--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 8, 2008
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, November 08, 2008 12:49:02
Records in database: 1374510
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
Scan statistics:
Files scanned: 181084
Threat name: 3
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 02:45:41
File name / Threat name / Threats count
C:\Program Files\CrossLoop\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Program Files\CrossLoop\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
C:\ProgramData\SecTaskMan\ASKPBAR.DLL.q_E8AB003_q Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.a 1
C:\Users\All Users\SecTaskMan\ASKPBAR.DLL.q_E8AB003_q Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.a 1
C:\Users\Ally\Downloads\crossloopsetup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
C:\Users\Ally\Downloads\crossloopsetup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
The selected area was scanned.
ComboFix Log::
ComboFix 08-11-07.01 - Ally 2008-11-08 11:46:19.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.909 [GMT -5:00]
Running from: c:\users\Ally\Downloads\ComboFix.exe
Command switches used :: c:\users\Ally\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\system32\kdkge.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_Windows Tribute Service
((((((((((((((((((((((((( Files Created from 2008-10-08 to 2008-11-08 )))))))))))))))))))))))))))))))
.
2008-11-08 11:35 . 2008-11-08 11:35 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-07 15:45 . 2008-10-16 16:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-07 15:45 . 2008-10-16 15:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-07 15:45 . 2008-10-16 16:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-07 15:45 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-07 15:45 . 2008-10-16 15:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-07 15:45 . 2008-10-16 16:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-07 15:45 . 2008-10-16 16:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-07 15:45 . 2008-10-16 16:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-07 15:45 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-06 00:03 . 2008-11-06 00:03 <DIR> dr------- c:\windows\System32\config\systemprofile\Videos
2008-11-06 00:03 . 2008-11-06 00:03 <DIR> dr------- c:\windows\System32\config\systemprofile\Searches
2008-11-06 00:03 . 2008-11-06 00:03 <DIR> dr------- c:\windows\System32\config\systemprofile\Saved Games
2008-11-06 00:03 . 2008-11-06 00:03 <DIR> dr------- c:\windows\System32\config\systemprofile\Pictures
2008-11-06 00:03 . 2008-11-06 00:03 <DIR> dr------- c:\windows\System32\config\systemprofile\Links
2008-11-06 00:03 . 2008-11-06 00:03 <DIR> dr------- c:\windows\System32\config\systemprofile\Downloads
2008-11-06 00:03 . 2008-11-06 00:03 <DIR> dr------- c:\windows\System32\config\systemprofile\Documents
2008-11-05 23:47 . 2008-11-05 23:47 <DIR> d-------- c:\users\Ally\AppData\Roaming\Desktopicon
2008-11-05 23:47 . 2008-11-05 23:55 <DIR> d-------- c:\program files\Unlocker
2008-11-04 19:12 . 2008-11-04 19:12 <DIR> d-------- c:\program files\CrossLoop
2008-11-01 14:07 . 2008-11-01 14:07 <DIR> d-------- c:\program files\Trend Micro
2008-10-28 12:06 . 2008-08-11 22:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-10-26 11:18 . 2008-11-08 11:51 <DIR> d-------- c:\users\Ally\AppData\Roaming\uTorrent
2008-10-26 11:18 . 2008-10-26 11:18 <DIR> d-------- c:\program files\uTorrent
2008-10-14 16:57 . 2008-10-01 22:49 827,392 --a------ c:\windows\System32\wininet.dll
2008-10-14 16:57 . 2008-08-26 20:06 288,768 --a------ c:\windows\System32\drivers\srv.sys
2008-10-14 16:56 . 2008-09-18 00:09 3,601,464 --a------ c:\windows\System32\ntkrnlpa.exe
2008-10-14 16:56 . 2008-09-18 00:09 3,549,240 --a------ c:\windows\System32\ntoskrnl.exe
2008-10-14 16:56 . 2008-09-17 21:16 2,032,640 --a------ c:\windows\System32\win32k.sys
2008-10-14 16:56 . 2008-10-01 20:32 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-10-14 15:45 . 2008-10-14 15:45 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-10-12 18:59 . 2008-10-12 18:59 <DIR> d----c--- c:\windows\System32\DRVSTORE
2008-10-12 18:59 . 2008-10-12 18:59 <DIR> d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-12 18:59 . 2008-10-12 18:59 <DIR> d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-12 18:59 . 2008-10-12 18:59 <DIR> d-------- c:\program files\iTunes
2008-10-12 18:59 . 2008-10-12 18:59 <DIR> d-------- c:\program files\iPod
2008-10-12 18:59 . 2008-04-17 12:12 107,368 --a------ c:\windows\System32\GEARAspi.dll
2008-10-12 18:59 . 2008-04-17 12:12 15,464 --a------ c:\windows\System32\drivers\GEARAspiWDM.sys
2008-10-12 18:56 . 2008-10-12 18:57 <DIR> d-------- c:\program files\QuickTime
2008-10-10 10:38 . 2008-10-10 10:38 <DIR> d-------- c:\users\All Users\Yahoo! Games
2008-10-10 10:38 . 2008-10-10 10:38 <DIR> d-------- c:\programdata\Yahoo! Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 16:32 --------- d-----w c:\program files\Common Files\Adobe
2008-11-06 05:19 --------- d-----w c:\programdata\Roxio
2008-11-06 05:19 --------- d-----w c:\program files\Common Files\Roxio Shared
2008-11-06 04:45 --------- d-----w c:\users\Ally\AppData\Roaming\LimeWire
2008-11-01 14:40 --------- d-----w c:\programdata\Spybot - Search & Destroy
2008-10-31 22:26 --------- d-----w c:\programdata\SecTaskMan
2008-10-31 21:38 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-29 20:15 --------- d-----w c:\program files\LimeWire
2008-10-24 18:01 --------- d-----w c:\users\Ally\AppData\Roaming\OpenOffice.org2
2008-10-21 02:59 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-15 02:12 --------- d-----w c:\programdata\Microsoft Help
2008-10-12 23:57 --------- d-----w c:\program files\Bonjour
2008-10-12 23:56 --------- d-----w c:\program files\Common Files\Apple
2008-10-10 15:37 --------- d-----w c:\program files\Yahoo! Games
2008-10-03 00:23 174 --sha-w c:\program files\desktop.ini
2008-10-03 00:12 --------- d-----w c:\program files\Windows Sidebar
2008-10-03 00:12 --------- d-----w c:\program files\Windows Photo Gallery
2008-10-03 00:12 --------- d-----w c:\program files\Windows Mail
2008-10-03 00:12 --------- d-----w c:\program files\Windows Journal
2008-10-03 00:12 --------- d-----w c:\program files\Windows Defender
2008-10-03 00:12 --------- d-----w c:\program files\Windows Collaboration
2008-10-03 00:12 --------- d-----w c:\program files\Windows Calendar
2008-10-02 23:51 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-10-02 23:51 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-10-02 23:31 --------- d-----w c:\program files\Java
2008-09-11 15:29 --------- d-----w c:\program files\Microsoft Works
2008-08-29 14:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-07-29 20:38 1,004 ----a-w c:\program files\config.ini
2008-07-23 23:36 615,424 ----a-w c:\program files\ApRadar.exe
2008-07-23 23:36 32,768 ----a-w c:\program files\FFXIMemory.dll
2008-07-23 23:36 155,648 ----a-w c:\program files\ApneaControls.dll
2008-02-11 17:38 122 ----a-w c:\users\Ally\AppData\Roaming\wklnhst.dat
2007-05-03 13:23 442,368 ----a-w c:\users\Ally\ApRadar.exe
2007-03-08 20:41 217,088 ----a-w c:\program files\ApUpdater.exe
.
((((((((((((((((((((((((((((( snapshot@2008-11-05_13.27.16.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-08 16:45:41 6,230,016 ----a-w c:\windows\ERDNT\Hiv-backup\SCHEMA.DAT
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2008-11-08 16:50:41 6,230,016 ----a-w c:\windows\ERDNT\subs\SCHEMA.DAT
+ 2007-12-12 20 42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
- 2008-11-05 18:17:07 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-11-08 16:53:46 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-11-05 18:26:28 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-11-08 16:53:41 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-07-19 02:08:20 72,256 ------w c:\windows\SoftwareDistribution\SelfUpdate\Handler\WuSetupV.exe
+ 2008-10-16 19:08:00 70,416 ------w c:\windows\SoftwareDistribution\SelfUpdate\Handler\WuSetupV.exe
- 2008-11-05 18:15:02 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-11-07 20:46:21 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-05 18:15:02 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-07 20:46:21 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-05 18:15:02 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-07 20:46:21 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-05 18:22:18 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2008-11-08 16:45:58 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
- 2008-10-15 04:00:09 1,786,848 ----a-w c:\windows\System32\FNTCACHE.DAT
+ 2008-11-06 19:17:39 1,744,288 ----a-w c:\windows\System32\FNTCACHE.DAT
- 2008-11-05 18:21:40 102,194 ----a-w c:\windows\System32\perfc009.dat
+ 2008-11-08 16:20:28 102,194 ----a-w c:\windows\System32\perfc009.dat
- 2008-11-05 18:21:40 598,588 ----a-w c:\windows\System32\perfh009.dat
+ 2008-11-08 16:20:28 598,588 ----a-w c:\windows\System32\perfh009.dat
- 2008-10-29 02 29 6,291,456 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2008-11-08 16:50:41 6,230,016 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2008-11-05 18:17:14 12,786 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-837059545-616770465-622163208-1000_UserData.bin
+ 2008-11-08 16:55:09 13,804 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-837059545-616770465-622163208-1000_UserData.bin
- 2008-11-05 18:17:14 99,046 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-11-08 16:55:09 100,070 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-11-05 18:17:13 47,942 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-11-08 16:21:41 48,290 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-10-28 17:04:56 135,944,815 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-11-07 20:45:52 136,237,519 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-10-16 21:12:19 561,688 ----a-w c:\windows\winsxs\x86_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_7.2.6001.788_none_107673f57a433d77\wuapi.dll
+ 2008-10-16 20:55:59 83,456 ----a-w c:\windows\winsxs\x86_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_7.2.6001.788_none_107673f57a433d77\wudriver.dll
+ 2008-10-16 21:08:57 34,328 ----a-w c:\windows\winsxs\x86_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_7.2.6001.788_none_107673f57a433d77\wups.dll
+ 2008-10-16 18:56:04 31,232 ----a-w c:\windows\winsxs\x86_microsoft-windows-w..pdateclient-activex_31bf3856ad364e35_7.2.6001.788_none_ba8134361ffa6f73\wuapp.exe
+ 2008-10-16 19:08:00 162,064 ----a-w c:\windows\winsxs\x86_microsoft-windows-w..pdateclient-activex_31bf3856ad364e35_7.2.6001.788_none_ba8134361ffa6f73\wuwebv.dll
+ 2008-10-16 21:09:43 51,224 ----a-w c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.2.6001.788_none_2a6539a96682e474\wuauclt.exe
+ 2008-10-16 21:13:38 1,809,944 ----a-w c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.2.6001.788_none_2a6539a96682e474\wuaueng.dll
+ 2008-10-16 21:09:43 43,544 ----a-w c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.2.6001.788_none_2a6539a96682e474\wups2.dll
+ 2008-10-16 20:56:28 1,524,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-windowsupdateclient-ui_31bf3856ad364e35_7.2.6001.788_none_a8125d5406872725\wucltux.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-10-26 270128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 857648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-01 15872]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SigmatelSysTrayApp"="sttray.exe" [2007-03-06 c:\windows\sttray.exe]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-11-21 50688]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-07-20 1180952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\startupfolder\C:^Users^Ally^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\users\Ally\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-03-25 15:21 50528 c:\program files\AIM6\aim6.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 04:39 486856 c:\program files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
--a------ 2007-05-17 16:45 279912 c:\program files\Microsoft LifeCam\LifeExp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX1000]
--a------ 2007-04-10 16:46 709992 c:\windows\vVX1000.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-837059545-616770465-622163208-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4525BE82-D01E-42CC-9832-1EAB7989FBB5}"= c:\program files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{91637847-9106-4605-B103-43AA0561E9FF}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{7B8E6716-BE71-4698-BCEA-910C6451D54C}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{1B034418-4506-4C8F-9487-8412BDDEB335}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{6C48D5CD-8C44-46CE-BFEF-D4AE68C6D78F}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{66F6A381-52B4-460B-95B2-838AFCCF7F08}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{B3FC0B66-4E66-4AB6-A390-B9691379D1BE}c:\\program files\\playonline\\squareenix\\playonlineviewer\\pol.exe"= UDP:c:\program files\playonline\squareenix\playonlineviewer\pol.exe:PlayOnline Viewer
"UDP Query User{64D3E69A-05B5-409C-AE59-B558FCC925B3}c:\\program files\\playonline\\squareenix\\playonlineviewer\\pol.exe"= TCP:c:\program files\playonline\squareenix\playonlineviewer\pol.exe:PlayOnline Viewer
"TCP Query User{709995F6-905F-4CC6-BA66-95F8D836DCC2}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
"UDP Query User{DD7B15E5-665D-450A-82D3-2835BF6D6B2A}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
"TCP Query User{4EDD8B9F-CE88-4418-9ABE-2B4A0E1CF83E}c:\\program files\\playonline\\squareenix\\playonlineviewer\\pol.exe"= UDP:c:\program files\playonline\squareenix\playonlineviewer\pol.exe:PlayOnline Viewer
"UDP Query User{FF56311D-C7D0-4F6C-8CEB-B2AFD615BDBC}c:\\program files\\playonline\\squareenix\\playonlineviewer\\pol.exe"= TCP:c:\program files\playonline\squareenix\playonlineviewer\pol.exe:PlayOnline Viewer
"{C3FAE276-B457-450C-AB86-2916E2464E14}"= UDP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{10B333CC-71B8-4BBC-A295-A5F8542216EF}"= TCP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{7D4DAC30-121C-4660-9B15-8C41A849B4E3}"= UDP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{52598A37-7000-45D0-BC1C-10C2305F0935}"= TCP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"TCP Query User{E426FA6A-1D16-449F-81DA-8842CA53F32A}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
"UDP Query User{A84BA074-94A3-4A4C-8088-25A746489CB7}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
"TCP Query User{FE1C412D-5DA3-45C8-BC63-8BDEE629B3CA}c:\\program files\\yahoo! games\\rock and roll jeopardy!\\rock & roll jeopardy!.exe"= UDP:c:\program files\yahoo! games\rock and roll jeopardy!\rock & roll jeopardy!.exe:Rock & Roll JEOPARDY!
"UDP Query User{2C053A59-44B2-4B77-9E3E-B8E3E05CF3E4}c:\\program files\\yahoo! games\\rock and roll jeopardy!\\rock & roll jeopardy!.exe"= TCP:c:\program files\yahoo! games\rock and roll jeopardy!\rock & roll jeopardy!.exe:Rock & Roll JEOPARDY!
"TCP Query User{94AF029F-CB61-4A04-939E-6B5FC57A2B0E}c:\\program files\\bittornado\\btdownloadgui.exe"= UDP:c:\program files\bittornado\btdownloadgui.exe:btdownloadgui
"UDP Query User{DAC18F2C-FEB5-4B64-8CFF-486487C67233}c:\\program files\\bittornado\\btdownloadgui.exe"= TCP:c:\program files\bittornado\btdownloadgui.exe:btdownloadgui
"TCP Query User{9C8A6992-68D2-4090-A8E2-ABF29E1B5233}c:\\program files\\bittornado\\btdownloadgui.exe"= UDP:c:\program files\bittornado\btdownloadgui.exe:btdownloadgui
"UDP Query User{B78D621A-877F-4359-9965-EC7D225F30B1}c:\\program files\\bittornado\\btdownloadgui.exe"= TCP:c:\program files\bittornado\btdownloadgui.exe:btdownloadgui
"{A90219DC-82E0-4559-802E-350F8F837EA9}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D7D429EC-1F0D-4324-AF91-A3AD4B1ED136}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C544AA85-E85F-4819-A263-66C898C73C9E}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{A17B1401-F4A6-4D79-946B-20259BB5B74F}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{B1CD4C24-D7A5-4870-AB14-FEC4190EB991}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{8618261C-FEF9-4546-8CE6-D0BFD053F642}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{C214B0C9-331C-450A-923E-B671D16544C3}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{570BF0AD-3993-497D-B77D-E1D23464A175}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9ECB2525-B34D-4D20-B90F-EB3D899E9E41}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{5AE910C4-3638-4E9B-BDC7-472D3C465626}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{01722F1C-90BC-4298-8316-B5725CD7CD3B}c:\\program files\\trillian\\trillian.exe"= UDP:c:\program files\trillian\trillian.exe:Trillian
"UDP Query User{D9DC8163-2D95-4BA1-92CE-2EE66484FA11}c:\\program files\\trillian\\trillian.exe"= TCP:c:\program files\trillian\trillian.exe:Trillian
"{3FF97F9A-D386-415A-B587-F98E20DF21B9}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{94A6E40A-CAD3-42AE-8D92-3125A62CCA8F}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{7A92FA1A-8F1C-4C86-8AC4-BD01CC19F0DA}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{B9796DE7-355C-4525-AEF7-414E41B1AECF}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C3FDBA85-916A-41EC-ABF3-77A80085F5D6}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0D0BB0BD-4DA8-449C-B88A-65AE970A186C}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{43D3860E-2A5C-4711-AD49-3A4512ED58B5}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4903ED70-89D1-4859-8C11-CB160D82E0C0}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{F1455237-187D-45D0-8B23-E195618BA0C1}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{7FA12038-7BD6-4BAF-9F29-248D4783B175}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{B976F9F7-034E-4BF3-B189-81EAAE7E5FA8}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{83BF3E55-1D01-4107-BDE2-2A4CDB51F485}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{DA4AB036-71E9-47F7-BA84-D4FC24468C4B}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"TCP Query User{2DA802FE-FF53-4C73-8B2F-6CD094905D36}c:\\program files\\crossloop\\crossloopconnect.exe"= UDP:c:\program files\crossloop\crossloopconnect.exe:CrossLoop - Simple Secure Screen Sharing
"UDP Query User{5DA94E35-DABD-4A4D-A3F9-BB2B9E90C146}c:\\program files\\crossloop\\crossloopconnect.exe"= TCP:c:\program files\crossloop\crossloopconnect.exe:CrossLoop - Simple Secure Screen Sharing
"TCP Query User{3295AD20-4831-4392-89C5-C27EAD390397}c:\\users\\ally\\appdata\\roaming\\macromedia\\flash player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= UDP:c:\users\ally\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octosh...:octoshape.exe
"UDP Query User{CCB745BE-CC7E-4149-9CF5-CB4026735FD3}c:\\users\\ally\\appdata\\roaming\\macromedia\\flash player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= TCP:c:\users\ally\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octosh...:octoshape.exe
R0 AtiPcie;ATI PCI Express (3GIO) Filter;c:\windows\system32\DRIVERS\AtiPcie.sys [2006-10-30 7680]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-29 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
R2 MSCamSvc;MSCamSvc;c:\program files\Microsoft LifeCam\MSCamS32.exe [2007-05-17 271720]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 atikmdag;atikmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2007-08-14 2593280]
S3 Steam Client Service;Steam Client Service;c:\program files\Common Files\Steam\SteamService.exe [2008-02-20 87288]
S3 UMPass;Microsoft UMPass Driver;c:\windows\system32\DRIVERS\umpass.sys [2008-01-19 7680]
S3 VX1000;VX-1000;c:\windows\system32\DRIVERS\VX1000.sys [2007-04-10 1966312]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4aa8253e-17ce-11dd-b2b0-001c2399b138}]
\shell\AutoRun\command - G:\Autorun.exe /run
\shell\Shell00\Command - G:\Autorun.exe /run
\shell\Shell01\Command - G:\Autorun.exe /action
\shell\Shell02\Command - G:\Autorun.exe /uninstall
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c39115c1-0b2d-11dd-b117-001c2399b138}]
\shell\AutoRun\command - F:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder
2008-11-08 c:\windows\Tasks\User_Feed_Synchronization-{29AA11B2-594C-47F7-BCB0-C22DF6A1BF61}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 02:33]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-RoxWatchTray - c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-08 11:53:56
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: c:\windows\Explorer.exe
-> c:\program files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\BCMWLTRY.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\stacsv.exe
c:\windows\System32\drivers\XAudio.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\progra~1\AVG\AVG8\avgscanx.exe
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-11-08 12:00:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-08 17:00:11
ComboFix2.txt 2008-11-05 18:28:28
Pre-Run: 17,930,432,512 bytes free
Post-Run: 17,537,916,928 bytes free
317 --- E O F --- 2008-11-07 20:50:12
New HJT Log::
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:35 PM, on 11/8/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~4.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~4.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 7351 bytes
Thanks so much. So far so good, other than the items found on CrossLoop :D It seems to be running smoother, and no pop-ups in the last 6 hours.