

The computer is not slow at all, but I still believe critical processes have been hijacked. Regarding my HJT log: I long ago disabled Windows Live as a startup process, but somehow WLIDSVC.exe and WLIDSVCM.exe run. I understand it is a Windows process, but I think this is questionable behavior. AppleMobileDevice is in Task Manager as well; I shut down that process and it keeps coming back. The HJT log and DDS:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 8:02:55 AM, on 10/19/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Logitech\SetPointP\SetPoint.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\ESET\ESET Smart Security\ekrn.exe

C:\Program Files\ESET\ESET Smart Security\egui.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local

R3 - URLSearchHook: (no name) - - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: ʹ


Hello fkrootkits! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. An absence of symptoms does not mean that everything is okay.
  • The instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we are working on this.
  • Keep me informed about any changes.

Regarding my HJT log: I long ago disabled Windows Live as a startup process, but somehow WLIDSVC.exe and WLIDSVCM.exe run. I understand it is a Windows process, but I think this is questionable behavior. AppleMobileDevice is in Task Manager as well; I shut down that process and it keeps coming back.

You can shut them down using Microsoft's System Configuration Utility. More information here:

http://netsquirrel.com/msconfig/msconfig_xp.html

I have question for you: Do you have license for ESET Smart Security?

Now:

Step 1

Please, uninstall the following applications:

  1. Uniblue RegistryBooster

You can read how to do this here:

Step 2

Going over your logs I noticed that you have


Indeed, that is what I had done before: I disabled iTunes Helper from msconfig, but somehow it's still a process in the Task Manager. I will uninstall Uniblue. As far as ESET, I only installed the Smart Security 30-day trial today, so no legit license, prior to running those scans with updated signatures. Also, while said file-sharing programs can be easy places to get infected and whatnot, I remember I was browsing and a Java applet started and launched Windows Media Player; strange behavior, no doubt. I went on to uninstall Java, the updated version. I will run the MB quick scan and will get back to you shortly with the logs.


Ok here are the logs you requested MBAM log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4884

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

10/19/2010 12:56:23 PM

mbam-log-2010-10-19 (12-56-23).txt

Scan type: Quick scan

Objects scanned: 165764

Time elapsed: 7 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

AND new DDS log:

DDS (Ver_10-10-10.03) - NTFSx86

Run by Compu at 12:59:29.82 on Tue 10/19/2010

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.988 [GMT -7:00]

AV: ESET Smart Security 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Logitech\SetPointP\SetPoint.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\ESET\ESET Smart Security\egui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\ESET\ESET Smart Security\ekrn.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Documents and Settings\Compu\Desktop\PC\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyServer = 127.0.0.1:8080

uInternet Settings,ProxyOverride = local;*.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

uURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"

mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [soundMan] SOUNDMAN.EXE

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice

StartupFolder: c:\docume~1\compu\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\documents and settings\compu\start menu\programs\startup\PowerReg Scheduler.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup & record\uBBMonitor.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: ʹ


Also, I want to mention the "wdfmgr.exe" running in the background. It seems new to me, and I'm not sure what this is, but from doing research it seems to have all or most of the characteristics of W32/Agobot-TB. Link: http://www.sophos.com/security/analyses/viruses-and-spyware/w32agobottb.html

"W32/Agobot-TB is a worm with backdoor functionality for the Windows platform.

W32/Agobot-TB runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.

When first run W32/Agobot-TB copies itself to <Windows system folder>\wdfmgr.exe.

The following registry entries are created to run wdfmgr.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

MS_Update Check

wdfmgr.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

MS_Update Check

wdfmgr.exe" Not sure what is going on now, but I thought I'd mention it since it seems to overwrite things; it has a small footprint but is device-related. It might even cause AppleMobileDevice.exe and the aforementioned WLIDSVC.EXE / WLIDSVCM.EXE processes to act as helpers, or could AppleMobileDevice.exe be a Bonjour-related process?

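An added triage example, written for this page and not code from the thread, HijackThis, Sophos, ESET or Malwarebytes. It parses HijackThis-style R1/R3/O4 lines in the format of the log posted above and flags the indicators this thread turns on: the IE proxy pointing at a loopback address, registry entries whose target file is gone, Run/RunServices values that name a bare executable (resolved by PATH search rather than a full path), and the exact value-name/file-name pair (`MS_Update Check` running `wdfmgr.exe`) that the quoted Sophos write-up attributes to W32/Agobot-TB. The names `SAMPLE_LOG`, `triage`, `triage_line`, `command_executable` and `Finding` are the example's own. The sample lines are constructed for the demonstration; the two `MS_Update Check` lines are lifted from the Sophos description so the high-severity match can be seen firing, and the O4 entries visible in the poster's HJT log contain no such value.

```python
"""Triage HijackThis-style log lines for a few of the indicators discussed in
this thread.  Added example written for this page; not HijackThis, Sophos,
ESET or Malwarebytes code."""
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the line formats in the thread's HJT
# log.  The two "MS_Update Check" lines reproduce the persistence entries the
# quoted Sophos write-up attributes to W32/Agobot-TB; they are here so the
# high-severity match can be seen firing and are not from the poster's log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [MS_Update Check] wdfmgr.exe
O4 - HKLM\..\RunServices: [MS_Update Check] wdfmgr.exe
O4 - Startup: PowerReg Scheduler.exe
"""

# Value name and file name that the Sophos W32/Agobot-TB description quoted in
# the thread says the worm writes under ...\CurrentVersion\Run and RunServices.
AGOBOT_TB_PERSISTENCE = ("ms_update check", "wdfmgr.exe")
LOOPBACK_HOSTS = {"127.0.0.1", "localhost"}

HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# O4 Run-key entry:  HKLM\..\Run: [ValueName] command line
O4_RUNKEY = re.compile(r"^HK(?:LM|CU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROXY_SERVER = re.compile(r"Internet Settings,ProxyServer = (?P<proxy>\S+)")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high": matches a documented indicator; "review": verify by hand
    line: str
    reason: str


def command_executable(cmd):
    """First token of a Run-key command line, with surrounding quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line):
    """Return a Finding for one HJT log line, or None if nothing stands out."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code == "R1":
        pm = PROXY_SERVER.search(body)
        if pm and pm.group("proxy").split(":")[0].lower() in LOOPBACK_HOSTS:
            return Finding("review", line,
                           "IE proxy points at loopback; identify the local process listening on that port")
    if "(no file)" in body:
        return Finding("review", line,
                       "orphaned entry: the registry value points at a file that is not on disk")
    if code == "O4":
        om = O4_RUNKEY.match(body)
        if om:
            name, exe = om.group("name"), command_executable(om.group("cmd"))
            if (name.lower(), exe.lower()) == AGOBOT_TB_PERSISTENCE:
                return Finding("high", line,
                               f"{om.group('key')} value matches the W32/Agobot-TB persistence described by Sophos")
            if "\\" not in exe:
                return Finding("review", line,
                               f"bare file name {exe!r} is resolved by PATH search; locate it and check its signature")
    return None


def triage(log_text):
    """All findings for a whole log, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

"review" means "go and look", not "malicious": the poster's own log has `O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE`, a bare file name that trips the same check even though C:\WINDOWS\SOUNDMAN.EXE is the Realtek sound manager listed among the running processes. The follow-up for any flagged file is to locate it on disk and check its version information and digital signature; for the loopback proxy, `netstat -ano` on XP shows which PID owns the listening port, which answers whether a security product or something else put that proxy there.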

Let's check this out!

**Note: If you need more detailed information, please visit the ComboFix page on BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved and renamed, following this process, directly to your desktop.**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

  2. During the download, rename ComboFix to Combo-Fix as follows:
  3. It is important that you rename ComboFix during the download, but not after.
  4. Please do not rename ComboFix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double-click on Combo-Fix.exe and follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**


Hey Borislav, the log looks much better. I knew Find3M had infected items and they would not go away. Have a look at the new log. Also, by default Combo-Fix saved the log file to C:\ComboFix and not C:\Combo-Fix as you had instructed.

ComboFix 10-10-19.04 - Compu 10/20/2010 7:06.8.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1021 [GMT -7:00]

Running from: c:\documents and settings\Compu\Desktop\Combo-Fix.exe

AV: ESET Smart Security 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Compu\My Documents\backup.reg

.

((((((((((((((((((((((((( Files Created from 2010-09-20 to 2010-10-20 )))))))))))))))))))))))))))))))

.

2010-10-20 01:42 . 2010-10-20 01:42 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys

2010-10-20 01:42 . 2010-10-20 02:06 -------- d-----w- c:\documents and settings\Compu\Application Data\Spyware Terminator

2010-10-20 01:42 . 2010-10-20 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator

2010-10-20 01:42 . 2010-10-20 02:05 -------- d-----w- c:\program files\Spyware Terminator

2010-10-20 01:04 . 2010-10-20 01:50 -------- d-----w- c:\documents and settings\Compu\Application Data\ScanSpyware

2010-10-19 22:42 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\mouhid.sys

2010-10-19 14:09 . 2010-10-19 14:09 -------- d-----w- c:\documents and settings\Compu\Local Settings\Application Data\ESET

2010-10-19 14:09 . 2010-10-19 14:09 -------- d-----w- c:\documents and settings\Compu\Application Data\ESET

2010-10-19 14:08 . 2010-10-19 14:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET

2010-10-19 14:07 . 2010-10-19 14:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2010-10-19 12:22 . 2010-10-19 12:22 2067128 ----a-w- C:\kavremvr.exe

2010-10-19 12:19 . 2010-10-19 12:19 2247352 ----a-w- C:\kavremover.exe

2010-10-18 15:32 . 2010-10-19 14:07 -------- d-----w- c:\program files\ESET

2010-10-17 10:32 . 2010-10-17 10:32 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer

2010-10-17 10:28 . 2010-10-17 10:32 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer

2010-10-17 09:01 . 2010-10-17 09:01 -------- d-----w- c:\documents and settings\Compu\Local Settings\Application Data\Help

2010-10-17 09:00 . 2010-10-17 09:00 -------- d-----w- c:\documents and settings\Compu\Local Settings\Application Data\Threat Expert

2010-10-17 08:38 . 2010-01-22 16:56 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-10-17 08:38 . 2010-01-22 16:56 165840 ----a-w- c:\windows\PCTBDRes.dll

2010-10-17 08:38 . 2010-01-22 16:56 1652688 ----a-w- c:\windows\PCTBDCore.dll

2010-10-17 08:38 . 2010-01-22 16:55 767952 ----a-w- c:\windows\BDTSupport.dll

2010-10-17 08:19 . 2010-02-05 16:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2010-10-17 08:19 . 2010-10-17 09:09 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2010-10-17 08:19 . 2009-11-23 20:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2010-10-17 08:19 . 2010-10-17 09:09 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2010-10-17 08:19 . 2010-10-19 19:24 -------- d-----w- c:\program files\Spyware Doctor

2010-10-17 08:19 . 2010-10-17 08:38 -------- d-----w- c:\program files\Common Files\PC Tools

2010-10-17 08:19 . 2010-10-17 08:19 -------- d-----w- c:\documents and settings\Compu\Application Data\PC Tools

2010-10-17 08:19 . 2010-10-17 08:19 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-10-17 07:40 . 2010-10-17 07:40 388096 ----a-r- c:\documents and settings\Compu\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-10-16 18:15 . 2010-10-16 18:15 -------- d-----w- c:\documents and settings\Administrator

2010-10-14 09:03 . 2010-06-02 11:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll

2010-10-14 09:03 . 2010-06-02 11:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll

2010-10-14 09:03 . 2010-06-02 11:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll

2010-10-14 09:03 . 2010-05-26 18:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll

2010-10-14 09:03 . 2010-05-26 18:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll

2010-10-14 09:03 . 2010-05-26 18:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll

2010-10-14 09:03 . 2010-05-26 18:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll

2010-10-14 09:02 . 2010-05-26 18:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll

2010-10-14 06:40 . 2010-08-16 08:45 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll

2010-10-14 06:40 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-10-14 06:40 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-10-14 06:37 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

2010-10-14 06:34 . 2010-08-26 13:39 357248 -c----w- c:\windows\system32\dllcache\srv.sys

2010-10-14 06:31 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-10-14 06:29 . 2010-08-27 08:02 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

2010-10-14 06:29 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

2010-10-14 06:29 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-10-14 06:26 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll

2010-10-14 06:26 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll

2010-10-14 06:26 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll

2010-10-14 06:26 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe

2010-10-14 06:26 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll

2010-10-14 06:26 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll

2010-10-14 06:26 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll

2010-10-14 06:26 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

2010-10-14 06:26 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2010-10-14 06:26 . 2010-04-27 13:59 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2010-10-14 06:26 . 2010-04-28 02:25 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-10-14 06:26 . 2010-04-27 13:05 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2010-10-14 06:24 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll

2010-10-14 06:23 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-10-14 06:23 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys

2010-10-14 05:00 . 2008-04-14 05:57 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll

2010-10-14 05:00 . 2008-04-14 12:42 1306624 -c----w- c:\windows\system32\dllcache\msxml6.dll

2010-10-14 05:00 . 2008-04-14 05:57 79872 ----a-w- c:\windows\system32\msxml6r.dll

2010-10-14 04:54 . 2008-04-14 12:42 3901 ------w- c:\windows\system32\drivers\siint5.dll

2010-10-14 04:53 . 2006-12-29 07:31 19569 ----a-w- c:\windows\002859_.tmp

2010-10-14 04:44 . 2010-10-14 04:44 -------- d-----w- c:\windows\EHome

2010-10-14 02:44 . 2010-10-14 02:44 -------- d-----w- c:\program files\Microsoft IntelliType Pro

2010-10-13 04:40 . 2010-10-13 04:41 -------- d-----w- c:\program files\Wireshark

2010-10-11 10:06 . 2010-10-11 10:36 -------- d-----w- C:\123

2010-10-10 00:59 . 2010-10-10 00:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple

2010-09-28 10:28 . 2006-08-01 22:02 49152 ----a-w- c:\windows\system32\ChCfg.exe

2010-09-28 10:28 . 2008-09-24 17:40 4122368 ----a-r- c:\windows\system32\drivers\alcxwdm.sys

2010-09-28 10:28 . 2010-09-28 10:28 -------- d-----w- c:\program files\Realtek AC97

2010-09-28 10:27 . 2006-12-08 22:20 10528768 ----a-w- c:\windows\system32\RTLCPL.exe

2010-09-28 10:27 . 2007-04-16 22:28 577536 ----a-w- c:\windows\soundman.exe

2010-09-28 10:27 . 2006-11-17 12:40 18804736 ----a-w- c:\windows\system32\alsndmgr.cpl

2010-09-28 10:27 . 2006-10-18 09:53 147456 ----a-w- c:\windows\system32\RtlCPAPI.dll

2010-09-28 10:27 . 2006-07-31 18:27 217088 ----a-w- c:\windows\Alcrmv.exe

2010-09-28 10:27 . 2006-07-31 18:19 315392 ----a-w- c:\windows\alcupd.exe

2010-09-28 08:26 . 2010-09-28 08:27 -------- d-----w- c:\documents and settings\Compu\Application Data\Replay Media Catcher 4

2010-09-28 08:10 . 2010-09-28 08:10 -------- d-----w- c:\documents and settings\Compu\Local Settings\Application Data\Jaksta_Pty_Ltd

2010-09-28 08:07 . 2010-09-28 08:07 -------- d-----w- c:\program files\Applian Technologies

2010-09-26 14:35 . 2010-09-26 14:35 -------- d-----w- c:\program files\iPod

2010-09-25 15:38 . 2010-09-25 15:38 -------- d-----w- c:\windows\UltraDefrag

2010-09-24 07:49 . 2010-09-24 07:49 8704 ----a-w- c:\windows\system32\bootexctrl.exe

2010-09-24 07:49 . 2010-09-24 07:49 11776 ----a-w- c:\windows\system32\wgx.dll

2010-09-24 07:49 . 2010-09-24 07:49 24576 ----a-w- c:\windows\system32\udefrag.exe

2010-09-24 07:49 . 2010-09-24 07:49 14848 ----a-w- c:\windows\system32\lua5.1a_gui.exe

2010-09-24 07:49 . 2010-09-24 07:49 10752 ----a-w- c:\windows\system32\lua5.1a.exe

2010-09-24 07:48 . 2010-09-24 07:48 92160 ----a-w- c:\windows\system32\lua5.1a.dll

2010-09-24 07:48 . 2010-09-24 07:48 8192 ----a-w- c:\windows\system32\udefrag.dll

2010-09-24 07:48 . 2010-09-24 07:48 6144 ----a-w- c:\windows\system32\hibernate4win.exe

2010-09-24 07:48 . 2010-09-24 07:48 48640 ----a-w- c:\windows\system32\udefrag-kernel.dll

2010-09-24 07:48 . 2010-09-24 07:48 47104 ----a-w- c:\windows\system32\zenwinx.dll

2010-09-24 07:48 . 2010-09-24 07:48 88064 ----a-w- c:\windows\system32\defrag_native.exe

2010-09-23 01:10 . 2010-09-23 01:10 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

2010-09-23 01:10 . 2010-09-23 01:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((( SnapShot_2010-10-16_12.45.11 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-11-07 09:19 . 2007-11-07 09:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll

- 2007-11-07 10:19 . 2007-11-07 10:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll

+ 2008-07-29 15:05 . 2008-07-29 15:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll

- 2008-07-29 16:05 . 2008-07-29 16:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll

- 2008-07-29 16:05 . 2008-07-29 16:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll

+ 2008-07-29 15:05 . 2008-07-29 15:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll

+ 2008-07-29 15:05 . 2008-07-29 15:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll

- 2008-07-29 16:05 . 2008-07-29 16:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll

- 2008-07-29 16:05 . 2008-07-29 16:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll

+ 2008-07-29 15:05 . 2008-07-29 15:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll

+ 2008-07-29 15:05 . 2008-07-29 15:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll

- 2008-07-29 16:05 . 2008-07-29 16:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll

+ 2008-07-29 15:05 . 2008-07-29 15:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll

- 2008-07-29 16:05 . 2008-07-29 16:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll

+ 2008-07-29 15:05 . 2008-07-29 15:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll

- 2008-07-29 16:05 . 2008-07-29 16:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll

+ 2008-07-29 15:05 . 2008-07-29 15:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll

- 2008-07-29 16:05 . 2008-07-29 16:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll

- 2008-07-29 16:05 . 2008-07-29 16:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll

+ 2008-07-29 15:05 . 2008-07-29 15:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll

- 2008-07-29 16:05 . 2008-07-29 16:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll

+ 2008-07-29 15:05 . 2008-07-29 15:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll

+ 2008-07-29 15:05 . 2008-07-29 15:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll

- 2008-07-29 16:05 . 2008-07-29 16:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll

- 2008-07-29 14:07 . 2008-07-29 14:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll

+ 2008-07-29 13:07 . 2008-07-29 13:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll

- 2008-07-29 14:07 . 2008-07-29 14:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll

+ 2008-07-29 13:07 . 2008-07-29 13:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll

+ 2010-08-03 20:28 . 2010-08-03 20:28 55256 c:\windows\system32\drivers\epfwtdi.sys

+ 2010-07-29 20:31 . 2010-07-29 20:31 32608 c:\windows\system32\drivers\epfwndis.sys

- 2009-05-28 18:17 . 2010-10-16 11:10 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-05-28 18:17 . 2010-10-19 13:16 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-05-28 18:17 . 2010-10-19 13:16 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-05-28 18:17 . 2010-10-16 11:10 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2010-10-18 16:43 . 2010-10-19 13:16 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2010-10-19 14:08 . 2010-10-19 14:08 97384 c:\windows\Installer\{64FDE32B-72F5-445D-939B-8D3CD01CB388}\egui.exe

+ 2010-10-19 14:08 . 2010-10-19 14:08 10134 c:\windows\Installer\{64FDE32B-72F5-445D-939B-8D3CD01CB388}\callmsi.exe

+ 2008-07-29 15:05 . 2008-07-29 15:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll

- 2008-07-29 16:05 . 2008-07-29 16:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll

- 2008-07-29 16:05 . 2008-07-29 16:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll

+ 2008-07-29 15:05 . 2008-07-29 15:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll

+ 2008-07-29 10:54 . 2008-07-29 10:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll

- 2008-07-29 11:54 . 2008-07-29 11:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll

- 2008-07-29 16:05 . 2008-07-29 16:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll

+ 2008-07-29 15:05 . 2008-07-29 15:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll

+ 2010-07-29 20:31 . 2010-07-29 20:31 134512 c:\windows\system32\drivers\epfw.sys

+ 2010-07-29 20:31 . 2010-07-29 20:31 115008 c:\windows\system32\drivers\ehdrv.sys

+ 2010-08-04 18:50 . 2010-08-04 18:50 140752 c:\windows\system32\drivers\eamon.sys

+ 2010-04-22 18:58 . 2010-10-18 09:31 472808 c:\windows\system32\deployJava1.dll

- 2010-04-22 18:58 . 2010-10-13 11:32 472808 c:\windows\system32\deployJava1.dll

+ 2010-10-19 14:08 . 2010-10-19 14:08 970240 c:\windows\Installer\87319.msi

- 2010-09-26 14:37 . 2010-09-26 15:02 380928 c:\windows\Installer\{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}\iTunesIco.exe

+ 2010-09-26 14:37 . 2010-10-17 10:32 380928 c:\windows\Installer\{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}\iTunesIco.exe

+ 2010-09-09 05:19 . 2010-10-17 10:34 897024 c:\windows\Installer\{20ACB2F8-3BCA-45A8-80A2-9D3CB5C25F43}\SafariIco.exe

- 2010-09-09 05:19 . 2010-09-09 05:19 897024 c:\windows\Installer\{20ACB2F8-3BCA-45A8-80A2-9D3CB5C25F43}\SafariIco.exe

+ 2008-07-29 15:05 . 2008-07-29 15:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll

- 2008-07-29 16:05 . 2008-07-29 16:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll

+ 2008-07-29 15:05 . 2008-07-29 15:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll

- 2008-07-29 16:05 . 2008-07-29 16:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Compu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-05-26 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2010-07-08 49152]

"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-08-26 98304]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-22 1778064]

"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-08-12 2215064]

c:\documents and settings\Compu\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2009-9-19 278528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Online Backup Status.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Online Backup Status.lnk

backup=c:\windows\pss\McAfee Online Backup Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compu^Start Menu^Programs^Startup^IDrive Tray.lnk]

path=c:\documents and settings\Compu\Start Menu\Programs\Startup\IDrive Tray.lnk

backup=c:\windows\pss\IDrive Tray.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compu^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\documents and settings\Compu\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compu^Start Menu^Programs^Startup^PPS.lnk]

path=c:\documents and settings\Compu\Start Menu\Programs\Startup\PPS.lnk

backup=c:\windows\pss\PPS.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compu^Start Menu^Programs^Startup^Secunia PSI.lnk]

path=c:\documents and settings\Compu\Start Menu\Programs\Startup\Secunia PSI.lnk

backup=c:\windows\pss\Secunia PSI.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]

2010-03-04 21:31 311296 ----a-w- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Diamondback]

2010-07-08 04:26 147456 -c--a-w- c:\program files\Razer\Diamondback 3G\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-05-26 21:22 136176 ----atw- c:\documents and settings\Compu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDriveE Startup]

2010-04-23 02:05 177608 -c--a-w- c:\program files\IDrive\IDrvieEStartup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-09-24 09:10 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JumiController]

2010-03-27 10:01 1727488 -c--a-w- c:\program files\Jumi\jumi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Livestation]

2010-07-08 04:18 4431872 -c--a-w- c:\program files\Livestation\Livestation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

2010-07-08 04:20 53248 -c--a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

2010-07-08 04:20 135168 -c--a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

2010-04-17 05:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerBlock]

2009-09-28 09:02 1524824 ----a-w- c:\program files\PeerBlock\peerblock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPAP]

2010-04-26 09:09 185800 ----a-w- c:\program files\Common Files\PPLiveNetwork\PPAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recordpad]

2009-11-08 20:27 913412 -c--a-w- c:\program files\NCH Swift Sound\Recordpad\recordpad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SRS Audio Sandbox]

2010-01-07 17:43 3216664 ----a-w- c:\program files\SRS Labs\Audio Sandbox\SRSSSC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-09-28 08:52 1242448 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2010-09-01 06:35 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"IDriveWebM"=2 (0x2)

"IDriveE Service"=2 (0x2)

"O&O Defrag"=2 (0x2)

"PnkBstrA"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\NovaLogic\\Delta Force Land Warrior\\Update.exe"=

"c:\\Program Files\\NovaLogic\\Delta Force Land Warrior\\DFLW.EXE"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\PPLive\\PPTV\\PPLive.exe"=

"c:\\Program Files\\Common Files\\PPLiveNetwork\\PPAP.exe"=

"c:\\Program Files\\PPLive\\PPTV\\PPLiveU.exe"=

"c:\\Program Files\\uusee\\UUSeePlayer.exe"=

"c:\\Program Files\\PPStream\\PPStream.exe"=

"c:\\Program Files\\PPStream\\PPSAP.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\NovaLogic\\Joint Operations Typhoon Rising\\Jointops.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"65533:TCP"= 65533:TCP:Services

"52344:TCP"= 52344:TCP:Services

"3246:TCP"= 3246:TCP:Services

"2479:TCP"= 2479:TCP:Services

"3389:TCP"= 3389:TCP:Remote Desktop

"8000:UDP"= 8000:UDP:SPF Port 8000 UDP

"8000:TCP"= 8000:TCP:SPF Port 8000 TCP

"8001:UDP"= 8001:UDP:SPF Port 8001 UDP

"8001:TCP"= 8001:TCP:SPF Port 8001 TCP

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/17/2010 1:19 AM 218592]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 1:31 PM 115008]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [10/19/2010 6:42 PM 142592]

R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [10/17/2010 1:38 AM 112592]

R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [8/12/2010 2:16 PM 810144]

R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [6/22/2010 6:19 PM 10448]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 10:07 AM 35088]

R3 jumi;%Jumi%;c:\windows\system32\drivers\jumi.sys [7/23/2009 12:07 PM 6528]

R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [2/20/2010 9:37 PM 17792]

S2 0018391273802443mcinstcleanup;McAfee Application Installer Cleanup (0018391273802443); [x]

S2 0073951274376103mcinstcleanup;McAfee Application Installer Cleanup (0073951274376103); [x]

S2 0092291273523744mcinstcleanup;McAfee Application Installer Cleanup (0092291273523744); [x]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S3 appliandMP;appliandMP; [x]

S3 cpuz133;cpuz133;\??\c:\docume~1\Compu\LOCALS~1\Temp\cpuz133\cpuz133_x32.sys --> c:\docume~1\Compu\LOCALS~1\Temp\cpuz133\cpuz133_x32.sys [?]

S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [3/28/2010 6:55 PM 23456]

S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [6/14/2010 5:13 PM 14424]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 7:05 AM 14904]

S3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [8/23/2009 7:34 PM 13225]

S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [12/1/2009 4:49 PM 34384]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/17/2010 1:19 AM 366840]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

S4 IDriveE Service;IDriveE Service;c:\program files\IDrive\IDriveE Service.exe [12/29/2009 9:08 AM 148936]

S4 IDriveWebM;IDrive WebManager;c:\program files\IDrive\IDriveWebM.exe [7/9/2010 1:18 PM 267720]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/13/2010 12:24 AM 691696]

.

Contents of the 'Scheduled Tasks' folder

2010-10-10 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2010-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-879983540-839522115-1004Core.job

- c:\documents and settings\Compu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-26 21:22]

2010-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-879983540-839522115-1004UA.job

- c:\documents and settings\Compu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-26 21:22]

2010-10-14 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job

- c:\program files\Microsoft IntelliType Pro\itype.exe [2010-07-22 00:07]

2010-10-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1123561945-879983540-839522115-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]

2010-10-20 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1123561945-879983540-839522115-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]

2010-10-20 c:\windows\Tasks\SDMsgUpdate (TE).job

- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2010-04-08 04:33]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyServer = 127.0.0.1:8080

uInternet Settings,ProxyOverride = local;*.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: ʹ

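A triage pass over the ComboFix sections quoted above (firewall policy, globally open ports, the R/S service list and the Supplementary Scan proxy settings), as an added example that is not part of the original post and not a ComboFix, ESET or forum tool. It reads the ComboFix conventions off the log itself (R/S = running/stopped, the digit = start type, `[x]` = a service entry whose image file is gone, `[?]` = file not found at the recorded path) and uses an excerpt of the posted log as its sample input; the rules it applies (flag a disabled firewall, a loopback proxy, ports opened under a bare "Services" label or RDP, orphaned services, and drivers loaded from a Temp folder) are this example's own choice of what to look at first, not a verdict on the machine.

```python
"""Triage a ComboFix log excerpt for the settings an analyst checks first.

Added example; not part of the original post and not a ComboFix tool. The
ComboFix conventions it relies on are read off the log above; the flagging
rules below are this example's own assumptions.
"""
import re

START_TYPE = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
PORT_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<desc>.*)$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<proxy>\S+)")

# Excerpt of the log posted above, embedded here as the sample input.
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"8000:UDP"= 8000:UDP:SPF Port 8000 UDP
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/17/2010 1:19 AM 218592]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [8/12/2010 2:16 PM 810144]
S2 0018391273802443mcinstcleanup;McAfee Application Installer Cleanup (0018391273802443); [x]
S3 cpuz133;cpuz133;\??\c:\docume~1\Compu\LOCALS~1\Temp\cpuz133\cpuz133_x32.sys --> c:\docume~1\Compu\LOCALS~1\Temp\cpuz133\cpuz133_x32.sys [?]
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local;*.local
'''


def parse_services(lines):
    """Parse the 'R0 name;display;path [date size]' service and driver lines."""
    services = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest").strip()
        services.append({
            "name": m.group("name"),
            "display": m.group("display"),
            "running": m.group("state") == "R",
            "start": START_TYPE.get(m.group("start"), "?"),
            "path": rest,
            "missing_image": rest.endswith("[x]"),   # entry with no image file left
            "not_found": rest.endswith("[?]"),       # file absent at the recorded path
            "from_temp": "\\temp\\" in rest.lower(),
        })
    return services


def parse_open_ports(lines):
    """Parse the GloballyOpenPorts entries into port, protocol and description."""
    ports = []
    for line in lines:
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group("port")), "proto": m.group("proto"),
                          "desc": m.group("desc").strip()})
    return ports


def triage(log_text):
    """Return findings as dicts with a 'kind' key plus the fields needed to act on them."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings = []
    for line in lines:
        m = FIREWALL_RE.match(line)
        if m and m.group("val") == "0":
            findings.append({"kind": "firewall_disabled",
                             "detail": "Windows Firewall standard profile is off (EnableFirewall=0)"})
        m = PROXY_RE.match(line)
        if m:
            proxy = m.group("proxy")
            # A loopback proxy means a local process sees all browser traffic;
            # identify that listener before deciding whether the setting is legitimate.
            if proxy.rsplit(":", 1)[0] in ("127.0.0.1", "localhost"):
                findings.append({"kind": "loopback_proxy", "proxy": proxy,
                                 "detail": "IE proxies through %s; find the listener with netstat -ano" % proxy})
    for p in parse_open_ports(lines):
        # A rule labelled only "Services" names no application; RDP exposure is worth a look regardless.
        if p["desc"] == "Services" or p["port"] == 3389:
            findings.append({"kind": "open_port", "port": p["port"], "proto": p["proto"],
                             "detail": "globally open %d/%s (%s)" % (p["port"], p["proto"], p["desc"])})
    for s in parse_services(lines):
        if s["missing_image"]:
            findings.append({"kind": "orphan_service", "name": s["name"],
                             "detail": "service %s has no image file; stale entry" % s["name"]})
        if s["from_temp"]:
            findings.append({"kind": "service_from_temp", "name": s["name"],
                             "detail": "driver %s loads from a Temp folder: %s" % (s["name"], s["path"])})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s" % (f["kind"], f["detail"]))
```

Each hit is a prompt to verify, not a removal instruction: a 127.0.0.1:8080 proxy can be a local filtering tool as easily as a hijack, so the right next step is `netstat -ano` on the box to see which PID owns that port, and the `cpuz133` driver under Temp matches what CPU-Z extracts when it runs. The orphaned McAfee `mcinstcleanup` entries, by contrast, point at nothing on disk and are simply leftovers.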

I also ran a GMER scan and the items are questionable there as well. I don't know how to proceed because, running Spyware Doctor, it still finds downloader-trojan.Murlo registry entries along the lines of HKEY.. LEGACY CATCHME 0000 or something, and there are several of these.

It's not malware, it's a legitimate file used by ComboFix. I don't recommend Spyware Doctor!

I want to mention that the PC locks up at shutdown during the "Saving settings..." screen and I have to turn it off manually (ever since I uninstalled Uniblue). It never did this before; unsure what else could be wrong, mate.

See here:

http://www.aumha.org/win5/a/shtdwnxp.php

Uniblue is crap! More information here:

Now:

Please download Rootkit Unhooker and save it to your desktop.

  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it, typically your desktop. Click Close
  • Copy the entire contents of the report and paste it in your next reply.

Note - You may get this warning; it is OK, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


This topic is now closed to further replies.