Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
01-05-2008, 06:50 PM   #1
Registered User
 
Join Date: Jan 2008
Posts: 6
OS: Windows XP Home SP2


perfs.exe, routing.exe - how do I get rid of them?

I was running a NOD32 scan in which they were detected and removed... once I rebooted, however, they showed up again. From the searching I've done I'm pretty sure this is a trojan (most likely for botnets, etc.). How do I remove it?

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 14:20:07, on 05.1.2008 г.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\ActiveState Perl Dev Kit 6.0\bin\pdkdebug.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\routing.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.204.143.153:6588
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...scbase8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1187647958218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187647921421
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17B9F30C-35BA-4A5C-9214-6EA033243EDA}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: PDK Debug Listener (pdkdebug) - ActiveState - C:\Program Files\ActiveState Perl Dev Kit 6.0\bin\pdkdebug.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Unknown owner - C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe (file missing)
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe


------------

Thanks in advance. I hope I don't need to reinstall Windows X_X
gotosleep is offline  
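As an added example (not part of the original thread, and not a HijackThis, DSS or Tech Support Forum tool), here is a small Python triage helper that parses the R1 ProxyServer, O23 service and "(no file)"/"(file missing)" entries of a HijackThis log like the one above and flags the items an analyst reads first: the browser proxy set to an external address, the two Unknown-owner services launched from system32, and orphaned registrations whose target is gone from disk. The heuristics, the sample line selection and the "candidate for review" framing are the example's own assumptions.

```python
"""Triage helper for HijackThis-style logs (R1 / O23 / orphaned entries).

Added example for this thread; not a HijackThis, DSS or TSF tool, and the
heuristics are the example author's own.  It pulls out the entry types an
analyst reads first:
  * R1 ProxyServer settings that send browser traffic to a non-private host
  * O23 services with "Unknown owner" whose binary sits in %SystemRoot%\\system32
  * entries whose target is "(no file)" / "(file missing)" (orphaned registrations)
A hit is a candidate for review, not a verdict: legitimate unsigned software
(PunkBuster below) trips the same rule as perfs.exe and routing.exe.
"""
from dataclasses import dataclass, field
import ipaddress
import re

# Lines excerpted from the HijackThis log quoted above (used as sample input).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.204.143.153:6588
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O17 - HKLM\System\CCS\Services\Tcpip\..\{17B9F30C-35BA-4A5C-9214-6EA033243EDA}: NameServer = 192.168.1.1
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
"""

PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<host>[^:\s]+)(?::(?P<port>\d+))?$")
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)
ORPHAN_MARKERS = ("(no file)", "(file missing)")
SERVICE_PREFIX = "O23 - Service: "


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def is_private_or_local(host: str) -> bool:
    """True for RFC 1918 / loopback / link-local addresses and 'localhost'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a hostname; only 'localhost' is treated as local
        return host.lower() == "localhost"
    return ip.is_private or ip.is_loopback or ip.is_link_local


def parse_service(line: str):
    """Split an O23 line into name / owner / path / missing-flag.

    The display name may itself contain ' - ' (see the PRTG entry in the log),
    so the line is split from the right: the last two separators delimit
    owner and path.
    """
    if not line.startswith(SERVICE_PREFIX):
        return None
    body = line[len(SERVICE_PREFIX):]
    missing = body.endswith(" (file missing)")
    if missing:
        body = body[: -len(" (file missing)")]
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    return {"name": name, "owner": owner, "path": path, "missing": missing}


def triage(log_text: str):
    """Return one Finding per log line that deserves analyst attention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        svc = parse_service(line)
        if svc:
            if svc["owner"] == "Unknown owner" and SYSTEM32_RE.match(svc["path"]):
                reasons.append("unknown-owner service running from system32")
            if svc["missing"]:
                reasons.append("service still registered but its binary is missing")
        else:
            m = PROXY_RE.match(line)
            if m and not is_private_or_local(m.group("host")):
                reasons.append(f"browser proxy points at external host {m.group('host')}")
            elif line.endswith(ORPHAN_MARKERS):
                reasons.append("orphaned entry: target no longer on disk")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line[:70] + ("..." if len(f.line) > 70 else ""))
        for r in f.reasons:
            print("   ->", r)
```

Run against the full log, the same rules also surface the PnkBstrA service, which is why each hit is a review candidate rather than a removal instruction.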

01-10-2008, 11:06 AM   #2
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,237
OS: 2000 Pro; XP Pro; XP Home


Re: perfs.exe, routing.exe - how do I get rid of them?

Hello and Welcome. Apologies for any delay in replying, but we have been rather busy lately.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Looks like ComboFix got rid of most of the issues.

I need more information before continuing, please. If you still require assistance with your issue, and since it has been a few days since you first posted, please do this:

---------------------------------------------------------------------------------------------

You are using an outdated version of HijackThis. Please uninstall from Add/Remove programs, and delete your current version.

Next, download HijackThis to your desktop

Alternate link

Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

When it does, just close it.

---------------------------------------------------------------------------------------------


Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------

Thank you.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
01-10-2008, 10:13 PM   #3
Registered User
 
Join Date: Jan 2008
Posts: 6
OS: Windows XP Home SP2


Re: perfs.exe, routing.exe - how do I get rid of them?

Deckard's System Scanner v20071014.68
Run by Owner on 2008-01-10 21:10:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:10:52, on 10.1.2008 г.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Last.fm\LastFmHelper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.204.143.153:6588
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...scbase8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1187647958218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187647921421
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17B9F30C-35BA-4A5C-9214-6EA033243EDA}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PDK Debug Listener (pdkdebug) - ActiveState - C:\Program Files\ActiveState Perl Dev Kit 6.0\bin\pdkdebug.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Unknown owner - C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe (file missing)
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

--
End of file - 8449 bytes

-- Files created between 2007-12-10 and 2008-01-10 -----------------------------

2008-01-10 21:05:46 0 d-------- C:\Program Files\Trend Micro
2008-01-10 15:50:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-09 18:08:45 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-01-09 18:02:08 6144 --a------ C:\WINDOWS\system32\atiicdxx.sys <Not Verified; ATI Technologies Inc.; ATI Graphics Accelerators>
2008-01-09 18:02:06 122880 --a------ C:\WINDOWS\system32\Oemdspif.dll <Not Verified; ATI Technologies, Inc.; ATI Driver Interface Component>
2008-01-09 18:02:05 24064 --a------ C:\WINDOWS\system32\ativcoxx.dll <Not Verified; ATI Technologies, Inc.; >
2008-01-09 18:02:05 17408 --a------ C:\WINDOWS\system32\atitvo32.dll <Not Verified; ATI Technologies Inc.; ATI RageTheater/ImpacTV COM interface>
2008-01-09 18:02:05 2060288 --a------ C:\WINDOWS\system32\atipuixx.dll <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-01-09 18:02:05 114688 --a------ C:\WINDOWS\system32\atippaxx.dll <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-01-09 18:02:05 274432 --a------ C:\WINDOWS\system32\atipdsxx.dll <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-01-09 18:02:05 147456 --a------ C:\WINDOWS\system32\atipdlxx.dll <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-01-09 18:02:05 180224 --a------ C:\WINDOWS\system32\atiok3x2.dll <Not Verified; ATI Technologies Inc.; Ring 0 x2 Component>
2008-01-09 18:02:04 5435392 --a------ C:\WINDOWS\system32\atioglxx.dll <Not Verified; ATI Technologies Inc.; ATI OpenGL driver>
2008-01-09 18:02:03 49152 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll <Not Verified; ATI Technologies Inc.; eRecord>
2008-01-09 18:02:03 344064 --a------ C:\WINDOWS\system32\atiptaxx.exe <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-01-09 18:02:03 139264 --a------ C:\WINDOWS\system32\atiprbxx.exe <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-01-09 18:02:03 61440 --a------ C:\WINDOWS\system32\atiphexx.exe <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-01-09 18:02:03 9535488 --a------ C:\WINDOWS\system32\atioglx2.dll <Not Verified; ATI Technologies Inc.; ATI OpenGL driver>
2008-01-09 18:02:03 385024 --a------ C:\WINDOWS\system32\atikvmag.dll <Not Verified; ATI Technologies Inc.; Virtual Command And Memory Manager>
2008-01-09 18:02:03 36864 --a------ C:\WINDOWS\system32\atiiprxx.exe
2008-01-09 18:02:03 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll <Not Verified; ATI Technologies Inc.; ATI Display Driver Utilities>
2008-01-09 18:02:03 380928 --a------ C:\WINDOWS\system32\atiicdxx.dll <Not Verified; ATI Technologies Inc.; ATI Graphics Accelerators>
2008-01-09 18:02:03 368640 --a------ C:\WINDOWS\system32\ATIDEMGX.dll <Not Verified; Advanced Micro Devices, Inc.; Catalyst® Control Centre>
2008-01-09 18:02:03 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL <Not Verified; ATI Technologies Inc.; ATI Radeon Family>
2008-01-09 18:02:03 348160 --a------ C:\WINDOWS\system32\aticds10.dll <Not Verified; ATI Technologies Inc.; ATI Graphics Accelerators>
2008-01-09 18:02:03 1830912 --a------ C:\WINDOWS\system32\atiadaxx.exe <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-01-09 18:02:03 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe <Not Verified; ATI Technologies, Inc.; ATI Default Resolution Update>
2008-01-09 18:02:03 495616 --a------ C:\WINDOWS\system32\ati2evxx.exe <Not Verified; ATI Technologies Inc.; ATI External Event Utility for Windows>
2008-01-09 18:02:03 122880 --a------ C:\WINDOWS\system32\ati2evxx.dll <Not Verified; ATI Technologies Inc.; ATI External Event Utility for Windows>
2008-01-09 18:02:03 43520 --a------ C:\WINDOWS\system32\ati2edxx.dll <Not Verified; ATI Technologies, Inc.; ATI External Device Utility>
2008-01-09 18:02:01 3107788 --a------ C:\WINDOWS\system32\ativvaxx.dat
2008-01-09 18:02:01 887724 --a------ C:\WINDOWS\system32\ativva6x.dat
2008-01-09 18:02:01 3107788 --a------ C:\WINDOWS\system32\ativva5x.dat
2008-01-09 18:02:01 158080 --a------ C:\WINDOWS\system32\atiicdxx.dat
2008-01-09 17:54:48 0 d-------- C:\Program Files\Driver Cleaner Pro
2008-01-08 18:28:33 0 d-------- C:\Program Files\Microsoft SQL Server
2008-01-08 18:28:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Sony
2008-01-06 01:15:32 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-01-06 01:08:05 0 d-------- C:\Documents and Settings\Owner\Application Data\URSoft
2008-01-06 00:12:19 0 d-------- C:\Program Files\Sophos
2008-01-05 18:18:47 0 d-------- C:\Program Files\SpywareBlaster
2008-01-05 14:43:26 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-05 14:23:48 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-28 18:50:55 0 d-------- C:\Program Files\Ventrilo
2007-12-25 20:17:09 0 d-------- C:\Program Files\iPod
2007-12-25 20:17:03 0 d-------- C:\Program Files\iTunes
2007-12-25 20:15:43 0 d-------- C:\Program Files\Apple Software Update
2007-12-25 20:15:10 0 d-------- C:\Program Files\Common Files\Apple
2007-12-25 20:15:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-25 10:13:48 0 d-------- C:\Program Files\Alcohol Soft
2007-12-25 10:11:10 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-25 00:36:36 0 d-------- C:\Documents and Settings\Owner\.housecall6.6
2007-12-21 16:17:57 0 d-------- C:\World of Warcraft
2007-12-21 00:30:53 9619393 --a------ C:\WINDOWS\system32\FHCSECMJTNHSFD
2007-12-21 00:24:00 4 --a------ C:\WINDOWS\system32\0BEBB8
2007-12-21 00:18:47 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-21 00:17:03 8413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
2007-12-20 23:56:38 0 d-------- C:\Program Files\Best Buy Rhapsody
2007-12-20 23:42:18 0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-20 19:10:29 0 d-------- C:\Program Files\Western Digital
2007-12-20 19:10:13 0 d-------- C:\Program Files\Western Digital Technologies


-- Find3M Report ---------------------------------------------------------------

2008-01-10 19:14:55 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-01-09 18:07:00 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-09 1831 0 d-------- C:\Program Files\MultiRes
2008-01-09 18:01:52 0 d-------- C:\Program Files\Radeon Omega Drivers
2008-01-09 18:00:49 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-09 17:56:01 0 d-------- C:\Documents and Settings\Owner\Application Data\ATI
2008-01-08 23:27:14 0 d-------- C:\Documents and Settings\Owner\Application Data\FileZilla
2008-01-08 19:10:34 0 d-------- C:\Documents and Settings\Owner\Application Data\Sony
2008-01-08 18:27:26 0 d-------- C:\Program Files\VstPlugins
2008-01-08 18:26:57 0 d-------- C:\Program Files\Sony
2008-01-07 19:57:14 0 d-------- C:\Program Files\Cheat Engine
2008-01-07 19:57:14 0 d-------- C:\Program Files\BandwidthMeterPro
2008-01-07 16:02:33 0 d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-01-07 16:02:17 0 d-------- C:\Program Files\mIRC
2008-01-06 02:30:48 0 d-------- C:\Program Files\SmartFTP Client
2008-01-06 01:05:32 0 d-------- C:\Program Files\Eraser
2008-01-05 16:20:04 0 d-------- C:\Program Files\Winamp
2008-01-05 16:01:19 0 d-------- C:\Program Files\PowerISO
2008-01-05 15:39:15 0 d-------- C:\Program Files\Last.fm
2008-01-05 15:15:58 0 d-------- C:\Program Files\FileZilla Client
2008-01-05 15:10:11 0 d-------- C:\Program Files\AIM
2008-01-05 02:08:24 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-01-05 0246 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-03 15:30:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Xfire
2007-12-31 01:59:14 0 d-------- C:\Documents and Settings\Owner\Application Data\Hamachi
2007-12-30 16:33:34 0 d-------- C:\Documents and Settings\Owner\Application Data\Aim
2007-12-28 18:45:39 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-27 22:13:54 0 d-------- C:\Program Files\DC++
2007-12-26 00:56:43 0 d-------- C:\Program Files\ICQ
2007-12-25 22:46:14 0 d-------- C:\Program Files\SHOUTcast
2007-12-25 20:16:37 0 d-------- C:\Program Files\QuickTime Alternative
2007-12-25 20:15:10 0 d-------- C:\Program Files\Common Files
2007-12-24 00:00:36 253440 --a------ C:\WINDOWS\system32\ndt2.sys
2007-12-21 16:17:57 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-12-21 01:13:46 0 d-------- C:\Program Files\Real
2007-12-21 01:12:34 0 d-------- C:\Program Files\Heroes
2007-12-21 01:12:27 0 d-------- C:\Program Files\Doomsday
2007-12-21 00:17:30 0 d-------- C:\Program Files\Common Files\Real
2007-12-21 00:17:04 0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2007-12-20 23:42:16 0 d-------- C:\Program Files\Common Files\InstallShield
2007-12-19 19:03:58 0 d---s---- C:\Program Files\Xfire
2007-12-06 20:28:24 0 d-------- C:\Documents and Settings\Owner\Application Data\foobar2000
2007-12-04 19:04:08 269312 --a------ C:\WINDOWS\system32\ati2dvag.dll <Not Verified; ATI Technologies Inc.; ATI Radeon WindowsNT Display Driver>
2007-12-04 18:33:47 1640192 --a------ C:\WINDOWS\system32\ativvaxx.dll <Not Verified; ATI Technologies Inc.; ATI Technologies Inc. Radeon Video Acceleration Universal Driver>
2007-12-04 18:11:18 499712 --a------ C:\WINDOWS\system32\ati2cqag.dll <Not Verified; ATI Technologies Inc.; ATI Radeon Family>
2007-12-02 11:21:29 0 d-------- C:\Program Files\Exact Audio Copy
2007-12-02 11:21:25 0 d-------- C:\Documents and Settings\Owner\Application Data\AccurateRip
2007-11-25 17:05:22 0 d-------- C:\Program Files\GuerillaSoft
2007-11-25 01:18:03 1 --a------ C:\WINDOWS\system32\SI.bin
2007-11-22 13:24:48 0 d-------- C:\Documents and Settings\Owner\Application Data\Mount&Blade
2007-11-16 21:13:50 0 d-------- C:\Program Files\middle_man


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KBD.EXE" [11.02.2003 г. 18:02]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [13.09.2002 г. 20:42]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [11.05.2000 г. 01:00]
"PS2"="C:\WINDOWS\system32\ps2.exe" [16.10.2002 г. 14:57]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask.exe" [11.12.2007 г. 10:56]
"AtiPTA"="atiptaxx.exe" [21.02.2006 г. 17:05 C:\WINDOWS\system32\atiptaxx.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03.08.2004 г. 23:56]
"AIM"="C:\Program Files\AIM\aim.exe" [18.06.2003 г. 12:54]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [10.8.2007 г. 00:37:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=C:\WINDOWS\pss\ WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackICE PC Protection.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlackICE PC Protection.lnk
backup=C:\WINDOWS\pss\BlackICE PC Protection.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^FlexType 2K.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\FlexType 2K.lnk
backup=C:\WINDOWS\pss\FlexType 2K.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk
backup=C:\WINDOWS\pss\GetRight - Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MagicTune 3.6.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MagicTune 3.6.lnk
backup=C:\WINDOWS\pss\MagicTune 3.6.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=C:\WINDOWS\pss\Privoxy.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=C:\WINDOWS\pss\Run Google Web Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^ATI Tray Tools.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ATI Tray Tools.lnk
backup=C:\WINDOWS\pss\ATI Tray Tools.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^check-ip-changed.bat]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\check-ip-changed.bat
backup=C:\WINDOWS\pss\check-ip-changed.batStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BandwidthMeterPro]
C:\Program Files\BandwidthMeterPro\BWMeterPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BOC-425]
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
C:\Program Files\Eraser\eraser.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
C:\PROGRA~1\ICQ\ICQNet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"d:\wares-mp3s-games-etc\games\steam\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
"C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)
"BlackICE"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Eraser"=C:\Program Files\Eraser\eraser.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"razer"=C:\Program Files\Razer\Copperhead\razerhid.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0804dd6-b5fc-11d9-a9fe-806d6172696f}]
AutoRun\command- G:\autoplay.exe




-- End of Deckard's System Scanner: finished at 2008-01-10 21:11:15 ------------

I closed extra.txt once and on the next scan it didn't pop up. Oops :(
gotosleep is offline  
Old 01-10-2008, 10:16 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,237
OS: 2000 Pro; XP Pro; XP Home


Re: perfs.exe, routing.exe - how do I get rid of them?

If that's the second run of DSS, I want the first main.txt, as it has different information.

That main.txt log, and extra.txt will be located at C:\Deckard\System Scanner inside a numbered folder. Please locate and post both.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
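The entries in these logs that actually matter for the question in the thread title are the two O23 services still registered for binaries in system32 that no longer exist (perfs.exe and routing.exe, both "Unknown owner", "file missing") and the HKCU ProxyServer value that sends all Internet Explorer traffic through a public address on port 6588. The script below is an added example, not a tool from this thread, from Trend Micro or from Deckard's System Scanner; it parses HijackThis R1, O17 and O23 lines and flags those patterns. The sample input is excerpted from the HijackThis log posted in this thread; the severity levels and the "Unknown owner plus missing file in a system directory" heuristic are the example's own assumptions.

```python
"""Triage a HijackThis log for orphaned service registrations and
traffic redirection (IE proxy, DNS server) that point off the local network.
Added example, not part of the original thread."""
import ipaddress
import re
from dataclasses import dataclass

# Lines excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.204.143.153:6588
O17 - HKLM\System\CCS\Services\Tcpip\..\{17B9F30C-35BA-4A5C-9214-6EA033243EDA}: NameServer = 192.168.1.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Unknown owner - C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe (file missing)
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
"""

# "O23 - Service: <display name> (<service name>) - <owner> - <path>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<value>\S+)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<value>\S+)$")
# Directories where a vendor-less, already-deleted service binary is most suspicious (assumption).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    line: str
    reason: str


def _is_local_address(host: str) -> bool:
    """True for loopback, RFC 1918 and link-local IPs. Hostnames and public IPs return False."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def _hosts_from_proxy_value(value: str):
    # IE stores either "host:port" or "http=host:port;https=host:port;..." (IPv6 literals not handled).
    for part in value.split(";"):
        hostport = part.split("=", 1)[-1]
        host = hostport.rsplit(":", 1)[0]
        if host:
            yield host


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            path = m["path"]
            missing = path.endswith("(file missing)")
            path = path.replace("(file missing)", "").strip()
            in_system_dir = path.lower().startswith(SYSTEM_DIRS)
            no_vendor = m["owner"].lower() == "unknown owner"
            if missing and no_vendor and in_system_dir:
                findings.append(Finding("high", line,
                    f"service '{m['name']}' is still registered for {path}, a vendor-less binary "
                    "that has already been deleted; the registration will relaunch it if it reappears"))
            elif missing:
                findings.append(Finding("medium", line,
                    f"service '{m['name']}' points at missing file {path}; orphaned registration"))
            continue
        m = PROXY_RE.match(line)
        if m:
            for host in _hosts_from_proxy_value(m["value"]):
                if not _is_local_address(host):
                    findings.append(Finding("high", line,
                        f"IE proxy set to {host}, which is not on the local network; "
                        "all browser traffic is being relayed through it"))
            continue
        m = DNS_RE.match(line)
        if m:
            for host in m["value"].split(","):
                if not _is_local_address(host):
                    findings.append(Finding("info", line,
                        f"DNS server {host} is not a local-network address; confirm it is your ISP's"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

A flagged O23 line is a service registration, not just a file, so deleting the binary is not enough; the registration has to go as well (on XP, `sc delete <service name>` from an administrator prompt, or HijackThis' Misc Tools "Delete an NT service"). The proxy value is the other thing to clear before the machine is trusted again, since every IE request is otherwise routed through that host.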
Old 01-10-2008, 11:28 PM   #5 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 6
OS: Windows XP Home SP2


Re: perfs.exe, routing.exe - how do I get rid of them?

Sorry about that, I didn't know the program kept logs. Here is the original:

--------------------

Deckard's System Scanner v20071014.68
Run by Owner on 2008-01-10 2151
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
45: 2008-01-11 0556 UTC - RP916 - Deckard's System Scanner Restore Point
44: 2008-01-11 03:00:30 UTC - RP915 - Ad-Aware Restore Point 2008-01-10 19:00:24
43: 2008-01-10 23:50:27 UTC - RP914 - Installed AVG 7.5
42: 2008-01-10 23:48:45 UTC - RP913 - Removed AVG 7.5
41: 2008-01-10 01:56:55 UTC - RP912 - Removed ATI Catalyst Control Center


-- First Restore Point --
1: 2007-12-21 06:11:41 UTC - RP872 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:08:29, on 10.1.2008 г.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Last.fm\LastFmHelper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe
C:\WINDOWS\system32\dumprep.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.204.143.153:6588
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...scbase8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1187647958218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187647921421
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17B9F30C-35BA-4A5C-9214-6EA033243EDA}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PDK Debug Listener (pdkdebug) - ActiveState - C:\Program Files\ActiveState Perl Dev Kit 6.0\bin\pdkdebug.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Unknown owner - C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe (file missing)
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

--
End of file - 8584 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 fasttx2k - c:\windows\system32\drivers\fasttx2k.sys <Not Verified; Promise Technology, Inc.; Promise FastTrak Series Driver>
R0 PQV2i - c:\windows\system32\drivers\pqv2i.sys <Not Verified; StorageCraft; V2i Protector>
R1 atitray - c:\program files\ngoatiod172\att\atitray.sys
R1 MagicTune - c:\windows\system32\drivers\mtictwl.sys
R1 PQIMount - c:\windows\system32\drivers\pqimount.sys <Not Verified; PowerQuest Corporation; V2i Protector>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R1 truecrypt - c:\windows\system32\drivers\truecrypt.sys <Not Verified; TrueCrypt Foundation; TrueCrypt>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R4 Avg7RsW (AVG7 Wrap Driver) - c:\windows\system32\drivers\avg7rsw.sys (file missing)

S2 zntport (NTPort Library Driver) - c:\windows\system32\zntport.sys (file missing)
S3 ALCXWDM (Service for Realtek AC97 Audio (WDM)) - c:\windows\system32\drivers\alcxwdm.sys (file missing)
S3 HWACCESS - c:\windows\system32\hwaccess.sys
S3 MEMSWEEP2 - c:\windows\system32\45f5.tmp (file missing)
S3 ProtoWall (ProtoWall Network Service) - c:\windows\system32\drivers\protowall.sys (file missing)
S3 RapDrv - c:\windows\system32\drivers\rapdrv.sys <Not Verified; Internet Security Systems, Inc.; Rap Protection System>
S3 RapFile - c:\windows\system32\drivers\rapfile.sys <Not Verified; Internet Security Systems, Inc.; Rap Protection System>
S3 RapNet - c:\windows\system32\drivers\rapnet.sys <Not Verified; Internet Security Systems, Inc.; Rap Protection System>
S3 Razerlow (Razer Copperhead Driver) - c:\windows\system32\drivers\razerlow.sys <Not Verified; Razer (Asia-Pacific) Pte Ltd; Diamondback USB Optical Mouse>
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>
S3 UfasoftSnifDriver4 (Ufasoft Snif Driver v4) - c:\program files\ufasoft\sniffer\usft_sn4.sys (file missing)
S3 UKS11LDR (M-Audio USB Keystation Loader) - c:\windows\system32\drivers\uks11ldr.sys <Not Verified; MIDIMAN; Midiman USB Keystation Loader>
S3 USBKT1X1 (M-Audio USB Keystation) - c:\windows\system32\drivers\usbkt1x1.sys <Not Verified; Doug Fetter Software Wizardry; Midiman USB Keystation Midi Interface>
S3 XDva013 - c:\windows\system32\xdva013.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S2 BOCore - c:\program files\comodo\cboclean\bocore.exe <Not Verified; COMODO; COMODO BOClean - Anti-Malware>
S2 GEARSecurity - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>
S2 pdkdebug (PDK Debug Listener) - "c:\program files\activestate perl dev kit 6.0\bin\pdkdebug.exe" <Not Verified; ActiveState; Perl Dev Kit>
S2 perfmons (perfmons Service) - c:\windows\system32\perfs.exe (file missing)
S2 PRTGService (PRTG Service - Paessler Router Traffic Grapher) - c:\program files\prtg traffic grapher\prtg traffic grapher.exe (file missing)
S2 Routing (Routing Service) - c:\windows\system32\routing.exe (file missing)
S3 TUWinStylerThemeSvc (TuneUp WinStyler Theme Service) - "c:\program files\tuneup utilities 2004\winstylerthemesvc.exe" <Not Verified; TuneUp Software GmbH; TuneUp Utilities>
S4 BlackICE - "c:\program files\iss\blackice\blackd.exe" <Not Verified; Internet Security Systems, Inc.; Network ICE Corporation blackd>
S4 RapApp - "c:\program files\iss\blackice\rapapp.exe" <Not Verified; Internet Security Systems, Inc.; Rap Protection System>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\E0180027FDC3
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\E0180027FDC3
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Hamachi Network Interface
Device ID: ROOT\NET\0000
Manufacturer: LogMeIn, Inc.
Name: Hamachi Network Interface
PNP Device ID: ROOT\NET\0000
Service: hamachi


-- Scheduled Tasks -------------------------------------------------------------

2008-01-05 19:05:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-01-04 17:16:42 394 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2007-12-10 and 2008-01-10 -----------------------------

2008-01-10 21:05:46 0 d-------- C:\Program Files\Trend Micro
2008-01-10 15:50:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-09 18:08:45 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-01-09 18:02:08 6144 --a------ C:\WINDOWS\system32\atiicdxx.sys <Not Verified; ATI Technologies Inc.; ATI Graphics Accelerators>
2008-01-09 18:02:06 122880 --a------ C:\WINDOWS\system32\Oemdspif.dll <Not Verified; ATI Technologies, Inc.; ATI Driver Interface Component>
2008-01-09 18:02:05 24064 --a------ C:\WINDOWS\system32\ativcoxx.dll <Not Verified; ATI Technologies, Inc.; >
2008-01-09 18:02:05 17408 --a------ C:\WINDOWS\system32\atitvo32.dll <Not Verified; ATI Technologies Inc.; ATI RageTheater/ImpacTV COM interface>
2008-01-09 18:02:05 2060288 --a------ C:\WINDOWS\system32\atipuixx.dll <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-01-09 18:02:05 114688 --a------ C:\WINDOWS\system32\atippaxx.dll <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-01-09 18:02:05 274432 --a------ C:\WINDOWS\system32\atipdsxx.dll <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-01-09 18:02:05 147456 --a------ C:\WINDOWS\system32\atipdlxx.dll <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-01-09 18:02:05 180224 --a------ C:\WINDOWS\system32\atiok3x2.dll <Not Verified; ATI Technologies Inc.; Ring 0 x2 Component>
2008-01-09 18:02:04 5435392 --a------ C:\WINDOWS\system32\atioglxx.dll <Not Verified; ATI Technologies Inc.; ATI OpenGL driver>
2008-01-09 18:02:03 49152 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll <Not Verified; ATI Technologies Inc.; eRecord>
2008-01-09 18:02:03 344064 --a------ C:\WINDOWS\system32\atiptaxx.exe <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-01-09 18:02:03 139264 --a------ C:\WINDOWS\system32\atiprbxx.exe <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-01-09 18:02:03 61440 --a------ C:\WINDOWS\system32\atiphexx.exe <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-01-09 18:02:03 9535488 --a------ C:\WINDOWS\system32\atioglx2.dll <Not Verified; ATI Technologies Inc.; ATI OpenGL driver>
2008-01-09 18:02:03 385024 --a------ C:\WINDOWS\system32\atikvmag.dll <Not Verified; ATI Technologies Inc.; Virtual Command And Memory Manager>
2008-01-09 18:02:03 36864 --a------ C:\WINDOWS\system32\atiiprxx.exe
2008-01-09 18:02:03 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll <Not Verified; ATI Technologies Inc.; ATI Display Driver Utilities>
2008-01-09 18:02:03 380928 --a------ C:\WINDOWS\system32\atiicdxx.dll <Not Verified; ATI Technologies Inc.; ATI Graphics Accelerators>
2008-01-09 18:02:03 368640 --a------ C:\WINDOWS\system32\ATIDEMGX.dll <Not Verified; Advanced Micro Devices, Inc.; Catalyst® Control Centre>
2008-01-09 18:02:03 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL <Not Verified; ATI Technologies Inc.; ATI Radeon Family>
2008-01-09 18:02:03 348160 --a------ C:\WINDOWS\system32\aticds10.dll <Not Verified; ATI Technologies Inc.; ATI Graphics Accelerators>
2008-01-09 18:02:03 1830912 --a------ C:\WINDOWS\system32\atiadaxx.exe <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-01-09 18:02:03 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe <Not Verified; ATI Technologies, Inc.; ATI Default Resolution Update>
2008-01-09 18:02:03 495616 --a------ C:\WINDOWS\system32\ati2evxx.exe <Not Verified; ATI Technologies Inc.; ATI External Event Utility for Windows>
2008-01-09 18:02:03 122880 --a------ C:\WINDOWS\system32\ati2evxx.dll <Not Verified; ATI Technologies Inc.; ATI External Event Utility for Windows>
2008-01-09 18:02:03 43520 --a------ C:\WINDOWS\system32\ati2edxx.dll <Not Verified; ATI Technologies, Inc.; ATI External Device Utility>
2008-01-09 18:02:01 3107788 --a------ C:\WINDOWS\system32\ativvaxx.dat
2008-01-09 18:02:01 887724 --a------ C:\WINDOWS\system32\ativva6x.dat
2008-01-09 18:02:01 3107788 --a------ C:\WINDOWS\system32\ativva5x.dat
2008-01-09 18:02:01 158080 --a------ C:\WINDOWS\system32\atiicdxx.dat
2008-01-09 17:54:48 0 d-------- C:\Program Files\Driver Cleaner Pro
2008-01-08 18:28:33 0 d-------- C:\Program Files\Microsoft SQL Server
2008-01-08 18:28:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Sony
2008-01-06 01:15:32 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-01-06 01:08:05 0 d-------- C:\Documents and Settings\Owner\Application Data\URSoft
2008-01-06 00:12:19 0 d-------- C:\Program Files\Sophos
2008-01-05 18:18:47 0 d-------- C:\Program Files\SpywareBlaster
2008-01-05 14:43:26 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-05 14:23:48 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-28 18:50:55 0 d-------- C:\Program Files\Ventrilo
2007-12-25 20:17:09 0 d-------- C:\Program Files\iPod
2007-12-25 20:17:03 0 d-------- C:\Program Files\iTunes
2007-12-25 20:15:43 0 d-------- C:\Program Files\Apple Software Update
2007-12-25 20:15:10 0 d-------- C:\Program Files\Common Files\Apple
2007-12-25 20:15:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-25 10:13:48 0 d-------- C:\Program Files\Alcohol Soft
2007-12-25 10:11:10 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-25 00:36:36 0 d-------- C:\Documents and Settings\Owner\.housecall6.6
2007-12-21 16:17:57 0 d-------- C:\World of Warcraft
2007-12-21 00:30:53 9619393 --a------ C:\WINDOWS\system32\FHCSECMJTNHSFD
2007-12-21 00:24:00 4 --a------ C:\WINDOWS\system32\0BEBB8
2007-12-21 00:18:47 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-21 00:17:03 8413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
2007-12-20 23:56:38 0 d-------- C:\Program Files\Best Buy Rhapsody
2007-12-20 23:42:18 0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-12-20 19:10:29 0 d-------- C:\Program Files\Western Digital
2007-12-20 19:10:13 0 d-------- C:\Program Files\Western Digital Technologies


-- Find3M Report ---------------------------------------------------------------

2008-01-10 19:14:55 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-01-09 18:07:00 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-09 1831 0 d-------- C:\Program Files\MultiRes
2008-01-09 18:01:52 0 d-------- C:\Program Files\Radeon Omega Drivers
2008-01-09 18:00:49 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-09 17:56:01 0 d-------- C:\Documents and Settings\Owner\Application Data\ATI
2008-01-08 23:27:14 0 d-------- C:\Documents and Settings\Owner\Application Data\FileZilla
2008-01-08 19:10:34 0 d-------- C:\Documents and Settings\Owner\Application Data\Sony
2008-01-08 18:27:26 0 d-------- C:\Program Files\VstPlugins
2008-01-08 18:26:57 0 d-------- C:\Program Files\Sony
2008-01-07 19:57:14 0 d-------- C:\Program Files\Cheat Engine
2008-01-07 19:57:14 0 d-------- C:\Program Files\BandwidthMeterPro
2008-01-07 16:02:33 0 d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-01-07 16:02:17 0 d-------- C:\Program Files\mIRC
2008-01-06 02:30:48 0 d-------- C:\Program Files\SmartFTP Client
2008-01-06 01:05:32 0 d-------- C:\Program Files\Eraser
2008-01-05 16:20:04 0 d-------- C:\Program Files\Winamp
2008-01-05 16:01:19 0 d-------- C:\Program Files\PowerISO
2008-01-05 15:39:15 0 d-------- C:\Program Files\Last.fm
2008-01-05 15:15:58 0 d-------- C:\Program Files\FileZilla Client
2008-01-05 15:10:11 0 d-------- C:\Program Files\AIM
2008-01-05 02:08:24 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-01-05 0246 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-03 15:30:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Xfire
2007-12-31 01:59:14 0 d-------- C:\Documents and Settings\Owner\Application Data\Hamachi
2007-12-30 16:33:34 0 d-------- C:\Documents and Settings\Owner\Application Data\Aim
2007-12-28 18:45:39 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-27 22:13:54 0 d-------- C:\Program Files\DC++
2007-12-26 00:56:43 0 d-------- C:\Program Files\ICQ
2007-12-25 22:46:14 0 d-------- C:\Program Files\SHOUTcast
2007-12-25 20:16:37 0 d-------- C:\Program Files\QuickTime Alternative
2007-12-25 20:15:10 0 d-------- C:\Program Files\Common Files
2007-12-24 00:00:36 253440 --a------ C:\WINDOWS\system32\ndt2.sys
2007-12-21 16:17:57 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-12-21 01:13:46 0 d-------- C:\Program Files\Real
2007-12-21 01:12:34 0 d-------- C:\Program Files\Heroes
2007-12-21 01:12:27 0 d-------- C:\Program Files\Doomsday
2007-12-21 00:17:30 0 d-------- C:\Program Files\Common Files\Real
2007-12-21 00:17:04 0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2007-12-20 23:42:16 0 d-------- C:\Program Files\Common Files\InstallShield
2007-12-19 19:03:58 0 d---s---- C:\Program Files\Xfire
2007-12-06 20:28:24 0 d-------- C:\Documents and Settings\Owner\Application Data\foobar2000
2007-12-04 19:04:08 269312 --a------ C:\WINDOWS\system32\ati2dvag.dll <Not Verified; ATI Technologies Inc.; ATI Radeon WindowsNT Display Driver>
2007-12-04 18:33:47 1640192 --a------ C:\WINDOWS\system32\ativvaxx.dll <Not Verified; ATI Technologies Inc.; ATI Technologies Inc. Radeon Video Acceleration Universal Driver>
2007-12-04 18:11:18 499712 --a------ C:\WINDOWS\system32\ati2cqag.dll <Not Verified; ATI Technologies Inc.; ATI Radeon Family>
2007-12-02 11:21:29 0 d-------- C:\Program Files\Exact Audio Copy
2007-12-02 11:21:25 0 d-------- C:\Documents and Settings\Owner\Application Data\AccurateRip
2007-11-25 17:05:22 0 d-------- C:\Program Files\GuerillaSoft
2007-11-25 01:18:03 1 --a------ C:\WINDOWS\system32\SI.bin
2007-11-22 13:24:48 0 d-------- C:\Documents and Settings\Owner\Application Data\Mount&Blade
2007-11-16 21:13:50 0 d-------- C:\Program Files\middle_man


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="C:\HP\KBD\KBD.EXE" [11.02.2003 г. 18:02]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [13.09.2002 г. 20:42]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [11.05.2000 г. 01:00]
"PS2"="C:\WINDOWS\system32\ps2.exe" [16.10.2002 г. 14:57]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask.exe" [11.12.2007 г. 10:56]
"AtiPTA"="atiptaxx.exe" [21.02.2006 г. 17:05 C:\WINDOWS\system32\atiptaxx.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03.08.2004 г. 23:56]
"AIM"="C:\Program Files\AIM\aim.exe" [18.06.2003 г. 12:54]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [10.8.2007 г. 00:37:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=C:\WINDOWS\pss\ WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackICE PC Protection.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlackICE PC Protection.lnk
backup=C:\WINDOWS\pss\BlackICE PC Protection.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^FlexType 2K.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\FlexType 2K.lnk
backup=C:\WINDOWS\pss\FlexType 2K.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk
backup=C:\WINDOWS\pss\GetRight - Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MagicTune 3.6.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MagicTune 3.6.lnk
backup=C:\WINDOWS\pss\MagicTune 3.6.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=C:\WINDOWS\pss\Privoxy.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=C:\WINDOWS\pss\Run Google Web Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^ATI Tray Tools.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ATI Tray Tools.lnk
backup=C:\WINDOWS\pss\ATI Tray Tools.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^check-ip-changed.bat]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\check-ip-changed.bat
backup=C:\WINDOWS\pss\check-ip-changed.batStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BandwidthMeterPro]
C:\Program Files\BandwidthMeterPro\BWMeterPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BOC-425]
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
C:\Program Files\Eraser\eraser.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
C:\PROGRA~1\ICQ\ICQNet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"d:\wares-mp3s-games-etc\games\steam\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
"C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)
"BlackICE"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Eraser"=C:\Program Files\Eraser\eraser.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"razer"=C:\Program Files\Razer\Copperhead\razerhid.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0804dd6-b5fc-11d9-a9fe-806d6172696f}]
AutoRun\command- G:\autoplay.exe



-- End of Deckard's System Scanner: finished at 2008-01-10 21:09:24 ------------
Attached Files
File Type: txt extra.txt (32.3 KB, 3 views)

Last edited by gotosleep; 01-10-2008 at 11:29 PM.
gotosleep is offline  
Old 01-11-2008, 12:01 AM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,237
OS: 2000 Pro; XP Pro; XP Home


Re: perfs.exe, routing.exe - how do I get rid of them?

It looks to me like the files are already deleted.

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

Quote:
@echo off
sc stop perfmons
sc stop Routing
sc delete perfmons
sc delete Routing
exit
Double click FixServices.bat. A window will open and close. This is normal.

I don't see a dedicated AntiVirus application on the machine. May I ask why?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 01-12-2008, 01:11 AM   #7 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 6
OS: Windows XP Home SP2


Re: perfs.exe, routing.exe - how do I get rid of them?

My copy of NOD32 was giving me problems. I tried AVG and avast! individually and was unhappy with both of them so I uninstalled and was gonna reinstall NOD32 later that night. Both perfs/routing.exe are removed because I read a guide on another site where I used some program called OTMoveIt (or something along those lines) and another fix but the files remained in my HijackThis reports as "O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)". After running your fix they don't appear there anymore in HijackThis logs.

I wasn't sure if this would return to give me problems yet again since this infection is allegedly caused by a rootkit. I didn't think deleting both files from the SYSTEM32 directory is all I need to do to stop the rootkit.

Thanks!

Last edited by gotosleep; 01-12-2008 at 01:15 AM.
gotosleep is offline  
Old 01-12-2008, 07:52 AM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,237
OS: 2000 Pro; XP Pro; XP Home


Re: perfs.exe, routing.exe - how do I get rid of them?

Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer.

Reinstall NOD32, or choose another, but install an AntiVirus application now please. Even with BO Clean installed, your machine needs an AntiVirus application.

I use NOD32 and have never had any troubles with it. You may want to give Kaspersky a try.

After you've installed, updated and run a full system scan with an AntiVirus, please do this:


Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Second Opinion Scanner


Instructions are on the page:

Download and Install the kav6.0.3.837_sosen.exe package on the local machine with default settings. (Click Next on every option to accept default settings and choose the Complete button for a full install)

Run an Update in the Kaspersky SOS software. (This is the virus signature definitions update and needs internet connection)

Disable your AntiVirus application

Run a full scan to detect and remove any malware that has not been found or disinfected by the other vendor’s anti-virus.

Save that log and post it. Also post a new HijackThis log.
tetonbob is offline  
Old 01-12-2008, 10:11 PM   #9 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 6
OS: Windows XP Home SP2


Re: perfs.exe, routing.exe - how do I get rid of them?

Kaspersky SOS Log:

Scan
----
Scanned: 735317
Detected: 0
Untreated: 0
Start time: 12.1.2008 г. 11:23:20
Duration: 03:59:09
Finish time: 12.1.2008 г. 15:22:29
Signatures published: 12.1.2008 г. 07:48:15


Detected
--------
Status Object
------ ------


Events
------
Time Name Status Reason
---- ---- ------ ------


Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology Yes
Enable iSwift technology Yes
Record information about dangerous objects to program statistics Yes


HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:11:58, on 12.1.2008 г.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\ActiveState Perl Dev Kit 6.0\bin\pdkdebug.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.204.143.153:6588
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...scbase8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1187647958218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1187647921421
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17B9F30C-35BA-4A5C-9214-6EA033243EDA}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PDK Debug Listener (pdkdebug) - ActiveState - C:\Program Files\ActiveState Perl Dev Kit 6.0\bin\pdkdebug.exe
O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Unknown owner - C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

--
End of file - 8543 bytes


~~~~~~~~~~~~~

NOD32 was disabled for the duration of the HijackThis and Kaspersky scans.

Last edited by gotosleep; 01-12-2008 at 10:13 PM.
gotosleep is offline  
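Reading the O23, R1 and O4 lines by hand is how the helper above spotted the orphaned perfmons and Routing services. As an added example (not HijackThis code and not something posted in this thread), here is a small Python triage script that parses those three line formats and lists the entries to look at first: services whose binary is gone or that have no vendor name and run from the Windows directory, a ProxyServer setting that points away from the local machine, and Run entries that name a bare file with no path. The sample lines are constructed for the example, apart from the perfmons line quoted earlier in the thread; 203.0.113.7 is a documentation address, and the Example Corp entries are placeholders.

```python
"""Triage of HijackThis-style log lines (added example; not HijackThis code
and not posted in this thread). Handles the O23 service, R1 ProxyServer and
O4 Run-key formats seen in the logs above. Sample lines are constructed,
except the perfmons line, which is quoted earlier in the thread."""
import ipaddress
import re
from dataclasses import dataclass

O23_PREFIX = "O23 - Service: "
FILE_MISSING = " (file missing)"
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>\S+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Addresses a proxy may legitimately point at: this machine or the LAN.
# Checked explicitly because ipaddress.is_private also matches the
# documentation range (203.0.113.0/24) used in the sample below.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    severity: str   # "review": investigate / ask the user; "info": worth a glance
    line: str
    reason: str


def parse_o23(line):
    """Split 'O23 - Service: <display> - <owner> - <path>' into
    (display, owner, path, file_missing), or None if the shape is wrong.
    Splitting from the right keeps display names containing ' - ' intact."""
    parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = parts
    missing = path.endswith(FILE_MISSING)
    if missing:
        path = path[:-len(FILE_MISSING)]
    return display, owner, path, missing


def is_local_host(host):
    """True if the proxy host is loopback or RFC 1918 (e.g. a local Privoxy)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname: cannot tell offline, so treat as off-host
    return any(addr in net for net in LOCAL_NETS)


def triage(lines):
    """Return the Findings for a list of log lines, in log order."""
    findings = []
    for raw in lines:
        line = raw.rstrip()
        if line.startswith(O23_PREFIX):
            parsed = parse_o23(line)
            if parsed is None:
                continue
            display, owner, path, missing = parsed
            if missing:
                findings.append(Finding("review", line,
                    "service is still registered but its binary is gone; "
                    "delete the orphaned registration (sc delete <short name>)"))
            elif owner == "Unknown owner" and "\\windows\\" in path.lower():
                findings.append(Finding("review", line,
                    "service has no vendor name in its version info and runs "
                    "from the Windows directory"))
            continue
        m = PROXY_RE.match(line)
        if m:
            host = m.group("proxy").rsplit(":", 1)[0]   # strip the port
            if not is_local_host(host):
                findings.append(Finding("review", line,
                    f"browser traffic is sent through an off-host proxy ({host}); "
                    "confirm this is intentional"))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            first = cmd.split()[0]
            if not cmd.startswith('"') and "\\" not in first and ":" not in first:
                findings.append(Finding("info", line,
                    f"Run entry [{m.group('name')}] names a bare file ({first}); "
                    "it is resolved via PATH, so check which copy actually runs"))
    return findings


# Constructed sample in HijackThis layout (perfmons line quoted from the thread).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.0.113.7:6588
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Example AV\avp.exe"
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: Example Updater (exupd) - Example Corp - C:\Program Files\Example\updater.exe
O23 - Service: Example Helper (exhlp) - Unknown owner - C:\WINDOWS\system32\exhelper.exe
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

On the sample the script reports the proxy, the bare-filename AtiPTA entry, the orphaned perfmons service and the unknown-owner helper, and stays silent on the quoted AVP path and the vendor-named updater. The "(file missing)" case is exactly the state the thread's FixServices.bat resolved with sc delete.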
Old 01-12-2008, 10:56 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,237
OS: 2000 Pro; XP Pro; XP Home


Re: perfs.exe, routing.exe - how do I get rid of them?

Clean log!


Your logs appear clean. You should be good to go. We still have a few items to address.

C:\Deckard is DSS's working folder. You can safely delete it. Also delete dss.exe.

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache in a little while.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Clear & Reset System Restore's Cache
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK


Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them already:
  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • IE-SpyAd - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. An installation tutorial is available here.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    See this link for a listing of some online antivirus scanners:

    Anti-Spyware Tutorial
  • FIREWALL
    If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here

    Do not install more than one firewall program because they will conflict with each other.

Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting, and this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
tetonbob is offline  
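The MVPS HOSTS file recommended above works because Windows consults HOSTS before DNS, so any name mapped to 127.0.0.1 or 0.0.0.0 never leaves the machine. Malware uses the same file the other way round: to block security-vendor update hosts, or to point a name at an address of its choosing. As an added example (not the MVPS file or its mvps.bat, and not something posted in this thread), here is a Python script that parses a HOSTS file and reports the entries that do something other than block: names redirected to a real address, and watched domains that a blocking file should never touch. The sample file and the watch-list domains (example-av.test, example-bank.test) are constructed placeholders, and 203.0.113.9 is a documentation address.

```python
"""Audit a Windows HOSTS file (added example; not the MVPS file or its
mvps.bat, and not posted in this thread). A blocking HOSTS file maps unwanted
names to 127.0.0.1 or 0.0.0.0; malware uses the same file to block security
vendors or to point names at another address. The sample file and the
watch-list domains below are constructed placeholders."""
import ipaddress

# RFC 1918 ranges, checked explicitly because ipaddress.is_private also
# matches the documentation range (203.0.113.0/24) used in the sample.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text):
    """Return [(address, [hostnames...]), ...]; comments and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing/whole-line comments
        fields = line.split()
        if len(fields) >= 2:                  # an address alone is malformed, skip it
            entries.append((fields[0], [h.lower() for h in fields[1:]]))
    return entries


def audit_hosts(text, watch_domains):
    """Return (blocked_count, findings).

    blocked_count: names sent to loopback/0.0.0.0, i.e. the ad/tracker blocking
    the file exists for ("localhost" itself is not counted).
    findings: (kind, address, hostnames) where kind is
      "blocked-watched" - a watched domain is being blocked (e.g. AV updates),
      "redirected"      - names sent to an address outside this machine/LAN,
      "lan-entry"       - names sent to a LAN address (usually a printer/NAS),
      "malformed"       - first field is not an IP address.
    """
    watch = tuple(d.lower() for d in watch_domains)
    suffixes = tuple("." + d for d in watch)
    blocked = 0
    findings = []
    for address, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append(("malformed", address, names))
            continue
        if addr.is_loopback or addr.is_unspecified:
            blocked += sum(1 for n in names if n != "localhost")
            hits = [n for n in names if n in watch or n.endswith(suffixes)]
            if hits:
                findings.append(("blocked-watched", address, hits))
        elif any(addr in net for net in LAN_NETS):
            findings.append(("lan-entry", address, names))
        else:
            findings.append(("redirected", address, names))
    return blocked, findings


# Constructed sample modelled on a blocking HOSTS file.
SAMPLE_HOSTS = """\
# constructed sample, not the MVPS file
127.0.0.1    localhost
127.0.0.1    ads.example.net  banners.example.net
0.0.0.0      tracker.example.org
192.168.1.5  printer.lan              # ordinary LAN entry
127.0.0.1    update.example-av.test   # would silently block AV updates
203.0.113.9  www.example-bank.test    # would send logins to another host
"""
WATCH_DOMAINS = ["example-av.test", "example-bank.test"]   # hypothetical placeholders

if __name__ == "__main__":
    count, issues = audit_hosts(SAMPLE_HOSTS, WATCH_DOMAINS)
    print(f"{count} names blocked")
    for kind, address, names in issues:
        print(f"{kind:16} {address:14} {' '.join(names)}")
```

In practice the watch list would hold the update domains of whatever antivirus is installed and any site the user signs in to; the ad and tracker entries that MVPS adds come back only in the blocked count, while the last two sample lines are the patterns a hijacked HOSTS file shows.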
Old 01-12-2008, 11:14 PM   #11 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 6
OS: Windows XP Home SP2


Re: perfs.exe, routing.exe - how do I get rid of them?

Thank you.
gotosleep is offline  