Here are my logs. I submitted a file to Bleeping Computer from ComboFix.
ComboFix 08-08-10.01 - andrew 2008-08-10 16:00:07.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.399 [GMT -4:00]
Running from: C:\Users\andrew\Desktop\ComboFix.exe
Command switches used :: C:\Users\andrew\Desktop\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\System32\gsgoeyys.exe
C:\Windows\System32\mkgeqcmp.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.
2008-08-09 21:28 . 2008-08-10 13:39 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-08-09 21:11 . 2008-08-09 21:11 <DIR> d-------- C:\Program Files\Sun
2008-08-09 21:02 . 2008-08-09 21:02 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-05 13:27 . 2008-08-09 15:20 <DIR> d-------- C:\Users\andrew\AppData\Roaming\App Launcher Gadget
2008-08-05 13:06 . 2008-08-05 13:06 <DIR> d-------- C:\Deckard
2008-08-05 11:43 . 2008-06-19 17:24 28,544 --a------ C:\Windows\System32\drivers\pavboot.sys
2008-08-04 10:34 . 2008-08-04 19:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-03 20:42 . 2008-08-03 21:06 <DIR> d-------- C:\UT2004
2008-07-29 18:34 . 2008-07-30 15:43 <DIR> d-------- C:\Windows\System32\Adobe
2008-07-28 19:37 . 2008-07-28 19:37 43,520 --a------ C:\Windows\System32\CmdLineExt03.dll
2008-07-23 09:05 . 2008-06-25 21:45 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-23 09:05 . 2008-06-25 21:45 2,644,480 --a------ C:\Windows\System32\NlsLexicons0009.dll
2008-07-23 09:05 . 2008-06-25 23:29 801,280 --a------ C:\Windows\System32\NaturalLanguage6.dll
2008-07-21 20:42 . 2008-07-21 20:42 42,320 --a------ C:\Windows\System32\xfcodec.dll
2008-07-21 16:54 . 2008-07-21 16:54 <DIR> d-------- C:\Users\andrew\AppData\Roaming\PGP Corporation
2008-07-21 16:50 . 2008-07-21 16:50 148,416 --a------ C:\Windows\System32\PGPlspRollback.reg
2008-07-21 16:49 . 2008-07-21 17:07 <DIR> d-------- C:\Program Files\Common Files\PGP Corporation
2008-07-19 02:04 . 2008-07-19 02:04 <DIR> dr------- C:\Windows\System32\config\systemprofile\Music
2008-07-15 14:05 . 2008-07-15 14:05 <DIR> d-------- C:\Users\andrew\AppData\Roaming\Realtime Soft
2008-07-15 14:04 . 2008-07-15 14:04 <DIR> d-------- C:\Users\All Users\Realtime Soft
2008-07-15 14:04 . 2008-07-15 14:04 <DIR> d-------- C:\ProgramData\Realtime Soft
2008-07-15 14:04 . 2008-07-15 14:04 <DIR> d-------- C:\Program Files\UltraMon
2008-07-13 22:16 . 2008-07-13 22:16 <DIR> d-------- C:\Program Files\WinDirStat
2008-07-13 13:05 . 2008-07-13 13:05 <DIR> d-------- C:\Users\All Users\Hewlett-Packard
2008-07-13 13:05 . 2008-07-13 13:05 <DIR> d-------- C:\ProgramData\Hewlett-Packard
2008-07-12 13:00 . 2008-08-07 03:08 <DIR> d-------- C:\Users\andrew\AppData\Roaming\Winamp
2008-07-12 13:00 . 2008-07-12 13:01 <DIR> d-------- C:\Program Files\Winamp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 04:25 --------- d-----w C:\ProgramData\AntiVir PersonalEdition Classic
2008-08-10 01:11 --------- d-----w C:\Program Files\Java
2008-08-05 00:19 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-08-04 19:20 --------- d-----w C:\Users\andrew\AppData\Roaming\uTorrent
2008-08-04 18:55 --------- d-----w C:\Users\andrew\AppData\Roaming\Hamachi
2008-08-03 18:51 137,840 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-08-03 18:50 111,928 ----a-w C:\Windows\System32\PnkBstrB.exe
2008-07-29 22:36 --------- d-----w C:\ProgramData\Xfire
2008-07-28 23:20 --------- d-----w C:\Users\andrew\AppData\Roaming\Xfire
2008-07-28 23:20 --------- d-----w C:\Program Files\Xfire
2008-07-12 16:59 --------- d-----w C:\ProgramData\YAHOO
2008-07-08 21:21 --------- d-----w C:\Program Files\Windows Mail
2008-06-19 18:45 --------- d-----w C:\Program Files\DivX
2008-06-18 01:32 --------- d-----w C:\Program Files\QuickTime
2008-06-18 01:03 --------- d-----w C:\Program Files\Apple Software Update
2008-05-30 23:22 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\Windows\System32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2008-05-30 23:22 683,520 ----a-w C:\Windows\System32\DivX.dll
2008-05-30 23:22 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-05-30 23:22 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-05-30 23:22 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-05-30 23:22 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-05-30 23:22 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-05-30 23:22 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-05-27 05:21 1,582,592 ----a-w C:\Windows\System32\tquery.dll
2008-05-27 05:21 1,418,240 ----a-w C:\Windows\System32\mssrch.dll
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\SearchFilterHost.exe
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\mssitlb.dll
2008-05-27 05:17 754,176 ----a-w C:\Windows\System32\propsys.dll
2008-05-27 05:17 60,416 ----a-w C:\Windows\System32\msscntrs.dll
2008-05-27 05:17 6,103,040 ----a-w C:\Windows\System32\chtbrkr.dll
2008-05-27 05:17 34,816 ----a-w C:\Windows\System32\msscb.dll
2008-05-27 05:17 32,768 ----a-w C:\Windows\System32\mssprxy.dll
2008-05-27 05:17 313,344 ----a-w C:\Windows\System32\thawbrkr.dll
2008-05-27 05:17 301,568 ----a-w C:\Windows\System32\srchadmin.dll
2008-05-27 05:17 194,560 ----a-w C:\Windows\System32\offfilt.dll
2008-05-27 05:17 143,872 ----a-w C:\Windows\System32\korwbrkr.dll
2008-05-27 05:17 11,776 ----a-w C:\Windows\System32\msshooks.dll
2008-05-27 05:17 1,671,680 ----a-w C:\Windows\System32\chsbrkr.dll
2008-05-27 04:59 18,904 ----a-w C:\Windows\System32\StructuredQuerySchemaTrivial.bin
2008-05-27 04:59 106,605 ----a-w C:\Windows\System32\StructuredQuerySchema.bin
2008-05-22 22:22 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-05-22 22:22 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-05-22 22:20 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-05-22 22:19 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-05-22 22:19 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-05-22 22:19 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2008-05-10 03:35 564,736 ----a-w C:\Windows\System32\emdmgmt.dll
2008-03-22 05:25 174 --sha-w C:\Program Files\desktop.ini
2008-02-07 04:39 20 ---h--w C:\Users\All Users\PKP_DLec.DAT
2008-02-07 04:39 20 ---h--w C:\Users\All Users\PKP_DLds.DAT
2008-02-07 04:39 20 ---h--w C:\ProgramData\PKP_DLec.DAT
2008-02-07 04:39 20 ---h--w C:\ProgramData\PKP_DLds.DAT
2007-12-12 00:07 47,360 ----a-w C:\Users\andrew\AppData\Roaming\pcouffin.sys
2007-08-12 19:28 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-08-12 19:28 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-08-12 19:28 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2008-03-28 22:52 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-03-28 22:52 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-03-28 22:52 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-08-09_14.12.51.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-09 18:04:59 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-08-10 16:39:23 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-08-09 18:04:59 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-08-10 16:39:23 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-08-09 18:06:30 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-08-10 16:41:02 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-08-09 18:06:29 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-08-10 16:41:53 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
- 2008-08-09 17:24:32 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-10 04:26:01 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-09 17:24:32 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-10 04:26:01 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-09 17:24:32 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-10 04:26:01 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-09 17:56:38 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-08-10 19:59:37 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
- 2007-06-29 21:54:00 135,168 ----a-w C:\Windows\System32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\Windows\System32\java.exe
- 2007-06-29 21:54:00 135,168 ----a-w C:\Windows\System32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\Windows\System32\javaw.exe
- 2007-06-29 21:54:00 139,264 ----a-w C:\Windows\System32\javaws.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\Windows\System32\javaws.exe
+ 2007-07-27 19:49:02 196,683 ----a-w C:\Windows\System32\lnod32apiA.dll
+ 2007-07-27 19:49:02 225,355 ----a-w C:\Windows\System32\lnod32apiW.dll
+ 2005-12-06 00:25:22 139,264 ----a-w C:\Windows\System32\lnod32umc.dll
+ 2005-12-05 17:37:10 106,496 ----a-w C:\Windows\System32\lnod32upd.dll
+ 2007-08-02 22:11:28 253,952 ----a-w C:\Windows\System32\OnlineScannerDLLA.dll
+ 2007-08-02 22:11:14 241,664 ----a-w C:\Windows\System32\OnlineScannerDLLW.dll
+ 2007-08-06 17:17:40 19,456 ----a-w C:\Windows\System32\OnlineScannerLang.dll
+ 2007-06-13 15:10:34 77,824 ----a-w C:\Windows\System32\OnlineScannerUninstaller.exe
+ 2004-12-07 15:11:34 258,352 ----a-w C:\Windows\System32\unicows.dll
- 2008-08-09 17:35:46 14,132 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2384316666-216903322-3591896781-1000_UserData.bin
+ 2008-08-10 16:41:43 14,434 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2384316666-216903322-3591896781-1000_UserData.bin
- 2008-08-09 17:35:45 80,342 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-08-10 16:41:43 80,660 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-08-08 03:56:23 2,990 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-08-10 00:51:29 2,990 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-08-09 17:35:40 49,082 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-08-10 16:41:42 49,122 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-08-09 17:17:14 413,562 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2008-08-09 21:59:05 414,222 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-18 23:33 125952]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35 202024]
"UltraMon"="C:\Program Files\UltraMon\UltraMon.exe" [2006-10-12 21:27 304640]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35 67112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 19:52 815104]
"Broadcom Wireless Manager UI"="C:\Windows\system32\WLTRAY.exe" [2006-11-27 18:56 1540096]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-11 18:12 90112]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 12:37 81920]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-03-16 06:20 17920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-06-29 18:19 1862144]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-05-02 19:16 184320]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 12:35 221184]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 19:42 266497]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-10 19:15 185632]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 01:11 303104 C:\Windows\sttray.exe]
C:\Users\andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]
sidebar.exe - Shortcut.lnk - C:\Program Files\Windows Sidebar\sidebar.exe [2008-03-22 00:20:51 1233920]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-06-29 18:01:28 50688]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2008-02-03 14:22:57 118784]
QuickSet.lnk - C:\Windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-06-29 17:57:35 45056]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2384316666-216903322-3591896781-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CF400DB8-F9A1-43D4-8D1C-DE34A5079B74}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7DA07BC2-F211-4AC9-8F9D-86A7D3CE8A5A}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{02926E9F-E00A-492E-97D6-EC88BBC02BFD}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{35D70B32-434C-4DFF-A752-2942B1D1306E}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{9EC73CAF-EBD4-4E5C-BFA9-BF8449320B0D}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{D0AAC93A-8B8A-4B0D-92E5-B36B39B4FAA1}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{719DC7DD-73D8-483C-9CA8-220C9A4DF032}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{1F8A01D9-1EC1-4D19-9330-83D656FE23A7}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{ECF82579-41EE-43FD-92DD-EB99EF79E80F}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{8E6A913D-31BF-40CD-A24B-1C8811964209}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{E9D9744A-6BEE-46D2-AEB3-D4A9BE7BF7AC}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{8CDA1015-6E9E-4A10-BEF7-F5FAE8B776F0}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{643B157A-5745-427C-939A-247F4A5D95DE}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{A5BF56D5-65E8-4E6D-B3E1-A88FFBF3B28F}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{5CA820DA-BD17-403C-A641-98A1AA8036E3}"= UDP:C:\Program Files\EA Games\Battlefield 2\BF2.exe:Battlefield 2
"{D281BC01-3F2B-4CC2-B832-1AF0961944FD}"= TCP:C:\Program Files\EA Games\Battlefield 2\BF2.exe:Battlefield 2
"TCP Query User{D085DCA7-F2B8-4971-AC8C-DFA48A642619}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{6982543A-4B06-4655-AF63-11C48991BA46}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
"TCP Query User{7EEF2B02-D57A-4349-9897-0150D8E5F65A}C:\\program files\\real\\realplayer\\realplay.exe"= UDP:C:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{23FADAB7-2FC5-4722-A966-9C2483C75CB8}C:\\program files\\real\\realplayer\\realplay.exe"= TCP:C:\program files\real\realplayer\realplay.exe:RealPlayer
"TCP Query User{8B66C364-FFB1-44AD-BCC5-1615EDCD8AAC}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{C777015C-96EE-4974-8C98-3509C4E4579B}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
"{E08F998C-D3D2-4BDA-820D-2382FB9DA7E9}"= UDP:C:\Program Files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat:The Battle for Middle-earth(tm) II
"{39BEF69D-E479-4408-8CB9-089654D3CE20}"= TCP:C:\Program Files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat:The Battle for Middle-earth(tm) II
"{AB4B6D70-1F83-4C8F-8170-DB2B1243506C}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{0E864900-8C12-4B95-B667-AA9E70CF9BBB}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{58E457D4-2B20-4311-8527-CDDD9CD6A197}"= UDP:C:\Program Files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat:The Battle for Middle-earth(tm) II
"{0EC2ED34-00E6-46A7-A763-92FF8812922D}"= TCP:C:\Program Files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat:The Battle for Middle-earth(tm) II
"{8253B057-97C1-40D9-9341-32030B713A18}"= UDP:C:\Program Files\Electronic Arts\The Lord of the Rings, The Rise of the Witch-king\game.dat:The Lord of the Rings, The Rise of the Witch-king
"{B70B6098-70B5-48D0-9A66-B7A14C191BF3}"= TCP:C:\Program Files\Electronic Arts\The Lord of the Rings, The Rise of the Witch-king\game.dat:The Lord of the Rings, The Rise of the Witch-king
"TCP Query User{AA4ED66C-9575-4EFF-A26D-A996EB2310FC}C:\\program files\\maple 11\\jre\\bin\\maple.exe"= UDP:C:\program files\maple 11\jre\bin\maple.exe:Maple 11
"UDP Query User{3C128BB4-74DE-4418-8E9E-1E0577BC01CD}C:\\program files\\maple 11\\jre\\bin\\maple.exe"= TCP:C:\program files\maple 11\jre\bin\maple.exe:Maple 11
"{459481C1-7BB8-4404-8E4F-B2699CE9A546}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{969424C3-5245-4A29-95E7-D72B7248012E}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{353F9FAB-1CA4-4AEB-9938-0ED5E3B3BC36}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{26075DF1-8AC0-4F4A-B53E-43C91EA717C3}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{A5AAF171-13B4-4045-AF63-60D1177CCD07}C:\\program files\\your freedom\\freedom.exe"= UDP:C:\program files\your freedom\freedom.exe:freedom
"UDP Query User{902C51DE-97D3-48FD-8373-DC3A1345CDA0}C:\\program files\\your freedom\\freedom.exe"= TCP:C:\program files\your freedom\freedom.exe:freedom
"TCP Query User{6E008BE6-B943-47E4-8B8B-DD9FF1F3B81B}C:\\program files\\your freedom\\freedom.exe"= UDP:C:\program files\your freedom\freedom.exe:freedom
"UDP Query User{BFFC89B4-73BA-4405-B860-053A51D00270}C:\\program files\\your freedom\\freedom.exe"= TCP:C:\program files\your freedom\freedom.exe:freedom
"TCP Query User{B0AE6E4F-99BD-49A0-B80B-A363302F7391}C:\\users\\andrew\\desktop\\warcraft 3 lan\\war3.exe"= UDP:C:\users\andrew\desktop\warcraft 3 lan\war3.exe:war3.exe
"UDP Query User{ABEB3405-C554-4395-BB5B-847D062FCE25}C:\\users\\andrew\\desktop\\warcraft 3 lan\\war3.exe"= TCP:C:\users\andrew\desktop\warcraft 3 lan\war3.exe:war3.exe
"TCP Query User{C500788E-17E1-434C-8890-2BE8E5BE57AE}C:\\program files\\ea games\\command & conquer generals zero hour\\patchget.dat"= UDP:C:\program files\ea games\command & conquer generals zero hour\patchget.dat:patchgrabber
"UDP Query User{28A08393-828A-4AB4-975E-58DD6FD4D957}C:\\program files\\ea games\\command & conquer generals zero hour\\patchget.dat"= TCP:C:\program files\ea games\command & conquer generals zero hour\patchget.dat:patchgrabber
"TCP Query User{4712E4BD-135B-4E31-95D5-2CA9BBF1449F}C:\\program files\\ea games\\command & conquer generals zero hour\\game.dat"= UDP:C:\program files\ea games\command & conquer generals zero hour\game.dat:game
"UDP Query User{68CC8A9F-4F9D-4455-822C-066DF4972549}C:\\program files\\ea games\\command & conquer generals zero hour\\game.dat"= TCP:C:\program files\ea games\command & conquer generals zero hour\game.dat:game
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
R0 pavboot;pavboot;C:\Windows\system32\drivers\pavboot.sys [2008-06-19 17:24]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-03-14 20:04]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc744e5c-019f-11dd-8426-0019b983ec00}]
\shell\AutoRun\command - H:\LaunchU3.exe -a
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
2008-08-09 C:\Windows\Tasks\User_Feed_Synchronization-{564643A4-4253-4BD6-B2AB-17AA8FDC5F64}.job
- C:\Windows\system32\msfeedssync.exe [2008-01-18 23:33]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-08-10 16:00:50
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-10 16:04:59
ComboFix-quarantined-files.txt 2008-08-10 20:04:55
Pre-Run: 31,158,644,736 bytes free
Post-Run: 31,152,865,280 bytes free
284 --- E O F --- 2008-08-09 18:17:31
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:02 PM, on 8/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\sttray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Windows\Explorer.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Users\andrew\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: sidebar.exe - Shortcut.lnk = C:\Program Files\Windows Sidebar\sidebar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) -
http://www.eset.eu/OnlineScanner.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 7947 bytes
AntiVir found TR/Trash.Gen, inside Qoobox\Quarantine... Does this mean it is simply finding a quarantined virus?