Deckard's System Scanner v20071014.68
Run by Kelvin on 2008-03-31 21:29:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
101: 2008-04-01 02:29:40 UTC - RP211 - Deckard's System Scanner Restore Point
100: 2008-03-31 02:23:33 UTC - RP210 - System Checkpoint
99: 2008-03-29 19:45:33 UTC - RP209 - System Checkpoint
98: 2008-03-28 04:33:18 UTC - RP208 - Removed WinTasks Trial
97: 2008-03-28 02:36:47 UTC - RP207 - Installed WinTasks Trial
-- First Restore Point --
1: 2008-01-02 21:36:11 UTC - RP111 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Kelvin.exe) ----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:11 PM, on 3/31/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kelvin\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Kelvin.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - C:\Microgaming\Poker\pokertimeMPP\MPPoker.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://ljuro.contents.mylinker.co.kr...e/MyLinker.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1194311419452
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/activex/d...rsion=1,0,0,10
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Regi...18/flashax.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
--
End of file - 4910 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 StyleXPHelper - c:\program files\tgtsoft\stylexp\stylexphelper.exe <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R3 USB100TX (Linksys EtherFast 10/100 USB Network Adapter) - c:\windows\system32\drivers\usb100tx.sys <Not Verified; Linksys; Linksys EtherFast 10/100 USB Network Adapter>
S1 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)
S3 ip6fw (IPv6 Windows Firewall Driver) - c:\windows\system32\drivers\ip6fw.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
S2 StyleXPService - "c:\program files\tgtsoft\stylexp\stylexpservice.exe" <Not Verified; ; StyleXPService Module>
S4 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
S4 pgsql-8.2 (PostgreSQL Database Server 8.2) - "c:\program files\postgresql\8.2\bin\pg_ctl.exe" runservice -w -n "pgsql-8.2" -d "c:\program files\postgresql\8.2\data\" <Not Verified; PostgreSQL Global Development Group; PostgreSQL>
S4 Rdpwpxx -
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_31491849&REV_80\3&267A616A&0&78
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_31491849&REV_80\3&267A616A&0&78
Service:
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_1106&DEV_3104&SUBSYS_31041849&REV_86\3&267A616A&0&84
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_1106&DEV_3104&SUBSYS_31041849&REV_86\3&267A616A&0&84
Service:
-- Scheduled Tasks -------------------------------------------------------------
2008-02-09 10:11:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
-- Files created between 2008-02-29 and 2008-03-31 -----------------------------
2008-03-27 23:39:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-27 21:46:24 368912 --a------ C:\WINDOWS\System32\vbar332.dll <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Applications>
2008-03-27 21:36:48 0 d-------- C:\Program Files\LIUtilities
2008-03-27 20:07:50 0 d-------- C:\Program Files\Trend Micro
2008-02-29 02:09:02 0 d--h----- C:\Documents and Settings\Administrator.JKC-7C6R1WFZE1Y.001\Templates
2008-02-29 02:09:02 0 dr------- C:\Documents and Settings\Administrator.JKC-7C6R1WFZE1Y.001\Start Menu
2008-02-29 02:09:02 0 dr-h----- C:\Documents and Settings\Administrator.JKC-7C6R1WFZE1Y.001\SendTo
2008-02-29 02:09:02 0 d--h----- C:\Documents and Settings\Administrator.JKC-7C6R1WFZE1Y.001\Recent
2008-02-29 02:09:02 0 d--h----- C:\Documents and Settings\Administrator.JKC-7C6R1WFZE1Y.001\PrintHood
2008-02-29 02:09:02 1835008 --ah----- C:\Documents and Settings\Administrator.JKC-7C6R1WFZE1Y.001\NTUSER.DAT
2008-02-29 02:09:02 0 d--h----- C:\Documents and Settings\Administrator.JKC-7C6R1WFZE1Y.001\NetHood
2008-02-29 02:09:02 0 d-------- C:\Documents and Settings\Administrator.JKC-7C6R1WFZE1Y.001\My Documents
2008-02-29 02:09:02 0 d--h----- C:\Documents and Settings\Administrator.JKC-7C6R1WFZE1Y.001\Local Settings
2008-02-29 02:09:02 0 d-------- C:\Documents and Settings\Administrator.JKC-7C6R1WFZE1Y.001\Favorites
2008-02-29 02:09:02 0 d-------- C:\Documents and Settings\Administrator.JKC-7C6R1WFZE1Y.001\Desktop
2008-02-29 02:09:02 0 d---s---- C:\Documents and Settings\Administrator.JKC-7C6R1WFZE1Y.001\Cookies
2008-02-29 02:09:02 0 dr-h----- C:\Documents and Settings\Administrator.JKC-7C6R1WFZE1Y.001\Application Data
2008-02-29 02:09:02 0 d---s---- C:\Documents and Settings\Administrator.JKC-7C6R1WFZE1Y.001\Application Data\Microsoft
2008-02-29 01:32:44 0 d-------- C:\Program Files\TweakNow RegCleaner Std
-- Find3M Report ---------------------------------------------------------------
2008-03-31 20:29:22 0 d-------- C:\Program Files\Steam
2008-03-31 20:28:27 0 d-------- C:\Program Files\PokerStars
2008-03-31 16:27:24 0 d-------- C:\Documents and Settings\Kelvin\Application Data\uTorrent
2008-03-29 15:26:47 0 d-------- C:\Program Files\Full Tilt Poker
2008-03-28 03:04:24 0 d-------- C:\Documents and Settings\Kelvin\Application Data\mIRC
2008-03-28 03:03:47 0 d-------- C:\Program Files\mIRC
2008-03-27 23:33:22 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-24 19:51:11 0 d-------- C:\Program Files\PartyGaming
2008-03-24 19:25:25 0 d-------- C:\Program Files\Holdem Indicator
2008-03-23 22:38:28 0 d-------- C:\Documents and Settings\Kelvin\Application Data\Microgaming
2008-03-21 02:15:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-21 02 06 0 d-------- C:\Program Files\Warcraft III
2008-03-16 18:43:19 0 d-------- C:\Program Files\5APoker
2008-03-07 20:13:08 0 d-------- C:\Documents and Settings\Kelvin\Application Data\LimeWire
2008-03-07 18:37:28 0 d-------- C:\Program Files\LimeWire
2008-03-05 14:15:18 0 d-------- C:\Documents and Settings\Kelvin\Application Data\Adobe
2008-02-29 18:15:57 0 d-------- C:\Documents and Settings\Kelvin\Application Data\AVG7
2008-02-28 23:48:33 0 d-------- C:\Program Files\Lavasoft
2008-02-23 23:29:52 0 d-------- C:\Program Files\Sierra Entertainment
2008-02-23 23:29:14 0 d-------- C:\Documents and Settings\Kelvin\Application Data\InstallShield
2008-02-20 21:47:31 0 d-------- C:\Program Files\PokerRoom.com
2008-02-20 21:46:48 0 d-------- C:\Program Files\e-texaspoker client
2008-02-20 17:08:58 0 d-------- C:\Program Files\OpenAL
2008-02-20 17:08:57 409600 --a------ C:\WINDOWS\System32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-02-20 17:08:57 114688 --a------ C:\WINDOWS\System32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2008-02-18 20:34:24 0 d--h----- C:\Documents and Settings\Kelvin\Application Data\ijjigame
2008-02-17 23:24:09 0 d-------- C:\Program Files\Common Files
2008-02-17 23:24:09 0 d-------- C:\Program Files\Common Files\INCA Shared
2008-02-17 13:59:39 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-17 03:42:31 0 d-------- C:\Documents and Settings\Kelvin\Application Data\Winamp
2008-02-17 03:30:50 0 d-------- C:\Program Files\Winamp
2008-02-15 23:21:02 0 d-------- C:\Program Files\Ubisoft
2008-02-10 16:28:06 0 d-------- C:\Program Files\Absolute Poker
2008-02-06 02:19:39 0 d-------- C:\Program Files\iTunes
2008-02-06 02:19:29 0 d-------- C:\Program Files\iPod
2008-02-03 20:53:26 0 d-------- C:\Program Files\PokerTracker 3
2008-02-02 15:05:22 0 d-------- C:\Program Files\SystemRequirementsLab
2008-01-31 01:49:35 0 d-------- C:\Program Files\Eidos
2008-01-29 17:02:50 664 --a------ C:\WINDOWS\System32\d3d9caps.dat
2008-01-20 00:07:19 40 --a------ C:\WINDOWS\ujf635.bin
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/20/2007 12:50 PM]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= :\WINDOW
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
RunDll32 cmicnfg.cpl,CMICtrlWnd
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
"C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RunDLL32.exe NvMCTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QT Lite\QTTask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"usnjsvc"=3 (0x3)
"pgsql-8.2"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"aawservice"=3 (0x3)
"iPod Service"=3 (0x3)
-- Hosts -----------------------------------------------------------------------
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
8073 more entries in hosts file.
-- End of Deckard's System Scanner: finished at 2008-03-31 21:31:50 ------------