w- c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
2007-02-01 18:00 419376 ----a-w- c:\program files\ThinkVantage\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AwaySch]
2006-11-07 10:51 91688 ----a-w- c:\program files\Lenovo\AwayTask\AwaySch.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
2007-12-06 17:11 214576 ----a-w- c:\progra~1\ThinkPad\UTILIT~1\BTVLOGEX.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LenovoOobeOffers]
2007-09-25 19:53 28672 ----a-w- c:\swtools\LenovoWelcome\LenovoOobeOffers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2007-04-26 17:10 120368 ----a-w- c:\progra~1\THINKV~1\PrdCtr\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2009-11-10 15:14 443728 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-08-27 04:10 1657376 ----a-w- c:\windows\System32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Push Client]
2009-09-17 22:50 935240 ----a-w- c:\users\burcham\AppData\Local\ATT Connect\Participant\pull.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RebateInformer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-07-14 01:14 1173504 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-02-07 03:35 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2006-10-17 01:12 1164912 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
2007-01-09 04:12 536576 ----a-w- c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2009-07-14 01:14 660480 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-07-14 01:16 859648 ----a-w- c:\windows\System32\OobeFldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 135664]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-01-09 569344]
R3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\DRIVERS\ADM851X.SYS [x]
R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2009-07-31 19456]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-12-17 3453712]
R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2009-12-22 16456]
R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2009-12-22 11088]
R3 TdxMrMINI;TdxMrMINI;c:\windows\system32\DRIVERS\TdxMrMini.sys [x]
R3 TdxVGAMINI;TdxVGAMINI;c:\windows\system32\DRIVERS\TdxVgaMini.sys [x]
R3 TdxVGAUSB;TARGUS USB2.0 VGA DOCK DEVICE(USB);c:\windows\system32\drivers\TdxVGAUSB.sys [x]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2007-10-17 19504]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2006-08-30 13744]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2009-11-06 43928]
S2 GtDetectSc;GtDetectSc;c:\program files\Option\GlobeTrotter Connect\GtDetectSc.exe [2007-12-18 196704]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-03-15 11152]
S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2009-11-27 185640]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2007-03-02 55936]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-11-16 102448]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-16 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 19:54]

2010-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 03:40]

2010-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 03:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.igoogle.com/
mStart Page = hxxp://lenovo.live.com
uInternet Settings,ProxyOverride = *.local
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
Trusted Zone: factory_dev
Trusted Zone: hb.local\factory
DPF: Microsoft Office Workgroup Web Control - hxxp://192.0.2.16/common/wkgrpweb.cab
DPF: {89A32C64-6176-4D10-BCA3-10B0079818FA} - hxxps://vpbbes01:3443/webconsole/RIMWebComponents.cab
FF - ProfilePath - c:\users\burcham\AppData\Roaming\Mozilla\Firefox\Profiles\es2u6v76.default\
FF - prefs.js: browser.startup.homepage - www.igoogle.com
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
SafeBoot-Symantec Antvirus
MSConfigStartUp-DymoQuickPrint - c:\program files\DYMO\DYMO Label Software\DymoQuickPrint.exe
MSConfigStartUp-Google Update - c:\users\burcham\AppData\Local\Google\Update\GoogleUpdate.exe
MSConfigStartUp-Pando Media Booster - c:\program files\Pando Networks\Media Booster\PMB.exe
MSConfigStartUp-PDF6 Registry Controller - c:\program files\Nuance\PDF Professional 6\RegistryController.exe
MSConfigStartUp-PDFHook - c:\program files\Nuance\PDF Professional 6\pdfpro6hook.exe
MSConfigStartUp-PDFProfessional-reminder - c:\program files\Nuance\PDF Professional 6\Ereg\Ereg.exe
AddRemove-Company Descriptions - c:\zir\CompDesc.isu



**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x82E37000]<< >>UNKNOWN [0x88FC0000]<< >>UNKNOWN [0x893DB000]<< >>UNKNOWN [0x88C47000]<< >>UNKNOWN [0x82E00000]<< >>UNKNOWN [0x86BAAAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0x644d6d73
SecurityProcedure -> 0x630069
QueryNameProcedure -> 0x5c0065
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(712)
c:\windows\system32\relog_ap.DLL
c:\windows\system32\psqlpwd.DLL
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll

- - - - - - - > 'Explorer.exe'(5868)
c:\windows\system32\btncopy.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\windows\system32\AEADISRV.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\OmniBack\bin\omniinet.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\msiexec.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\sppsvc.exe
c:\program files\ThinkVantage Fingerprint Software\upeksvr.exe
c:\windows\system32\taskhost.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\conhost.exe
c:\windows\System32\TpShocks.exe
c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE
c:\windows\System32\rundll32.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\Citrix\GoToMeeting\452\g2mcomm.exe
c:\program files\Citrix\GoToMeeting\452\g2mlauncher.exe
c:\program files\Symantec\Symantec Endpoint Protection\SescLU.exe
c:\program files\Symantec\LiveUpdate\luall.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
.
**************************************************************************
.
Completion time: 2010-04-16 15:11:12 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-16 19:11

Pre-Run: 16,548,720,640 bytes free
Post-Run: 16,909,352,960 bytes free

- - End Of File - - AF2396D7246675EE2337996761F6D9DD


#3 ken545

ken545

  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida

Posted 20 April 2010 - 08:11 PM

Hello taz6071

Welcome to the Bleeping Computer Malware Removal Forum

Just a word of warning: Combofix is a very powerful tool, and run without supervision from a helper on a forum it can be disastrous. This forum, myself and sUbs will not be responsible if you run Combofix on your own and damage your computer.

It's possible that you have been infected by a Rootkit. Run this scan before we take any action.


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

Just a reminder that threads will be closed if no response in 3 days


#4 ken545

ken545

  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida

Posted 27 April 2010 - 07:49 PM

Due to inactivity, this thread will now be closed.
