Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.893.305 [GMT 1:00]
Running from: c:\users\User\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2010-06-23 to 2010-07-23 )))))))))))))))))))))))))))))))
.
2010-07-23 19:27 . 2010-07-23 19:27 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-23 19:27 . 2010-07-23 19:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-20 21:43 . 2010-07-20 21:47 -------- d-----w- C:\MGADiagToolOutput
2010-07-20 21:42 . 2010-07-20 21:42 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-07-16 15:56 . 2010-07-16 15:56 388096 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-15 15:26 . 2010-07-15 15:26 -------- d-----w- c:\program files\Trend Micro
2010-07-14 20:42 . 2010-07-23 19:27 -------- d-----w- c:\users\User\AppData\Local\temp
2010-07-14 18:09 . 2010-07-14 18:09 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
2010-07-14 18:07 . 2010-07-14 18:07 -------- d-----w- c:\programdata\Malwarebytes
2010-07-13 13:25 . 2010-07-14 19:39 -------- dc----w- c:\windows\system32\DRVSTORE
2010-07-13 13:25 . 2010-07-13 13:25 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-13 13:09 . 2010-07-13 13:09 -------- d-----w- c:\users\User\AppData\Local\Sunbelt Software
2010-07-13 08:22 . 2010-07-14 19:41 -------- dc-h--w- c:\programdata\~0
2010-07-13 08:21 . 2010-07-14 19:39 -------- d-----w- c:\programdata\Lavasoft
2010-07-12 17:02 . 2010-07-14 20:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-12 17:02 . 2010-07-14 19:48 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-12 16:47 . 2010-07-12 16:47 -------- d-----w- c:\users\User\AppData\Roaming\widestream
2010-07-12 16:47 . 2010-07-12 21:42 -------- d-----w- c:\users\User\AppData\Local\widestream6 Air
2010-07-12 16:46 . 2010-07-12 21:45 -------- d-----w- c:\program files\Widestream6
2010-07-12 16:45 . 2010-07-14 18:04 -------- d-----w- c:\users\User\AppData\Roaming\OfferBox
2010-07-12 14:00 . 2010-07-12 14:00 -------- d-----w- c:\users\Default\AppData\Roaming\Trusteer
2010-07-11 21:53 . 2010-07-11 21:53 -------- d-----w- c:\users\User\AppData\Roaming\Yahoo!
2010-07-11 21:53 . 2010-07-12 11:17 -------- d-----w- c:\program files\Yahoo!
2010-07-11 21:51 . 2010-07-11 21:51 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb43D3.tmp.exe
2010-07-03 07:03 . 2010-07-03 07:03 -------- d-----w- c:\users\User\AppData\Roaming\Trusteer
2010-07-03 07:02 . 2010-07-03 07:02 -------- d-----w- c:\program files\Trusteer
2010-07-03 06:30 . 2010-07-03 06:30 -------- d-----w- c:\programdata\Trusteer
2010-07-01 11:07 . 2010-07-01 11:07 434176 ----a-w- c:\programdata\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-06-24 02:01 . 2009-11-08 09:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-24 02:01 . 2009-11-08 09:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-24 02:01 . 2009-11-08 09:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-24 02:01 . 2009-11-08 09:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-24 02:01 . 2009-11-08 09:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-23 18:22 . 2010-04-13 21:12 -------- d-----w- c:\programdata\Lx_cats
2010-07-20 21:20 . 2009-04-26 11:35 -------- d-----w- c:\program files\Vuze
2010-07-20 13:36 . 2010-03-14 17:21 -------- d-----w- c:\programdata\WinZip
2010-07-15 06:55 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-13 08:33 . 2009-10-25 08:06 -------- d-----w- c:\program files\Google
2010-07-11 21:57 . 2009-04-26 11:35 -------- d-----w- c:\users\User\AppData\Roaming\Azureus
2010-06-27 02:04 . 2009-04-22 14:34 -------- d-----w- c:\program files\Microsoft.NET
2010-06-13 13:47 . 2010-06-13 13:47 -------- d-----w- c:\programdata\Lexmark S300-S400 Series
2010-06-13 13:33 . 2009-04-26 08:36 -------- d-----w- c:\users\User\AppData\Roaming\FUJIFILM
2010-06-08 19:50 . 2009-12-30 12:46 174 ----a-w- c:\users\User\AppData\Roaming\Azureus\restart.bat
2010-05-26 16:16 . 2010-06-11 16:55 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:25 . 2010-06-11 16:55 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-04 05:59 . 2010-06-11 16:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-11 16:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 05:55 . 2010-06-11 16:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 04:31 . 2010-06-11 16:53 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 13:53 . 2010-06-11 16:52 2036224 ----a-w- c:\windows\system32\win32k.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"lxeamon.exe"="c:\program files\Lexmark S300-S400 Series\lxeamon.exe" [2010-01-18 770728]
"EzPrint"="c:\program files\Lexmark S300-S400 Series\ezprint.exe" [2010-01-18 139944]
"Lexmark S300-S400 Series Fax Server"="c:\program files\Lexmark S300-S400 Series\fm3032.exe" [2009-04-29 316072]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2009-4-26 303104]
VideoCam Suite 2.0.lnk - c:\program files\Panasonic\VideoCam Suite 2\VideoCamSuiteAutoStart.exe [2009-10-13 185688]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AutoCAD LT Startup Accelerator.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutoCAD LT Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD LT Startup Accelerator.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^Users^User^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 15:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2005-03-16 18:16 970752 ----a-w- c:\program files\Common Files\Adobe\Updater\AdobeUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-02-28 16:07 1828136 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-05 21:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-02-26 13:08 2289664 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxczbmgr.exe]
2007-04-19 14:44 74672 ----a-w- c:\program files\Lexmark 1200 Series\LXCZbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-02-18 15:29 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 14:10 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 04:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-13 135664]
R2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxeaserv.exe [2010-01-07 98984]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SYMEFA.SYS [2009-08-22 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1008000.029\BHDrvx86.sys [2009-08-22 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1008000.029\ccHPx86.sys [2010-02-04 482432]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100721.003\IDSvix86.sys [2010-05-28 344112]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-07-01 59240]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-07-01 166632]
S2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe [2010-01-07 598696]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2009-08-22 117640]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-07-01 840936]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-26 102448]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\NIS\1008000.029\SYMNDISV.SYS [2009-08-22 48688]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 13:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
2010-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-13 08:23]
2010-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-13 08:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
.
------- File Associations -------
.
.scr=AutoCADLTScriptFile
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-23 20:28
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-07-23 20:35:05
ComboFix-quarantined-files.txt 2010-07-23 19:35
ComboFix2.txt 2010-07-14 20:42
Pre-Run: 38,010,003,456 bytes free
Post-Run: 37,342,674,944 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 91CB4D659FD828567194BFB175B05DE3