fkrootkits Posted October 19, 2010 ID:329828

Computer is not slow at all, but I still believe critical processes have been hijacked. My HJT log: also, I long disabled Windows Live at the startup process, but somehow WLIDSVC.exe and WLIDSVCM.exe run. I understand it is a Windows process, but I think this is questionable behavior. AppleMobileDevice is in Task Manager as well; I shut down that process and it keeps coming back. The HJT log and DDS:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:02:55 AM, on 10/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item:
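As an added example that is not from this thread and not part of HijackThis itself: a small Python script that parses lines in the HJT log format posted above and flags the kinds of entries a reviewer looks at first (a ProxyServer pointing at 127.0.0.1, a URLSearchHook with no file, a Run value that names a bare file such as SOUNDMAN.EXE, a loose .exe in the Startup folder). The sample log and the rules are constructed assumptions for illustration; a flagged entry means "verify", not "malicious".

```python
"""Mechanical first-pass triage of HijackThis (HJT) log lines.

Added example, not from the thread and not HijackThis code. The rules are
this example's own assumptions about what deserves a second look; they
never decide that an entry is malicious, only that it should be verified.
"""
import re
from typing import Dict, List

# Constructed sample: a handful of lines in the shape of the HJT log above,
# chosen so that every rule below fires at least once.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:02:55 AM, on 10/19/2010

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
"""

# Every HJT finding line starts with a section code (R0-R3, O1-O24, F0-F3).
ENTRY_RE = re.compile(r"^(?P<kind>[ROF]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
LOOPBACK = {"127.0.0.1", "localhost"}


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a log into {kind, body} entries, ignoring header and blank lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"kind": m.group("kind"), "body": m.group("body")})
    return entries


def _executable(cmd: str) -> str:
    """Return the program part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply a few review heuristics; each finding names the entry and why."""
    findings: List[Dict[str, str]] = []

    def flag(code: str, entry: Dict[str, str], why: str) -> None:
        findings.append({"code": code, "kind": entry["kind"],
                         "body": entry["body"], "why": why})

    for e in entries:
        kind, body = e["kind"], e["body"]
        if kind == "R1":
            key, _, value = body.partition(" = ")
            # "host:port" form only; a per-protocol list is not parsed here.
            host = value.strip().rsplit(":", 1)[0]
            if key.endswith(",ProxyServer") and host in LOOPBACK:
                flag("loopback-proxy", e,
                     "IE traffic is routed through a proxy on this machine; "
                     "identify the program listening on that port before "
                     "deciding whether it belongs (security suites, debugging "
                     "proxies and malware all do this)")
        elif kind == "R3" and "(no file)" in body:
            flag("orphaned-hook", e,
                 "URLSearchHook is registered but its file is gone; an "
                 "orphaned entry, harmless but worth cleaning up")
        elif kind == "O4":
            location, _, rest = body.partition(": ")
            if "Run" in location:
                m = RUN_RE.match(rest)
                exe = _executable(m.group("cmd")) if m else ""
                if exe and "\\" not in exe:
                    flag("bare-filename", e,
                         "Run value names a bare file, so Windows resolves it "
                         "by search path; confirm which copy actually runs")
            elif "Startup" in location:
                if " = " not in rest and rest.lower().endswith(".exe"):
                    flag("loose-startup-exe", e,
                         "an executable sits directly in the Startup folder "
                         "rather than a shortcut; confirm what installed it")
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f['code']}] {f['kind']} - {f['body']}\n    {f['why']}")
```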
fkrootkits (Author) Posted October 19, 2010 ID:329848

Attached both "attach.txt" and "ark.txt" GMER logs here: Attach.zip
Maniac Posted October 19, 2010 ID:329908

Hello fkrootkits! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

- The process of cleaning your system may take some time, so please be patient.
- Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
- Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
- Instructions that I give are for your system only!
- If you don't know or can't understand something, please ask.
- Do not install or uninstall any software or hardware while we work on it.
- Keep me informed about any changes.

> my HJT log, also, I long-disabled windows live at startup process, but somehow WLIDSVC.exe and WLIDSVCM.exe run I understand it is a windows process but I think this is questionable behavior. AppleMobileDevice in task manager as well, I shutdown that process and it keeps coming back.

You can shut them down using Microsoft's System Configuration Utility. More information here: http://netsquirrel.com/msconfig/msconfig_xp.html

I have a question for you: do you have a license for ESET Smart Security?

Now:

Step 1
Please uninstall the following applications:
Uniblue RegistryBooster

You can read how to do this here:
Windows XP
Windows Vista
Windows 7

Step 2
Going over your logs I noticed that you have
fkrootkits (Author) Posted October 19, 2010 ID:329935

Indeed, that is what I had done before: I disabled iTunes Helper from msconfig, but somehow it's still a process in the Task Manager. Will uninstall Uniblue. As far as ESET, I only installed the Smart Security 30-day trial today, so no legit license, prior to running those scans w/ updated signatures. Also, while said file-sharing programs can be easy places to get infected and whatnot, I remember I was browsing and a Java applet started and it launched Windows Media Player - strange behavior no doubt. I went on to uninstall Java, the updated version. I will run MB quick scan, will get back to you shortly with the logs.
fkrootkits (Author) Posted October 19, 2010 ID:329970

Ok, here are the logs you requested. MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4884

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

10/19/2010 12:56:23 PM
mbam-log-2010-10-19 (12-56-23).txt

Scan type: Quick scan
Objects scanned: 165764
Time elapsed: 7 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

AND new DDS log:

DDS (Ver_10-10-10.03) - NTFSx86
Run by Compu at 12:59:29.82 on Tue 10/19/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.988 [GMT -7:00]

AV: ESET Smart Security 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Documents and Settings\Compu\Desktop\PC\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [soundMan] SOUNDMAN.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\compu\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\documents and settings\compu\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup & record\uBBMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE:
fkrootkits (Author) Posted October 19, 2010 ID:330000

Also, I want to mention the "wdfmgr.exe" running in the background; it seems new to me, not sure what this is, but just doing research it seems to have all or most of the characteristics of W32/Agobot-TB. Link: http://www.sophos.com/security/analyses/viruses-and-spyware/w32agobottb.html

"W32/Agobot-TB is a worm with backdoor functionality for the Windows platform.
W32/Agobot-TB runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.
When first run W32/Agobot-TB copies itself to <Windows system folder>\wdfmgr.exe.
The following registry entries are created to run wdfmgr.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MS_Update Check
wdfmgr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MS_Update Check
wdfmgr.exe"

Not sure what is going on now, but I thought I'd mention it since it seems to overwrite things, has a small footprint but is device-related. It might even cause AppleMobileDevice.exe and the aforementioned WLIDSVC.EXE / WLIDSVCM.EXE processes to act as helpers, or could AppleMobileDevice.exe be a Bonjour-related process?
Maniac Posted October 20, 2010 ID:330285

Let's check this out!

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

**Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.**

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**

- If you are using Firefox, make sure that your download settings are as follows: open Tools -> Options -> Main tab and set it to "Always ask me where to Save the files".
- During the download, rename Combofix to Combo-Fix as follows:
- It is important you rename Combofix during the download, but not after.
- Please do not rename Combofix to other names, but only to the one indicated.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause unpredictable results. Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------

Close any open browsers.

WARNING: Combofix will disconnect your machine from the Internet as soon as it starts. Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

- Double click on combo-Fix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall.**
fkrootkits (Author) Posted October 20, 2010 ID:330415

Hey Borislav, the log looks much better. I knew Find3m had infected items and they would not go away. Have a look at the new log. Also, by default Combo-Fix saved the log file to C:\ComboFix and not C:\combo-fix as instructed.

ComboFix 10-10-19.04 - Compu 10/20/2010 7:06.8.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1021 [GMT -7:00]
Running from: c:\documents and settings\Compu\Desktop\Combo-Fix.exe
AV: ESET Smart Security 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Compu\My Documents\backup.reg
.
((((((((((((((((((((((((( Files Created from 2010-09-20 to 2010-10-20 )))))))))))))))))))))))))))))))
.
2010-10-17 10:34 897024 c:\windows\Installer\{20ACB2F8-3BCA-45A8-80A2-9D3CB5C25F43}\SafariIco.exe- 2010-09-09 05:19 . 2010-09-09 05:19 897024 c:\windows\Installer\{20ACB2F8-3BCA-45A8-80A2-9D3CB5C25F43}\SafariIco.exe+ 2008-07-29 15:05 . 2008-07-29 15:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll- 2008-07-29 16:05 . 2008-07-29 16:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll+ 2008-07-29 15:05 . 2008-07-29 15:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll- 2008-07-29 16:05 . 2008-07-29 16:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll.-- Snapshot reset to current date --.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Google Update"="c:\documents and settings\Compu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-05-26 136176][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2010-07-08 49152]"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-08-26 98304]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-22 1778064]"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-08-12 
2215064]c:\documents and settings\Compu\Start Menu\Programs\Startup\Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]c:\documents and settings\All Users\Start Menu\Programs\Startup\TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2009-9-19 278528][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]@=""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]@="Driver"[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnkbackup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Online Backup Status.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Online Backup Status.lnkbackup=c:\windows\pss\McAfee Online Backup Status.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^Compu^Start Menu^Programs^Startup^IDrive Tray.lnk]path=c:\documents and settings\Compu\Start Menu\Programs\Startup\IDrive Tray.lnkbackup=c:\windows\pss\IDrive Tray.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Compu^Start Menu^Programs^Startup^MagicDisc.lnk]path=c:\documents and settings\Compu\Start Menu\Programs\Startup\MagicDisc.lnkbackup=c:\windows\pss\MagicDisc.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Compu^Start Menu^Programs^Startup^PPS.lnk]path=c:\documents and settings\Compu\Start Menu\Programs\Startup\PPS.lnkbackup=c:\windows\pss\PPS.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Compu^Start 
Menu^Programs^Startup^Secunia PSI.lnk]path=c:\documents and settings\Compu\Start Menu\Programs\Startup\Secunia PSI.lnkbackup=c:\windows\pss\Secunia PSI.lnkStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]2010-03-04 21:31 311296 ----a-w- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Diamondback]2010-07-08 04:26 147456 -c--a-w- c:\program files\Razer\Diamondback 3G\razerhid.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]2010-05-26 21:22 136176 ----atw- c:\documents and settings\Compu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDriveE Startup]2010-04-23 02:05 177608 -c--a-w- c:\program files\IDrive\IDrvieEStartup.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]2010-09-24 09:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JumiController]2010-03-27 10:01 1727488 -c--a-w- c:\program files\Jumi\jumi.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Livestation]2010-07-08 04:18 4431872 -c--a-w- c:\program files\Livestation\Livestation.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]2010-07-08 04:20 53248 -c--a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]2010-07-08 04:20 135168 -c--a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]2010-04-17 05:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerBlock]2009-09-28 09:02 1524824 ----a-w- c:\program 
files\PeerBlock\peerblock.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPAP]2010-04-26 09:09 185800 ----a-w- c:\program files\Common Files\PPLiveNetwork\PPAP.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recordpad]2009-11-08 20:27 913412 -c--a-w- c:\program files\NCH Swift Sound\Recordpad\recordpad.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SRS Audio Sandbox]2010-01-07 17:43 3216664 ----a-w- c:\program files\SRS Labs\Audio Sandbox\SRSSSC.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]2010-09-28 08:52 1242448 ----a-w- c:\program files\Steam\Steam.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]2010-09-01 06:35 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"IDriveWebM"=2 (0x2)"IDriveE Service"=2 (0x2)"O&O Defrag"=2 (0x2)"PnkBstrA"=2 (0x2)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\NovaLogic\\Delta Force Land Warrior\\Update.exe"="c:\\Program Files\\NovaLogic\\Delta Force Land Warrior\\DFLW.EXE"="c:\\Program Files\\Ventrilo\\Ventrilo.exe"="c:\\Program Files\\Messenger\\msmsgs.exe"="c:\\Program Files\\uTorrent\\uTorrent.exe"="c:\\Program Files\\PPLive\\PPTV\\PPLive.exe"="c:\\Program Files\\Common Files\\PPLiveNetwork\\PPAP.exe"="c:\\Program Files\\PPLive\\PPTV\\PPLiveU.exe"="c:\\Program Files\\uusee\\UUSeePlayer.exe"="c:\\Program Files\\PPStream\\PPStream.exe"="c:\\Program Files\\PPStream\\PPSAP.exe"="c:\\Program Files\\Opera\\opera.exe"="c:\\WINDOWS\\system32\\PnkBstrA.exe"="c:\\WINDOWS\\system32\\PnkBstrB.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program 
Files\\Steam\\Steam.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="c:\\Program Files\\NovaLogic\\Joint Operations Typhoon Rising\\Jointops.exe"="c:\\Program Files\\iTunes\\iTunes.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"65533:TCP"= 65533:TCP:Services"52344:TCP"= 52344:TCP:Services"3246:TCP"= 3246:TCP:Services"2479:TCP"= 2479:TCP:Services"3389:TCP"= 3389:TCP:Remote Desktop"8000:UDP"= 8000:UDP:SPF Port 8000 UDP"8000:TCP"= 8000:TCP:SPF Port 8000 TCP"8001:UDP"= 8001:UDP:SPF Port 8001 UDP"8001:TCP"= 8001:TCP:SPF Port 8001 TCPR0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/17/2010 1:19 AM 218592]R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 1:31 PM 115008]R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [10/19/2010 6:42 PM 142592]R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [10/17/2010 1:38 AM 112592]R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [8/12/2010 2:16 PM 810144]R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [6/22/2010 6:19 PM 10448]R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 10:07 AM 35088]R3 jumi;%Jumi%;c:\windows\system32\drivers\jumi.sys [7/23/2009 12:07 PM 6528]R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [2/20/2010 9:37 PM 17792]S2 0018391273802443mcinstcleanup;McAfee Application Installer Cleanup (0018391273802443); [x]S2 0073951274376103mcinstcleanup;McAfee Application Installer Cleanup (0073951274376103); [x]S2 0092291273523744mcinstcleanup;McAfee Application Installer Cleanup (0092291273523744); [x]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 
[3/18/2010 1:16 PM 130384]S3 appliandMP;appliandMP; [x]S3 cpuz133;cpuz133;\??\c:\docume~1\Compu\LOCALS~1\Temp\cpuz133\cpuz133_x32.sys --> c:\docume~1\Compu\LOCALS~1\Temp\cpuz133\cpuz133_x32.sys [?]S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [3/28/2010 6:55 PM 23456]S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [6/14/2010 5:13 PM 14424]S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 7:05 AM 14904]S3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [8/23/2009 7:34 PM 13225]S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [12/1/2009 4:49 PM 34384]S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/17/2010 1:19 AM 366840]S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]S4 IDriveE Service;IDriveE Service;c:\program files\IDrive\IDriveE Service.exe [12/29/2009 9:08 AM 148936]S4 IDriveWebM;IDrive WebManager;c:\program files\IDrive\IDriveWebM.exe [7/9/2010 1:18 PM 267720]S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/13/2010 12:24 AM 691696].Contents of the 'Scheduled Tasks' folder2010-10-10 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]2010-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-879983540-839522115-1004Core.job- c:\documents and settings\Compu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-26 21:22]2010-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-879983540-839522115-1004UA.job- c:\documents and settings\Compu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-26 21:22]2010-10-14 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job- c:\program files\Microsoft IntelliType Pro\itype.exe [2010-07-22 00:07]2010-10-20 
c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1123561945-879983540-839522115-1004.job- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]2010-10-20 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1123561945-879983540-839522115-1004.job- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]2010-10-20 c:\windows\Tasks\SDMsgUpdate (TE).job- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2010-04-08 04:33]..------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/uInternet Settings,ProxyServer = 127.0.0.1:8080uInternet Settings,ProxyOverride = local;*.localuSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.comIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000IE: ʹ Link to post Share on other sites More sharing options...
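A helper reading the log above looks past the WinSxS diff noise to a handful of entries: the standard-profile Windows Firewall is off, four TCP ports (65533, 52344, 3246, 2479) are globally open under nothing more than the generic label "Services", 3389 (Remote Desktop) is open too, three McAfee cleanup services and appliandMP point at files that no longer exist ([x]), cpuz133 loads a kernel driver out of the user's Temp folder, and Internet Explorer is proxied through 127.0.0.1:8080. The script below is an added triage example for this thread; it is not ComboFix code and not something the poster or the helper ran. It parses the service lines and the sharedaccess firewall-policy keys in the format ComboFix prints and returns the entries worth a question. The sample input is a constructed excerpt of the lines posted above; the flag rules, the ephemeral-port threshold and the Finding layout are this example's own.

```python
"""Triage a ComboFix 'Reg Loading Points' dump for entries worth a question.

Added example for this thread; not ComboFix code. The flag rules below are a
starting point for a human reviewer, not a verdict on any single entry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt: the lines are copied from the posted log, the selection is ours.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"8000:UDP"= 8000:UDP:SPF Port 8000 UDP

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 1:31 PM 115008]
S2 0018391273802443mcinstcleanup;McAfee Application Installer Cleanup (0018391273802443); [x]
S3 cpuz133;cpuz133;\??\c:\docume~1\Compu\LOCALS~1\Temp\cpuz133\cpuz133_x32.sys --> c:\docume~1\Compu\LOCALS~1\Temp\cpuz133\cpuz133_x32.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/13/2010 12:24 AM 691696]
uInternet Settings,ProxyServer = 127.0.0.1:8080
"""

# ComboFix service line: "<start> <name>;<display name>;<image path> [<date> <size>]",
# with "[x]" when the image file is missing and "[?]" when it could not be checked.
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
TAG_RE = re.compile(r"\[(?P<tag>[^\]]*)\]\s*$")
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<label>.*)$')
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<proxy>\S+)$")

EPHEMERAL_START = 49152  # example's own threshold: fixed, published services rarely sit this high


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = act on it, "review" = ask the poster about it
    subject: str
    reason: str


def _check_service(m: re.Match) -> list[Finding]:
    start, name = m.group("start"), m.group("name")
    rest = m.group("rest").strip()
    tm = TAG_RE.search(rest)
    tag = tm.group("tag") if tm else ""
    path = rest[: tm.start()].strip() if tm else rest
    if "-->" in path:  # ComboFix prints "<registered path> --> <resolved path>"
        path = path.split("-->", 1)[1].strip()
    out: list[Finding] = []
    if tag == "x":
        out.append(Finding("review", name, f"start type {start} but the image file is missing (orphaned entry)"))
    elif tag == "?":
        out.append(Finding("review", name, "image file could not be verified by the scanner"))
    if re.search(r"\\temp\\", path, re.IGNORECASE):
        out.append(Finding("high", name, f"kernel driver or service loads from a Temp directory: {path}"))
    return out


def triage(log_text: str) -> list[Finding]:
    """Walk the dump once, tracking the current registry key for key-scoped checks."""
    findings: list[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group("key").lower()
            continue
        sm = SERVICE_RE.match(line)
        if sm:
            findings.extend(_check_service(sm))
            continue
        pm = PROXY_RE.match(line)
        if pm:
            proxy = pm.group("proxy")
            if proxy.startswith(("127.", "localhost")):
                findings.append(Finding("review", "ProxyServer",
                                        f"IE traffic goes through a loopback proxy at {proxy}; identify the listener"))
            continue
        if key.endswith("firewallpolicy\\standardprofile"):
            fm = FIREWALL_RE.match(line)
            if fm and int(fm.group("value")) == 0:
                findings.append(Finding("high", "EnableFirewall", "Windows Firewall is off in the standard profile"))
        elif key.endswith("globallyopenports\\list"):
            pom = PORT_RE.match(line)
            if not pom:
                continue
            port, proto, label = int(pom.group("port")), pom.group("proto"), pom.group("label").strip()
            if port == 3389:
                findings.append(Finding("review", f"{port}/{proto}", "Remote Desktop is open to the network; confirm it is wanted"))
            elif label == "Services" or port >= EPHEMERAL_START:
                findings.append(Finding("review", f"{port}/{proto}",
                                        f"globally open port with only a generic label ({label!r}); no program claims it"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.subject}: {f.reason}")
```

A flag is a prompt to verify, not a verdict: CPU-Z legitimately drops its driver into %TEMP% when it runs, and a loopback proxy can belong to a local filtering tool, so the next step on the machine itself is `netstat -ano` to see which PID listens on 8080 and on the four "Services" ports, then matching those PIDs against the running process list. The orphaned `[x]` entries are safe to remove; they cannot start, but they should not be left behind either.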
fkrootkits (Author) Posted October 20, 2010 ID:330431

I also ran a GMER scan and the items are questionable there as well. I don't know how to proceed, because when I run Spyware Doctor it still finds downloader-trojan.Murlo registry entries along the lines of .. HKEY.. LEGACY CATCHME 0000 or something, and there are several of these.

ark.zip
fkrootkits (Author) Posted October 20, 2010 ID:330435

I want to mention that the PC locks up at shutdown during the "Saving settings..." screen and I have to manually turn it off (ever since I uninstalled Uniblue). It never did this before; unsure what else could be wrong, mate.
Maniac Posted October 23, 2010 ID:332216

> I also ran a GMER scan and the items are questionable there as well. I don't know how to proceed because running Spyware Doctor it still finds downloader-trojan.Murlo registry entries along the lines of .. HKEY.. LEGACY CATCHME 0000 or something and there are several of these.

It's not malware, it's a legitimate file used by ComboFix. I don't recommend Spyware Doctor!

> want to mention that pc locks up @ shutoff during the "Saving settings..." screen and have to manually turn it off (ever since I uninstalled Uniblue). Never did this before unsure what else could be wrong mate.

See here: http://www.aumha.org/win5/a/shtdwnxp.php

Uniblue is crap! More information here:

Now:

Please download Rootkit Unhooker and save it to your desktop.
Double-click RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check Drivers, Stealth Code, Files, and Code Hooks.
Uncheck the rest, then click OK.
When prompted to Select Disks for Scan, make sure C:\ is checked and click OK.
Wait till the scanner has finished, then go File > Save Report.
Save the report somewhere you can find it, typically your desktop. Click Close.
Copy the entire contents of the report and paste it in your next reply.

Note - You may get this warning; it is ok, just ignore it.
"Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"