  Siko
edit: April 6th, @09:51AM
Always get redirected after clicking link in google
Every other time I click on a link in Google I get redirected to 67.29.139.220, which gives me advertising. I click back and reclick on the link and it works. Here is my HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:50 AM, on 4/6/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Xfire\xfire.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
N:\installNY.exe
C:\Users\MURLIN~1\AppData\Local\Temp\is-7R5Q8.tmp\is-L77DO.tmp
C:\Program Files\Grisoft\AVG7\avgw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} (Setup Class) - »https://www.opinionsquare.com/Config/CSetup.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - »download.divx.com/player/DivXBro···ugin.cab
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Neowiz Login Control) - »gpdl.pmang.com/sayclub/sayctl/sayax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{816238D4-1ADE-4801-AF6C-1CB6A0BDC37F}: NameServer = 4.2.2.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{816238D4-1ADE-4801-AF6C-1CB6A0BDC37F}: NameServer = 4.2.2.1,4.2.2.2
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\Windows\system32\oodag.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
-- End of file - 6783 bytes
I googled it and they said it is a wareout infection, but they also said there is no wareout for Vista...

bcastner
First Steps
The following instructions are only for this Forum member. Please do not use these instructions on another computer system. You can seriously damage your system by following the instructions below without guided assistance. You assuredly will make a cleanup of your system more difficult.
Please download ATF Cleaner
It does not require any installation. It is set up to clean Windows 2k, XP & Vista TEMP folders, as well as IE, FireFox and Opera, Temporary Internet Files and Cookies.
• Double-click ATF-Cleaner.exe to run the program.
For all browsers:
• Under Main choose: Select All
• Click the Empty Selected button.
Next, if you use Firefox (and some Mozilla-based browsers)
• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
Next, if you use the Opera browser
• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Reconfigure Windows Vista to show hidden files:
To enable the viewing of Hidden files follow these steps:
• Close all programs so that you are at your desktop.
• Open the Control Panel menu and click Folder Options.
• After the new window appears select the View tab.
• Put a checkmark in the checkbox labeled Display the contents of system folders.
• Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
• Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
• Remove the checkmark from the checkbox labeled Hide protected operating system files.
• Press the Apply button and then the OK button and exit My Computer.
• Now your computer is configured to show all hidden files.
Malware Removal Steps
1. Please download to your Desktop OT_MOVEIT:
Please double-click OTMoveIt2.exe to run the utility.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Return to OTMoveIt2, right-click in the "Paste List Of Files/Patterns To Search For and Move" window. IMPORTANT -- Paste only into the bottom input panel (under the Yellow bar). The top panel will not help you. Right-click and choose Paste.
Click the red Moveit button. This will not be quick. I am asking it to scan your entire Drive C twice. When it has finished, use your mouse and do a Copy/Paste of the large right-hand panel that shows Results. Save your Clipboard contents in a new Notepad file, as we will want to review these results later. Close OTMoveIt2 when it has finished.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
2. Download and Run -- ComboFix©
Download this file -- to your Desktop -- from any of these sources:
• Disconnect from the Internet.
• Disable your Antivirus software -- this includes any Script Blocking Feature it may have.
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any disclaimers to start the fix. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
3. Please download MalwareBytes Anti-malware (MBAM) from one of the following links:
Once downloaded, close all programs and Windows on your computer (including this one.)
Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program.
On the Scanner tab, make sure the Perform quick scan option is selected and then click on the Scan button to start scanning your computer.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.
When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click Show Results. Make sure all entries have a checkmark at their far left. You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program's quarantine.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window. Remember where you saved the log file, as we will want to see it later.
4. Run HijackThis again, and save the log file.
Submit to the Forum:
• The contents of C:\Combofix.txt;
• The MBAM log;
• The new HijackThis log.
-- ============ MS-MVP 2004 - -2008, ASAP Member Users Helping Users
Siko
moderated: April 7th, @09:03PM
Sorry for all the spaces stretching this page so wide. I just directly copied it from the log to here. By the way, after doing this I'm still getting redirected.
Combo Fix
ComboFix 08-04-06.1 - Murlin Wei 2008-04-06 19:34:17.1 - NTFSx86
Microsoft® Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.1277 [GMT -4:00]
Running from: C:\Users\Murlin Wei\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\system32\x64
.
((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
.
2008-04-06 19:31 . 2008-04-06 19:31 d-------- C:\_OTMoveIt
2008-04-06 19:10 . 2008-04-06 19:10 d-------- C:\Program Files\Azureus
2008-04-06 10:00 . 2008-04-06 19:32 d-------- C:\Users\Murlin Wei\AppData\Roaming\Azureus
2008-04-06 10:00 . 2008-04-06 10:00 d-------- C:\Users\All Users\Azureus
2008-04-06 10:00 . 2008-04-06 10:00 d-------- C:\ProgramData\Azureus
2008-04-06 09:38 . 2008-04-06 09:38 d-------- C:\fixwareout
2008-04-06 08:03 . 2008-04-06 08:05 178 --a------ C:\megaScenery.ini
2008-04-05 19:34 . 2008-04-06 08:06 d-------- C:\Users\Murlin Wei\AppData\Roaming\AVG7
2008-04-05 19:33 . 2008-04-05 19:33 9,216 --a------ C:\Windows\System32\avgwlntf.dll
2008-04-05 14:50 . 2008-04-05 19:35 d-------- C:\Program Files\COMODO
2008-04-05 14:45 . 2008-04-06 08:06 d-------- C:\Users\All Users\Avg7
2008-04-05 14:45 . 2008-04-06 08:06 d-------- C:\ProgramData\Avg7
2008-04-05 09:07 . 2007-02-22 22:19 172,032 --a------ C:\Windows\System32\igfxres.dll
2008-04-05 09:03 . 2008-04-05 09:03 d-------- C:\Intel
2008-04-05 09:03 . 2006-12-13 03:17 3,276,800 --a------ C:\Windows\System32\igfxress.dll
2008-04-05 09:03 . 2006-12-13 03:16 212,992 --a------ C:\Windows\System32\igfxdev.dll
2008-04-05 09:03 . 2007-02-22 23:44 204,800 --a------ C:\Windows\System32\igfxCoIn_v1214.dll
2008-04-05 09:03 . 2006-12-13 03:16 196,608 --a------ C:\Windows\System32\igfxsrvc.exe
2008-04-05 09:03 . 2006-12-13 03:16 155,648 --a------ C:\Windows\System32\igfxpph.dll
2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\Users\Murlin Wei\AppData\Roaming\Apple Computer
2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\Users\All Users\Apple Computer
2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\ProgramData\Apple Computer
2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\Program Files\QuickTime
2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\Program Files\iPod
2008-04-04 21:01 . 2008-04-06 15:58 54,156 --ah----- C:\Windows\QTFont.qfn
2008-04-04 21:01 . 2008-04-04 21:01 1,409 --a------ C:\Windows\QTFont.for
2008-04-04 21:00 . 2008-04-04 21:00 d-------- C:\Users\All Users\Apple
2008-04-04 21:00 . 2008-04-04 21:00 d-------- C:\ProgramData\Apple
2008-04-04 21:00 . 2008-04-04 21:00 d-------- C:\Program Files\Common Files\Apple
2008-04-04 21:00 . 2008-04-04 21:00 d-------- C:\Program Files\Apple Software Update
2008-04-04 20:39 . 2008-04-04 20:39 d-------- C:\Program Files\Real
2008-04-04 20:39 . 2008-04-04 20:39 d-------- C:\Program Files\Common Files\xing shared
2008-04-04 20:39 . 2008-04-04 20:39 d-------- C:\Program Files\Common Files\Real
2008-04-04 15:31 . 2008-04-04 15:31 d-------- C:\Users\Murlin Wei\AppData\Roaming\Microsoft Game Studios
2008-03-31 17:00 . 2008-03-31 17:00 d-------- C:\Users\Murlin Wei\AppData\Roaming\InstallShield
2008-03-29 17:45 . 2008-03-29 17:45 d-------- C:\Program Files\Ken Salter
2008-03-29 16:23 . 2008-03-29 16:23 d-------- C:\Users\Murlin Wei\AppData\Roaming\Ethereal
2008-03-29 16:21 . 2008-03-29 16:21 d-------- C:\Temp
2008-03-29 16:21 . 2008-03-29 16:21 d-------- C:\Program Files\Ethereal
2008-03-29 16:21 . 2008-03-29 16:21 d-------- C:\Program Files\AirSnare
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\Windows\System32\QuickTime.qts
2008-03-27 18:33 . 2008-03-27 18:33 1,024 --a------ C:\Windows\utraffic1.lic
2008-03-26 16:50 . 2008-03-26 16:50 1,107 --a------ C:\Windows\mozver.dat
2008-03-25 18:20 . 2008-03-25 18:20 d-------- C:\Windows\System32\Adobe
2008-03-24 21:04 . 2008-03-24 21:04 d-------- C:\Program Files\7-Zip
2008-03-23 20:33 . 2008-03-23 20:33 2,048 --a------ C:\Windows\atr72-500.lic
2008-03-23 18:44 . 2008-03-23 18:44 d-------- C:\Program Files\Dragonfly
2008-03-23 07:47 . 2008-03-23 07:52 d-------- C:\Windows\Lhsp
2008-03-22 21:21 . 2008-03-22 21:22 d-------- C:\Program Files\FSFDT
2008-03-22 16:27 . 2008-03-22 16:27 d-------- C:\Program Files\XviD
2008-03-22 16:26 . 2008-03-25 16:58 d-------- C:\Program Files\Common Files\GC Install
2008-03-22 14:57 . 2008-04-06 18:09 d-------- C:\Users\Murlin Wei\AppData\Roaming\SiteAdvisor
2008-03-22 14:57 . 2008-03-22 14:57 d-------- C:\Users\All Users\SiteAdvisor
2008-03-22 14:57 . 2008-03-22 14:57 d-------- C:\Users\All Users\McAfee
2008-03-22 14:57 . 2008-03-22 14:57 d-------- C:\ProgramData\SiteAdvisor
2008-03-22 14:57 . 2008-03-22 14:57 d-------- C:\ProgramData\McAfee
2008-03-22 14:20 . 2008-03-22 14:20 d-------- C:\Users\All Users\Adobe
2008-03-22 13:56 . 2008-03-22 13:56 d-------- C:\Program Files\GARMIN
2008-03-22 13:55 . 1997-11-19 15:49 303,616 --a------ C:\Windows\IsUninst.exe
2008-03-22 13:54 . 2008-03-22 13:54 2,048 --a------ C:\Windows\dfa36.lic
2008-03-22 07:49 . 2008-03-22 07:51 3,675 --a------ C:\Windows\aitt.ini
2008-03-21 16:29 . 2008-03-21 16:37 d-------- C:\Users\All Users\Lavasoft
2008-03-21 16:29 . 2008-03-21 16:37 d-------- C:\ProgramData\Lavasoft
2008-03-21 15:51 . 2008-03-21 15:51 d-------- C:\Users\Murlin Wei\AppData\Roaming\Grisoft
2008-03-21 15:51 . 2007-05-30 08:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys
2008-03-21 09:49 . 2008-04-05 08:59 d-------- C:\Program Files\Realtek
2008-03-21 09:49 . 2006-09-12 00:34 499,712 --a------ C:\Windows\RtlExUpd.dll
2008-03-20 15:40 . 2008-03-20 15:40 d-------- C:\Users\Murlin Wei\{aa0d5936-10b8-4d4e-b491-2ffd51f2ccbe}
2008-03-20 15:15 . 2008-03-20 15:15 dr-h----- C:\MSOCache
2008-03-19 20:56 . 2008-01-19 03:35 9,847,296 --a------ C:\Windows\System32\NlsData000a.dll
2008-03-19 20:55 . 2008-01-19 02:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-03-18 20:32 . 2008-03-18 20:32 d-------- C:\Windows\System32\VC
2008-03-18 20:32 . 2008-03-18 20:32 d-------- C:\Windows\System32\MinGW
2008-03-18 20:32 . 2008-03-18 20:32 d-------- C:\Windows\System32\Builder5
2008-03-18 20:22 . 2008-03-18 20:26 155,648 --a------ C:\Windows\System32\libssl32.dll
2008-03-18 18:32 . 2008-03-18 18:32 286,720 --a------ C:\Windows\iun506.exe
2008-03-17 15:34 . 2008-03-17 15:34 d-------- C:\Users\Murlin Wei\AppData\Roaming\eMule
2008-03-17 15:34 . 2008-04-04 18:16 d-------- C:\Users\All Users\eMule
2008-03-17 15:34 . 2008-04-04 18:16 d-------- C:\ProgramData\eMule
2008-03-16 14:12 . 2008-03-16 14:12 4 --a------ C:\Windows\startup_BBCP.ini
2008-03-16 14:03 . 2008-03-16 14:03 d-------- C:\Users\All Users\Ubisoft
2008-03-16 14:03 . 2008-03-16 14:03 d-------- C:\ProgramData\Ubisoft
2008-03-16 14:03 . 2008-03-16 14:03 d-------- C:\Program Files\Microsoft Speech SDK 5.1
2008-03-16 14:03 . 2008-03-16 14:03 d-------- C:\Program Files\IL2 Sturmovik
2008-03-16 14:03 . 2008-03-16 14:03 d-------- C:\Program Files\IL-2 Sturmovik Forgotten Battles
2008-03-16 14:03 . 2004-03-29 17:23 90,112 --a------ C:\Windows\unvise32.exe
2008-03-16 10:43 . 2008-03-29 16:21 d-------- C:\Program Files\WinPcap
2008-03-15 07:21 . 2008-03-15 07:21 176,937 --a------ C:\Windows\Sky Environment Ultra FS9 Uninstaller.exe
2008-03-13 19:06 . 2008-03-13 19:06 41,296 --a------ C:\Windows\System32\xfcodec.dll
2008-03-13 16:36 . 2008-03-13 16:36 d-------- C:\Program Files\Bevelstone Production
2008-03-13 16:16 . 2008-03-15 18:22 d-------- C:\Program Files\Common Files\InstallShield
2008-03-13 15:11 . 2008-03-13 15:11 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-13 15:10 . 2008-03-22 14:20 d-------- C:\Program Files\Common Files\Adobe
2008-03-13 15:09 . 2008-03-13 15:09 d-------- C:\Program Files\Microsoft Silverlight
2008-03-12 20:41 . 2008-03-12 20:41 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-03-12 16:48 . 2008-03-12 16:48 d-------- C:\Program Files\DocPad
2008-03-12 16:48 . 2008-03-12 16:48 d-------- C:\Program Files\Common Files\System-G
2008-03-10 15:22 . 2008-03-29 09:15 56 --a------ C:\Windows\fs9configurator.ini
2008-03-09 18:11 . 2008-03-09 18:11 d-------- C:\Program Files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 23:11 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\uTorrent
2008-04-06 17:17 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-06 13:54 --------- d---a-w C:\ProgramData\TEMP
2008-04-06 13:54 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-05 23:33 --------- d-----w C:\ProgramData\Grisoft
2008-04-05 16:42 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Xfire
2008-04-05 12:59 319,984 ----a-w C:\Windows\DIFxAPI.dll
2008-04-03 22:26 --------- d-----w C:\ProgramData\Xfire
2008-04-01 20:27 737,280 ----a-w C:\Windows\iun6002.exe
2008-03-31 21:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-30 22:54 --------- d-----w C:\Program Files\IEPro
2008-03-29 17:25 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Winamp
2008-03-23 19:04 1,392,304 ----a-w C:\Windows\System32\AutoPartNt.exe
2008-03-23 19:01 114,048 ----a-w C:\Windows\system32\drivers\snapman.sys
2008-03-23 19:01 --------- d-----w C:\Program Files\Common Files\Acronis
2008-03-23 19:01 --------- d-----w C:\Program Files\Acronis
2008-03-22 18:48 --------- d-----w C:\Program Files\Java
2008-03-22 16:54 --------- d-----w C:\Program Files\FS Real Time
2008-03-21 20:33 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2008-03-21 20:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-20 01:20 174 --sha-w C:\Program Files\desktop.ini
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Mail
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Defender
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Calendar
2008-03-20 01:05 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-03-20 01:05 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-20 00:17 --------- d-----w C:\Program Files\Microsoft Games
2008-03-18 19:09 --------- d-----w C:\Program Files\Xfire
2008-03-09 01:03 169,109 ----a-w C:\Windows\system32\drivers\scskusbs.sys
2008-03-09 01:03 11,385 ----a-w C:\Windows\system32\drivers\scskusbf.sys
2008-03-05 21:03 479,752 ----a-w C:\Windows\System32\XAudio2_0.dll
2008-03-05 21:03 238,088 ----a-w C:\Windows\System32\xactengine3_0.dll
2008-03-05 21:00 25,608 ----a-w C:\Windows\System32\X3DAudio1_3.dll
2008-03-05 20:56 3,786,760 ----a-w C:\Windows\System32\D3DX9_37.dll
2008-03-05 20:56 1,420,824 ----a-w C:\Windows\System32\D3DCompiler_37.dll
2008-03-03 00:21 --------- d-----w C:\Program Files\OO Software
2008-03-02 19:51 --------- d-----w C:\Program Files\SwiftSwitch
2008-03-02 19:32 --------- d-----w C:\ProgramData\SwiftSwitch
2008-03-02 16:09 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Ventrilo
2008-03-02 12:12 --------- d-----w C:\Program Files\FSFlyingSchool
2008-03-02 02:32 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\HiFi
2008-03-01 19:37 --------- d-----w C:\Program Files\FOC 2003
2008-02-29 20:20 --------- d-----w C:\Program Files\Runtime Software
2008-02-29 00:23 --------- d-----w C:\Program Files\Recuva
2008-02-28 21:55 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\SUPERAntiSpyware.com
2008-02-28 21:55 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-02-28 15:45 230,152 ----a-w C:\Windows\System32\PDBoot.exe
2008-02-27 00:10 --------- d-----w C:\Program Files\RegSeeker
2008-02-26 23:34 --------- d-----w C:\Program Files\Shockwave 3D Lights Redux for FS9
2008-02-24 12:35 --------- d-----w C:\Program Files\DivX
2008-02-21 02:45 --------- d-----w C:\Program Files\SquawkBox3
2008-02-21 02:05 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-02-21 02:05 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-02-19 08:24 7,808 ----a-w C:\Windows\system32\drivers\psi_mf.sys
2008-02-19 01:58 316,768 ----a-w C:\Windows\System32\sayax.dll
2008-02-19 00:50 --------- d-----w C:\Program Files\Microsoft Works
2008-02-18 15:14 --------- d-----w C:\Program Files\MSXML 4.0
2008-02-18 11:57 --------- d-----w C:\Program Files\rcv4
2008-02-17 20:15 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Flight1
2008-02-17 18:10 202,149 ----a-w C:\Windows\Water Details FS 2004 Uninstaller.exe
2008-02-17 16:21 --------- d-----w C:\Program Files\Flight One Software
2008-02-16 16:43 --------- d-----w C:\Program Files\Intel
2008-02-16 16:40 --------- d-----w C:\Program Files\Belarc
2008-02-15 19:22 59,392 ----a-w C:\Windows\system32\drivers\RTSTOR.sys
2008-02-14 01:17 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-14 01:17 --------- d-----w C:\Program Files\Common Files\L&H
2008-02-14 01:16 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-13 13:01 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\OpenOffice.org2
2008-02-12 23:40 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-12 21:59 --------- d-----w C:\ProgramData\Abacus
2008-02-12 18:36 --------- d-----w C:\Program Files\Common Files\InstallShieldCrap
2008-02-11 15:55 147,456 ----a-w C:\Windows\System32\igfxCoIn_v1437.dll
2008-02-11 15:34 29,932 ----a-w C:\Windows\System32\igmedcompkrn.bin
2008-02-11 15:34 2,215,364 ----a-w C:\Windows\System32\igklg400.bin
2008-02-11 15:34 1,971,732 ----a-w C:\Windows\System32\igklg450.bin
2008-02-11 00:19 --------- d-----w C:\Program Files\Ventrilo
2008-02-10 17:11 543 ----a-w C:\Program Files\INSTALL.LOG
2008-02-10 14:03 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-02-09 19:25 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-02-07 01:03 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-02-07 00:47 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-06 04:07 462,864 ----a-w C:\Windows\System32\d3dx10_37.dll
2008-01-29 16:02 107,368 ----a-w C:\Windows\System32\GEARAspi.dll
2008-01-19 07:44 986,680 ----a-w C:\Windows\System32\winload.exe
2008-01-19 07:44 926,776 ----a-w C:\Windows\System32\winresume.exe
2008-01-19 07:43 614,968 ----a-w C:\Windows\System32\ci.dll
2008-01-19 07:43 376,376 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-01-19 07:43 3,600,440 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-01-19 07:43 3,548,728 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-01-19 07:42 94,776 ----a-w C:\Windows\System32\MigAutoPlay.exe
2008-01-19 07:42 51,768 ----a-w C:\Windows\System32\PSHED.DLL
2008-01-19 07:42 247,352 ----a-w C:\Windows\System32\clfs.sys
2008-01-19 07:42 177,208 ----a-w C:\Windows\System32\halmacpi.dll
2008-01-19 07:42 141,880 ----a-w C:\Windows\System32\halacpi.dll
2008-01-19 07:41 24,120 ----a-w C:\Windows\System32\BOOTVID.DLL
2008-01-19 07:41 21,560 ----a-w C:\Windows\System32\kdusb.dll
2008-01-19 07:41 19,512 ----a-w C:\Windows\System32\kdcom.dll
2008-01-19 07:38 46,080 ----a-w C:\Windows\System32\NAPCRYPT.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 03:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 03:38 1008184]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2006-12-13 03:17 98304]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2006-12-13 03:19 106496]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2006-12-13 03:17 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-05 19:33 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-05 19:33 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-04-05 19:33 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FPS1"= frapsvid.dll
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\startupfolder\C:^Users^Murlin Wei^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=C:\Users\Murlin Wei\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=C:\Windows\pss\OpenOffice.org 2.3.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Murlin Wei^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Secunia PSI (RC1).lnk]
path=C:\Users\Murlin Wei\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI (RC1).lnk
backup=C:\Windows\pss\Secunia PSI (RC1).lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 05:25 6731312 H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
--a------ 2007-02-16 19:49 149024 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2007-02-16 19:57 1945960 C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-01-17 12:51 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2006-12-13 03:19 106496 C:\Windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2006-12-13 03:17 98304 C:\Windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 H:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
--a------ 2007-05-11 03:08 2512392 C:\Windows\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2006-12-13 03:17 81920 C:\Windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 20:05 200704 H:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rapget]
E:\Flight Simulator Software\rapget140\rapget.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
--a------ 2006-12-01 00:37 4186112 C:\Windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-04-06 13:17 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-04 20:39 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
--a------ 2007-02-16 19:45 1169776 C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
--a------ 2008-01-19 03:36 2153472 C:\Windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2008-01-19 03:33 202240 C:\Program Files\Windows Media Player\WMPNSCFG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2738104663-2755392700-2221383480-1000] "EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules] "TCP Query User{61455193-5548-4882-BB4F-1FFC86E41172}C:\\ijji\\english\\u_skid.exe"= UDP:C:\ijji\english\u_skid.exe: "UDP Query User{6099BF92-BFC5-416D-AEC6-DA00AFB25A65}C:\\ijji\\english\\u_skid.exe"= TCP:C:\ijji\english\u_skid.exe: "TCP Query User{7E27783F-27CC-4E95-8A1E-47091E0453EF}K:\\program files\\driftcity\\driftcity.exe"= UDP:K:\program files\driftcity\driftcity.exe:DriftCity "UDP Query User{68C2CEBB-F1D1-4589-A707-19610F1F7E77}K:\\program files\\driftcity\\driftcity.exe"= TCP:K:\program files\driftcity\driftcity.exe:DriftCity "TCP Query User{FE38E010-F2C0-4967-83FD-96B25A3F5B30}C:\\ijji\\english\\u_sf\\soldierfront.exe"= UDP:C:\ijji\english\u_sf\soldierfront.exe:soldierfront "UDP Query User{19A69707-47F5-4ED8-A3D4-D983B5833183}C:\\ijji\\english\\u_sf\\soldierfront.exe"= TCP:C:\ijji\english\u_sf\soldierfront.exe:soldierfront "TCP Query User{B66503DB-7D5D-4DE9-9921-A25C9F1EA5AB}H:\\program files\\driftcity\\driftcity.exe"= UDP:H:\program files\driftcity\driftcity.exe:DriftCity "UDP Query User{14612DD0-8A9C-44A2-9B51-5491B5A88018}H:\\program files\\driftcity\\driftcity.exe"= TCP:H:\program files\driftcity\driftcity.exe:DriftCity "TCP Query User{A8D6E0B6-86C5-4D81-9FDF-F0378CD75F37}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire "UDP Query User{5DC64609-489B-4CCD-8BDC-DA888571FCC7}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire "{17C23B69-DBF2-487A-A532-7D9ABF255A9E}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent "{94906B86-E338-4979-ADE4-B4200BD59672}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent "TCP Query User{30964450-8A26-40BA-A03B-E0D17BDCC6BB}G:\\program files\\microsoft games\\flight simulator 9\\fs9.exe"= UDP:G:\program files\microsoft games\flight simulator 9\fs9.exe:Microsoft Flight Simulator "UDP Query User{426ADF18-258D-442E-B866-DE3813E88673}G:\\program files\\microsoft games\\flight simulator 
9\\fs9.exe"= TCP:G:\program files\microsoft games\flight simulator 9\fs9.exe:Microsoft Flight Simulator "{0E586831-FC73-45B0-9F08-096BF0D40C38}"= UDP:80:80 "{34AD0E95-78FA-44A3-A14A-4A598E511536}"= TCP:80:80 "{28CEFC0F-00A3-4EAB-9D8B-9D64D7265705}"= UDP:6112:6112 "{991C1B7E-6DA8-49BB-9C14-B6C74730B50A}"= TCP:6112:6112 "{8A3679AF-CD19-4CE2-A038-9DE3E3E5A34B}"= UDP:54789:54789 "{8C63877E-7C19-4DA5-B287-AA6D0F8CFC28}"= TCP:54789:54789 "TCP Query User{58038DE4-2BB8-41E1-8189-030A5E823718}H:\\nexon\\maplestory\\patcher.exe"= UDP:H:\nexon\maplestory\patcher.exe:Patcher MFC ?? ???? "UDP Query User{41D9A998-FD0B-4C1B-A90E-B0F2BED2BFC4}H:\\nexon\\maplestory\\patcher.exe"= TCP:H:\nexon\maplestory\patcher.exe:Patcher MFC ?? ???? "TCP Query User{57B550CD-25EA-460B-AE48-681C32F87C39}H:\\nexon\\maplestory\\maplestory.exe"= UDP:H:\nexon\maplestory\maplestory.exe:MapleStory "UDP Query User{609320D2-5ECE-4286-8362-B486263DA9E3}H:\\nexon\\maplestory\\maplestory.exe"= TCP:H:\nexon\maplestory\maplestory.exe:MapleStory "TCP Query User{83AB73F7-1946-4300-A08C-DB73E9369C8F}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer "UDP Query User{48ACEBD7-DC97-4FF2-BB6F-704618FB53B2}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer "1c9b3cdd-3bce-43a9-881b-5fb372fe469c"=
"TCP Query User{6A3FA9AA-E952-4D4D-8FD7-FC7ED8BD727F}H:\\program files\\america's army\\system\\armyops.exe"= UDP:H:\program files\america's army\system\armyops.exe:ArmyOps "UDP Query User{BEB13D38-D94C-4F4C-9245-7E48245BFA1D}H:\\program files\\america's army\\system\\armyops.exe"= TCP:H:\program files\america's army\system\armyops.exe:ArmyOps "TCP Query User{50F33169-380A-49AF-81BE-7C6E8C8C2451}C:\\windows\\system32\\dpnsvr.exe"= UDP:C:\windows\system32\dpnsvr.exe:Microsoft DirectPlay8 Server "UDP Query User{DF0B00AF-395E-4FA4-B850-2BD9EF20F7ED}C:\\windows\\system32\\dpnsvr.exe"= TCP:C:\windows\system32\dpnsvr.exe:Microsoft DirectPlay8 Server "TCP Query User{5021BF18-01CD-4258-97B4-0C63DB4C1B7E}C:\\program files\\fsfdt\\control panel\\fsfdtcp.exe"= UDP:C:\program files\fsfdt\control panel\fsfdtcp.exe:FSFDT Control Panel "UDP Query User{3DB1FC88-0596-4F01-A186-E39F227CE84D}C:\\program files\\fsfdt\\control panel\\fsfdtcp.exe"= TCP:C:\program files\fsfdt\control panel\fsfdtcp.exe:FSFDT Control Panel "TCP Query User{1AB14382-F73F-48C9-B315-3EE9B8CB2694}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox "UDP Query User{17CAEFA6-0C1E-42AC-978B-C4A6CBAAC66B}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox "eb8b0e56-37ab-4db7-9f9e-1a1d6608d4e0"= %ProgramFiles%\FSFDT\FSInn UI\FSInnUI.exe:FSINN "UDP Query User{D86A64A0-98DB-45F2-B30E-9C99810EA427}C:\\program files\\fsfdt\\fwinn\\fwinn.exe"= C:\program files\fsfdt\fwinn\fwinn.exe:FSInn Application "TCP Query User{F3FF54FA-890C-4280-937A-E4B25DFDC64A}C:\\program files\\fsfdt\\fwinn\\fwinn.exe"= C:\program files\fsfdt\fwinn\fwinn.exe:FSInn Application "5d038ed9-b69c-43ca-9e9d-361f03d7074d"= %ProgramFiles%\FSFDT\Control Panel\FSFDTCP.exe:FSUDCP "09c2c1b0-5d17-4e76-8c53-65f0895ca6d1"= UDP:3782|LPort=3290|LPort=3783|LPort=6809:SQ "3a769932-0d65-4226-8f87-9af21c6399fa"= TCP:3782|LPort=3290|LPort=3783|LPort=6809:SQ1 
"7bda4004-dec1-4e68-ae03-4b18dca28327"= TCP:32062:FSINN "TCP Query User{7BA25555-49F6-4C6F-A3BE-B1091A7CD7E6}C:\\program files\\swiftswitch\\swiftswitch.exe"= UDP:C:\program files\swiftswitch\swiftswitch.exe:Utility for RuneScape "UDP Query User{F3D3B80D-3F35-4E98-BAE6-FFC8C8B398CB}C:\\program files\\swiftswitch\\swiftswitch.exe"= TCP:C:\program files\swiftswitch\swiftswitch.exe:Utility for RuneScape "TCP Query User{2E3A70D7-0AC2-4254-B11B-0A2EC31E6D05}H:\\program files\\dragonfly\\special force\\specialforce.exe"= UDP:H:\program files\dragonfly\special force\specialforce.exe:SpecialForce "UDP Query User{6137764F-CAE8-4517-AF49-6CB2607C5DB8}H:\\program files\\dragonfly\\special force\\specialforce.exe"= TCP:H:\program files\dragonfly\special force\specialforce.exe:SpecialForce "TCP Query User{0D1EF090-833B-4967-9D45-EAF64C49861F}C:\\ijji\\english\\gunz\\gunz.exe"= UDP:C:\ijji\english\gunz\gunz.exe:Gunz "UDP Query User{560CD26A-B4D8-4DD6-9AF8-BA438C3E071D}C:\\ijji\\english\\gunz\\gunz.exe"= TCP:C:\ijji\english\gunz\gunz.exe:Gunz "TCP Query User{63EC054C-903B-40D8-A36F-D2F80B55FF3D}C:\\users\\murlin wei\\desktop\\fshost32\\fshost32.exe"= UDP:C:\users\murlin wei\desktop\fshost32\fshost32.exe:fshost32.exe "UDP Query User{D8E76696-D62C-4EBD-8A08-5450B40122C9}C:\\users\\murlin wei\\desktop\\fshost32\\fshost32.exe"= TCP:C:\users\murlin wei\desktop\fshost32\fshost32.exe:fshost32.exe "TCP Query User{854A4DB3-1DFB-4B87-A7E0-AEA6B9C0074B}C:\\windows\\system32\\dplaysvr.exe"= UDP:C:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper "UDP Query User{A36A3890-68AE-4E2D-BC3B-FDAC339499B3}C:\\windows\\system32\\dplaysvr.exe"= TCP:C:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper "TCP Query User{2D0919A8-6553-4CDF-A595-A46EF1D2F4D3}C:\\program files\\dragonfly\\special force\\specialforce.exe"= UDP:C:\program files\dragonfly\special force\specialforce.exe:specialforce "UDP Query User{BC4A08A4-5B7E-4662-810F-1D9F1662B2AC}C:\\program files\\dragonfly\\special 
force\\specialforce.exe"= TCP:C:\program files\dragonfly\special force\specialforce.exe:specialforce "{73852E8D-6030-4943-9978-138A7E864BD9}"= UDP:C:\Windows\Temp\~osCD95.tmp\ossproxy.exe:ossproxy.exe "{43868274-2029-4933-8F1C-885F387F06D2}"= UDP:C:\Windows\Temp\~osDBBC.tmp\ossproxy.exe:ossproxy.exe "{607558EF-6597-4863-8D25-F007069A2EC9}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent "{46E5FDB3-D48D-4321-B224-C365CF959155}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent "{9B21F62D-DF09-44A2-BD05-BC7EEE8742C9}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour "{68F77BA3-1444-44C8-AC53-D586A7FD787C}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour "{48866029-02D4-420C-AF33-2058433DC7D9}"= UDP:H:\Program Files\iTunes\iTunes.exe:iTunes "{AB169B2B-5F22-47D8-B596-C06720D2E476}"= TCP:H:\Program Files\iTunes\iTunes.exe:iTunes "TCP Query User{37AFDF7F-9FEF-441B-B24D-75F2E325B8C7}H:\\program files\\azureus\\azureus.exe"= UDP:H:\program files\azureus\azureus.exe:Azureus "UDP Query User{2414528D-9012-4CCF-B04D-4D7AC667B755}H:\\program files\\azureus\\azureus.exe"= TCP:H:\program files\azureus\azureus.exe:Azureus "TCP Query User{9225565D-E33E-467E-9533-ED9B2675E3C6}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus "UDP Query User{9F98D73A-65DD-4D0E-B968-DC1D3C6EBAA6}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 12:43] R3 HPFXBULK;HPFXBULK;C:\Windows\system32\drivers\hpfxbulk.sys [2007-06-20 03:21] R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-12-13 04:32] R3 RTSTOR;USB Mass Storage Device;C:\Windows\system32\drivers\RTSTOR.SYS [2008-02-15 15:22] R3 rxpvbus;Reality XP Avionics Bus Driver;C:\Windows\system32\DRIVERS\rxpvbus.sys [2005-11-04 09:35] R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 03:30] S2 AcronisOSSReinstallSvc;Acronis OS Selector Reinstall Service;"C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe" [2007-02-22 19:53] S3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys [2008-02-19 04:24] S3 scskusbf;USB SCSK Filter Driver Service;C:\Windows\system32\drivers\scskusbf.sys [2008-03-08 21:03] S3 scskusbs;USB SCSK Driver Service;C:\Windows\system32\drivers\scskusbs.sys [2008-03-08 21:03] S4 PD91Agent;PD91Agent;"C:\Program Files\Raxco\PerfectDisk\PD91Agent.exe" [] S4 PD91Engine;PD91Engine;"C:\Program Files\Raxco\PerfectDisk\PD91Engine.exe" [] S4 PD91VMDefrag;PD91VMDefrag;"C:\Program Files\Raxco\PerfectDisk\PD91VMDefrag.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] rsmsvcs REG_MULTI_SZ ntmssvc
. **************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net Rootkit scan 2008-04-06 19:37:56 Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Windows\system32\oodag.exe
C:\Windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2008-04-06 19:40:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-06 23:40:27
Pre-Run: 22,094,360,576 bytes free
Post-Run: 21,846,478,848 bytes free
.
2008-04-06 19:37:25 --- E O F ---
MBAM
Malwarebytes' Anti-Malware 1.10
Database version: 597
Scan type: Quick Scan
Objects scanned: 28169
Time elapsed: 3 minute(s), 0 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{48d78be5-cfb9-4b66-9ac4-96d4cf21de06} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{74d46bba-5638-473a-83b6-97e7804a7411} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{d2a8552d-4340-413e-b94e-245827fbc269} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4340df8e-d7a3-4675-be74-80077b2b3e81} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\ausctv32a.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)
HiJackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:12 PM, on 4/6/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Xfire\xfire.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »google.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows 
Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O4 - Startup: Azureus.exe - Shortcut.lnk = H:\Program Files\Azureus\Azureus.exe O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll O13 - Gopher Prefix: O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - »download.divx.com/player/DivXBro···ugin.cab O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Neowiz Login Control) - »gpdl.pmang.com/sayclub/sayctl/sayax.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{816238D4-1ADE-4801-AF6C-1CB6A0BDC37F}: NameServer = 208.67.220.220,208.67.222.222 O17 - HKLM\System\CS1\Services\Tcpip\..\{816238D4-1ADE-4801-AF6C-1CB6A0BDC37F}: NameServer = 208.67.220.220,208.67.222.222 O20 - AppInit_DLLs: O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - C:\Program Files\Common Files\Acronis\Acronis 
Disk Director\oss_reinstall_svc.exe O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: O&O Defrag - O&O Software GmbH - C:\Windows\system32\oodag.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
-- End of file - 6062 bytes
| |   bcastner
Premium,MVM
join:2002-09-25 Chevy Chase, MD
·Verizon Online DSL
| reply to Siko
2. Please double-click OTMoveIt2.exe to run the utility.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Return to OTMoveIt2, right-click in the "Paste List Of Files/Patterns To Search For and Move" window. IMPORTANT -- Paste only into the bottom input panel (under the Yellow bar). The top panel will not help you. Right-click and choose Paste.
Click the red Moveit button. This will not be quick. I am asking it to scan your entire Drive C twice. When it has finished, use your mouse and do a Copy/Paste of the large right-hand panel that shows Results. Save your Clipboard contents in a new Notepad file, as we will want to review these results later. Close OTMoveIt2 when it has finished.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
2. Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard":
Open a new Notepad session - (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt".
• Disconnect from the Internet.
• Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well. Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any Disclaimers to start the fix.
Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture: 
When the scan completes, Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
•!• A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
Post back to the Forum the contents of C:\Combofix.txt
-- ============ MS-MVP 2004 - -2008, ASAP Member Users Helping Users
| |   Siko
join:2006-11-27 Mechanicsburg, PA
·Verizon Online DSL
·Comcast
moderated: April 8th, @05:54PM
| Here they are
ComboFix 08-04-08.4 - Murlin Wei 2008-04-08 15:28:56.2 - NTFSx86 Microsoft® Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.1299 [GMT -4:00] Running from: C:\Users\Murlin Wei\Desktop\ComboFix.exe Command switches used :: C:\Users\Murlin Wei\Desktop\CFscript.txt .
((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 ))))))))))))))))))))))))))))))) .
2008-04-06 19:44 . 2008-04-06 19:44 d-------- C:\Users\Murlin Wei\AppData\Roaming\Malwarebytes 2008-04-06 19:44 . 2008-04-06 19:44 d-------- C:\Users\All Users\Malwarebytes 2008-04-06 19:44 . 2008-04-06 19:44 d-------- C:\ProgramData\Malwarebytes 2008-04-06 19:44 . 2008-04-06 19:44 d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-04-06 19:31 . 2008-04-06 19:31 d-------- C:\_OTMoveIt 2008-04-06 19:10 . 2008-04-06 19:10 d-------- C:\Program Files\Azureus 2008-04-06 10:00 . 2008-04-08 15:27 d-------- C:\Users\Murlin Wei\AppData\Roaming\Azureus 2008-04-06 10:00 . 2008-04-06 10:00 d-------- C:\Users\All Users\Azureus 2008-04-06 10:00 . 2008-04-06 10:00 d-------- C:\ProgramData\Azureus 2008-04-06 08:03 . 2008-04-06 08:05 178 --a------ C:\megaScenery.ini 2008-04-05 19:34 . 2008-04-06 08:06 d-------- C:\Users\Murlin Wei\AppData\Roaming\AVG7 2008-04-05 19:33 . 2008-04-05 19:33 9,216 --a------ C:\Windows\System32\avgwlntf.dll 2008-04-05 14:50 . 2008-04-05 19:35 d-------- C:\Program Files\COMODO 2008-04-05 14:45 . 2008-04-06 08:06 d-------- C:\Users\All Users\Avg7 2008-04-05 14:45 . 2008-04-06 08:06 d-------- C:\ProgramData\Avg7 2008-04-05 09:07 . 2007-02-22 22:19 172,032 --a------ C:\Windows\System32\igfxres.dll 2008-04-05 09:03 . 2008-04-05 09:03 d-------- C:\Intel 2008-04-05 09:03 . 2006-12-13 03:17 3,276,800 --a------ C:\Windows\System32\igfxress.dll 2008-04-05 09:03 . 2006-12-13 03:16 212,992 --a------ C:\Windows\System32\igfxdev.dll 2008-04-05 09:03 . 2007-02-22 23:44 204,800 --a------ C:\Windows\System32\igfxCoIn_v1214.dll 2008-04-05 09:03 . 2006-12-13 03:16 196,608 --a------ C:\Windows\System32\igfxsrvc.exe 2008-04-05 09:03 . 2006-12-13 03:16 155,648 --a------ C:\Windows\System32\igfxpph.dll 2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\Users\Murlin Wei\AppData\Roaming\Apple Computer 2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\Users\All Users\Apple Computer 2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\ProgramData\Apple Computer 2008-04-04 21:01 . 
2008-04-04 21:01 d-------- C:\Program Files\QuickTime 2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\Program Files\iPod 2008-04-04 21:01 . 2008-04-07 16:47 54,156 --ah----- C:\Windows\QTFont.qfn 2008-04-04 21:01 . 2008-04-04 21:01 1,409 --a------ C:\Windows\QTFont.for 2008-04-04 21:00 . 2008-04-04 21:00 d-------- C:\Users\All Users\Apple 2008-04-04 21:00 . 2008-04-04 21:00 d-------- C:\ProgramData\Apple 2008-04-04 21:00 . 2008-04-04 21:00 d-------- C:\Program Files\Common Files\Apple 2008-04-04 21:00 . 2008-04-04 21:00 d-------- C:\Program Files\Apple Software Update 2008-04-04 20:39 . 2008-04-04 20:39 d-------- C:\Program Files\Real 2008-04-04 20:39 . 2008-04-04 20:39 d-------- C:\Program Files\Common Files\xing shared 2008-04-04 20:39 . 2008-04-04 20:39 d-------- C:\Program Files\Common Files\Real 2008-04-04 15:31 . 2008-04-04 15:31 d-------- C:\Users\Murlin Wei\AppData\Roaming\Microsoft Game Studios 2008-04-02 19:26 . 2008-04-02 19:26 41,296 --a------ C:\Windows\System32\xfcodec.dll 2008-03-31 17:00 . 2008-03-31 17:00 d-------- C:\Users\Murlin Wei\AppData\Roaming\InstallShield 2008-03-29 17:45 . 2008-03-29 17:45 d-------- C:\Program Files\Ken Salter 2008-03-29 16:23 . 2008-03-29 16:23 d-------- C:\Users\Murlin Wei\AppData\Roaming\Ethereal 2008-03-29 16:21 . 2008-03-29 16:21 d-------- C:\Temp 2008-03-29 16:21 . 2008-03-29 16:21 d-------- C:\Program Files\Ethereal 2008-03-29 16:21 . 2008-03-29 16:21 d-------- C:\Program Files\AirSnare 2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx 2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\Windows\System32\QuickTime.qts 2008-03-27 18:33 . 2008-03-27 18:33 1,024 --a------ C:\Windows\utraffic1.lic 2008-03-26 16:50 . 2008-03-26 16:50 1,107 --a------ C:\Windows\mozver.dat 2008-03-25 18:20 . 2008-03-25 18:20 d-------- C:\Windows\System32\Adobe 2008-03-24 21:04 . 2008-03-24 21:04 d-------- C:\Program Files\7-Zip 2008-03-23 20:33 . 
2008-03-23 20:33 2,048 --a------ C:\Windows\atr72-500.lic 2008-03-23 18:44 . 2008-03-23 18:44 d-------- C:\Program Files\Dragonfly 2008-03-23 07:47 . 2008-03-23 07:52 d-------- C:\Windows\Lhsp 2008-03-22 21:21 . 2008-03-22 21:22 d-------- C:\Program Files\FSFDT 2008-03-22 16:27 . 2008-03-22 16:27 d-------- C:\Program Files\XviD 2008-03-22 16:26 . 2008-03-25 16:58 d-------- C:\Program Files\Common Files\GC Install 2008-03-22 14:57 . 2008-04-08 15:27 d-------- C:\Users\Murlin Wei\AppData\Roaming\SiteAdvisor 2008-03-22 14:57 . 2008-03-22 14:57 d-------- C:\Users\All Users\SiteAdvisor 2008-03-22 14:57 . 2008-03-22 14:57 d-------- C:\Users\All Users\McAfee 2008-03-22 14:57 . 2008-03-22 14:57 d-------- C:\ProgramData\SiteAdvisor 2008-03-22 14:57 . 2008-03-22 14:57 d-------- C:\ProgramData\McAfee 2008-03-22 14:20 . 2008-03-22 14:20 d-------- C:\Users\All Users\Adobe 2008-03-22 13:56 . 2008-03-22 13:56 d-------- C:\Program Files\GARMIN 2008-03-22 13:55 . 1997-11-19 15:49 303,616 --a------ C:\Windows\IsUninst.exe 2008-03-22 13:54 . 2008-03-22 13:54 2,048 --a------ C:\Windows\dfa36.lic 2008-03-22 07:49 . 2008-03-22 07:51 3,675 --a------ C:\Windows\aitt.ini 2008-03-21 16:29 . 2008-03-21 16:37 d-------- C:\Users\All Users\Lavasoft 2008-03-21 16:29 . 2008-03-21 16:37 d-------- C:\ProgramData\Lavasoft 2008-03-21 15:51 . 2008-03-21 15:51 d-------- C:\Users\Murlin Wei\AppData\Roaming\Grisoft 2008-03-21 15:51 . 2007-05-30 08:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys 2008-03-21 09:49 . 2008-04-05 08:59 d-------- C:\Program Files\Realtek 2008-03-21 09:49 . 2006-09-12 00:34 499,712 --a------ C:\Windows\RtlExUpd.dll 2008-03-20 15:40 . 2008-03-20 15:40 d-------- C:\Users\Murlin Wei\{aa0d5936-10b8-4d4e-b491-2ffd51f2ccbe} 2008-03-20 15:15 . 2008-03-20 15:15 dr-h----- C:\MSOCache 2008-03-19 20:56 . 2008-01-19 03:35 9,847,296 --a------ C:\Windows\System32\NlsData000a.dll 2008-03-19 20:55 . 
2008-01-19 02:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL 2008-03-18 20:32 . 2008-03-18 20:32 d-------- C:\Windows\System32\VC 2008-03-18 20:32 . 2008-03-18 20:32 d-------- C:\Windows\System32\MinGW 2008-03-18 20:32 . 2008-03-18 20:32 d-------- C:\Windows\System32\Builder5 2008-03-18 20:22 . 2008-03-18 20:26 155,648 --a------ C:\Windows\System32\libssl32.dll 2008-03-18 18:32 . 2008-03-18 18:32 286,720 --a------ C:\Windows\iun506.exe 2008-03-17 15:34 . 2008-03-17 15:34 d-------- C:\Users\Murlin Wei\AppData\Roaming\eMule 2008-03-17 15:34 . 2008-04-04 18:16 d-------- C:\Users\All Users\eMule 2008-03-17 15:34 . 2008-04-04 18:16 d-------- C:\ProgramData\eMule 2008-03-16 14:12 . 2008-03-16 14:12 4 --a------ C:\Windows\startup_BBCP.ini 2008-03-16 14:03 . 2008-03-16 14:03 d-------- C:\Users\All Users\Ubisoft 2008-03-16 14:03 . 2008-03-16 14:03 d-------- C:\ProgramData\Ubisoft 2008-03-16 14:03 . 2008-03-16 14:03 d-------- C:\Program Files\Microsoft Speech SDK 5.1 2008-03-16 14:03 . 2008-03-16 14:03 d-------- C:\Program Files\IL2 Sturmovik 2008-03-16 14:03 . 2008-03-16 14:03 d-------- C:\Program Files\IL-2 Sturmovik Forgotten Battles 2008-03-16 14:03 . 2004-03-29 17:23 90,112 --a------ C:\Windows\unvise32.exe 2008-03-16 10:43 . 2008-03-29 16:21 d-------- C:\Program Files\WinPcap 2008-03-15 07:21 . 2008-03-15 07:21 176,937 --a------ C:\Windows\Sky Environment Ultra FS9 Uninstaller.exe 2008-03-13 16:36 . 2008-03-13 16:36 d-------- C:\Program Files\Bevelstone Production 2008-03-13 16:16 . 2008-03-15 18:22 d-------- C:\Program Files\Common Files\InstallShield 2008-03-13 15:11 . 2008-03-13 15:11 d-------- C:\Program Files\Common Files\Macrovision Shared 2008-03-13 15:10 . 2008-03-22 14:20 d-------- C:\Program Files\Common Files\Adobe 2008-03-13 15:09 . 2008-03-13 15:09 d-------- C:\Program Files\Microsoft Silverlight 2008-03-12 20:41 . 2008-03-12 20:41 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf 2008-03-12 16:48 . 
2008-03-12 16:48 d-------- C:\Program Files\DocPad
. (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-04-08 19:32 --------- d-----w C:\ProgramData\Xfire 2008-04-08 19:32 --------- d-----w C:\Program Files\Xfire 2008-04-08 00:12 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Xfire 2008-04-07 22:27 179,034,213 ----a-w C:\Windows\DUMP449a.tmp 2008-04-06 23:11 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\uTorrent 2008-04-06 17:17 --------- d-----w C:\Program Files\SUPERAntiSpyware 2008-04-06 13:54 --------- d---a-w C:\ProgramData\TEMP 2008-04-06 13:54 --------- d-----w C:\Program Files\SpywareBlaster 2008-04-05 23:33 --------- d-----w C:\ProgramData\Grisoft 2008-04-05 12:59 319,984 ----a-w C:\Windows\DIFxAPI.dll 2008-04-01 20:27 737,280 ----a-w C:\Windows\iun6002.exe 2008-03-31 21:00 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-03-30 22:54 --------- d-----w C:\Program Files\IEPro 2008-03-29 17:25 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Winamp 2008-03-23 19:04 1,392,304 ----a-w C:\Windows\System32\AutoPartNt.exe 2008-03-23 19:01 114,048 ----a-w C:\Windows\system32\drivers\snapman.sys 2008-03-23 19:01 --------- d-----w C:\Program Files\Common Files\Acronis 2008-03-23 19:01 --------- d-----w C:\Program Files\Acronis 2008-03-22 18:48 --------- d-----w C:\Program Files\Java 2008-03-22 16:54 --------- d-----w C:\Program Files\FS Real Time 2008-03-21 20:33 12,632 ----a-w C:\Windows\System32\lsdelete.exe 2008-03-21 20:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-03-20 01:20 174 --sha-w C:\Program Files\desktop.ini 2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Sidebar 2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Photo Gallery 2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Mail 2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Defender 2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Calendar 2008-03-20 
01:05 82,432 ----a-w C:\Windows\System32\axaltocm.dll 2008-03-20 01:05 101,888 ----a-w C:\Windows\System32\ifxcardm.dll 2008-03-20 00:17 --------- d-----w C:\Program Files\Microsoft Games 2008-03-09 01:03 169,109 ----a-w C:\Windows\system32\drivers\scskusbs.sys 2008-03-09 01:03 11,385 ----a-w C:\Windows\system32\drivers\scskusbf.sys 2008-03-06 21:25 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\NPLUTO Corporation 2008-03-05 21:03 479,752 ----a-w C:\Windows\System32\XAudio2_0.dll 2008-03-05 21:03 238,088 ----a-w C:\Windows\System32\xactengine3_0.dll 2008-03-05 21:00 25,608 ----a-w C:\Windows\System32\X3DAudio1_3.dll 2008-03-05 20:56 3,786,760 ----a-w C:\Windows\System32\D3DX9_37.dll 2008-03-05 20:56 1,420,824 ----a-w C:\Windows\System32\D3DCompiler_37.dll 2008-03-03 00:21 --------- d-----w C:\Program Files\OO Software 2008-03-02 19:51 --------- d-----w C:\Program Files\SwiftSwitch 2008-03-02 19:32 --------- d-----w C:\ProgramData\SwiftSwitch 2008-03-02 16:09 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Ventrilo 2008-03-02 12:12 --------- d-----w C:\Program Files\FSFlyingSchool 2008-03-02 02:32 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\HiFi 2008-03-01 19:37 --------- d-----w C:\Program Files\FOC 2003 2008-02-29 20:20 --------- d-----w C:\Program Files\Runtime Software 2008-02-29 00:23 --------- d-----w C:\Program Files\Recuva 2008-02-28 21:55 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\SUPERAntiSpyware.com 2008-02-28 21:55 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com 2008-02-28 15:45 230,152 ----a-w C:\Windows\System32\PDBoot.exe 2008-02-27 00:10 --------- d-----w C:\Program Files\RegSeeker 2008-02-26 23:34 --------- d-----w C:\Program Files\Shockwave 3D Lights Redux for FS9 2008-02-24 12:35 --------- d-----w C:\Program Files\DivX 2008-02-21 02:45 --------- d-----w C:\Program Files\SquawkBox3 2008-02-21 02:05 200,704 ----a-w C:\Windows\System32\ssldivx.dll 2008-02-21 02:05 1,044,480 ----a-w 
C:\Windows\System32\libdivx.dll 2008-02-19 08:24 7,808 ----a-w C:\Windows\system32\drivers\psi_mf.sys 2008-02-19 01:58 316,768 ----a-w C:\Windows\System32\sayax.dll 2008-02-19 00:50 --------- d-----w C:\Program Files\Microsoft Works 2008-02-18 15:14 --------- d-----w C:\Program Files\MSXML 4.0 2008-02-18 11:57 --------- d-----w C:\Program Files\rcv4 2008-02-17 20:15 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Flight1 2008-02-17 18:10 202,149 ----a-w C:\Windows\Water Details FS 2004 Uninstaller.exe 2008-02-17 16:21 --------- d-----w C:\Program Files\Flight One Software 2008-02-16 16:43 --------- d-----w C:\Program Files\Intel 2008-02-16 16:40 --------- d-----w C:\Program Files\Belarc 2008-02-15 19:22 59,392 ----a-w C:\Windows\system32\drivers\RTSTOR.sys 2008-02-14 01:17 --------- d-----w C:\Program Files\Microsoft ActiveSync 2008-02-14 01:17 --------- d-----w C:\Program Files\Common Files\L&H 2008-02-14 01:16 --------- d-----w C:\Program Files\Microsoft.NET 2008-02-13 13:01 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\OpenOffice.org2 2008-02-12 23:40 6,656 ----a-w C:\Windows\System32\kbd106n.dll 2008-02-12 21:59 --------- d-----w C:\ProgramData\Abacus 2008-02-12 18:36 --------- d-----w C:\Program Files\Common Files\InstallShieldCrap 2008-02-11 15:55 147,456 ----a-w C:\Windows\System32\igfxCoIn_v1437.dll 2008-02-11 15:34 29,932 ----a-w C:\Windows\System32\igmedcompkrn.bin 2008-02-11 15:34 2,215,364 ----a-w C:\Windows\System32\igklg400.bin 2008-02-11 15:34 1,971,732 ----a-w C:\Windows\System32\igklg450.bin 2008-02-11 00:19 --------- d-----w C:\Program Files\Ventrilo 2008-02-10 17:11 543 ----a-w C:\Program Files\INSTALL.LOG 2008-02-10 14:03 --------- d-----w C:\Program Files\Common Files\SWF Studio 2008-02-09 19:25 --------- d-----w C:\Program Files\Common Files\INCA Shared 2008-02-06 04:07 462,864 ----a-w C:\Windows\System32\d3dx10_37.dll 2008-01-29 16:02 107,368 ----a-w C:\Windows\System32\GEARAspi.dll 2008-01-19 07:44 986,680 ----a-w 
C:\Windows\System32\winload.exe 2008-01-19 07:44 926,776 ----a-w C:\Windows\System32\winresume.exe 2008-01-19 07:43 614,968 ----a-w C:\Windows\System32\ci.dll 2008-01-19 07:43 376,376 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll 2008-01-19 07:43 3,600,440 ----a-w C:\Windows\System32\ntkrnlpa.exe 2008-01-19 07:43 3,548,728 ----a-w C:\Windows\System32\ntoskrnl.exe 2008-01-19 07:42 94,776 ----a-w C:\Windows\System32\MigAutoPlay.exe 2008-01-19 07:42 51,768 ----a-w C:\Windows\System32\PSHED.DLL 2008-01-19 07:42 247,352 ----a-w C:\Windows\System32\clfs.sys 2008-01-19 07:42 177,208 ----a-w C:\Windows\System32\halmacpi.dll 2008-01-19 07:42 141,880 ----a-w C:\Windows\System32\halacpi.dll 2008-01-19 07:41 24,120 ----a-w C:\Windows\System32\BOOTVID.DLL 2008-01-19 07:41 21,560 ----a-w C:\Windows\System32\kdusb.dll 2008-01-19 07:41 19,512 ----a-w C:\Windows\System32\kdcom.dll 2008-01-19 07:38 46,080 ----a-w C:\Windows\System32\NAPCRYPT.DLL .
((((((((((((((((((((((((((((( snapshot@2008-04-06_19.39.55.30 ))))))))))))))))))))))))))))))))))))))))) . - 2008-04-06 23:37:39 67,584 --s-a-w C:\Windows\bootstat.dat + 2008-04-08 19:32:09 67,584 --s-a-w C:\Windows\bootstat.dat - 2008-04-06 23:17:13 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat + 2008-04-08 18:42:55 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat - 2008-04-06 23:37:49 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT + 2008-04-08 19:32:33 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT + 2008-04-08 19:32:33 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 - 2008-04-06 23:33:53 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat + 2008-04-08 19:28:41 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat - 2008-04-06 23:37:49 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT + 2008-04-08 19:32:33 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT + 2008-04-08 19:32:33 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 - 2008-04-06 23:34:10 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat + 2008-04-08 19:28:50 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat - 2008-04-06 18:06:50 108,178 ----a-w C:\Windows\System32\perfc009.dat + 2008-04-07 22:34:13 108,178 ----a-w C:\Windows\System32\perfc009.dat - 2008-04-06 18:06:50 629,252 ----a-w C:\Windows\System32\perfh009.dat + 2008-04-07 22:34:13 629,252 ----a-w C:\Windows\System32\perfh009.dat - 2008-04-06 18:04:09 8,110 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2738104663-2755392700-2221383480-1000_UserData.bin + 2008-04-07 22:29:38 8,468 ----a-w 
C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2738104663-2755392700-2221383480-1000_UserData.bin - 2008-04-06 18:04:08 59,130 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin + 2008-04-07 22:29:38 59,434 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 03:33 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 03:38 1008184] "IgfxTray"="C:\Windows\system32\igfxtray.exe" [2006-12-13 03:17 98304] "HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2006-12-13 03:19 106496] "Persistence"="C:\Windows\system32\igfxpers.exe" [2006-12-13 03:17 81920] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-05 19:33 579072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-05 19:33 219136]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf] avgwlntf.dll 2008-04-05 19:33 9216 C:\Windows\System32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 relog_ap
[HKLM\~\startupfolder\C:^Users^Murlin Wei^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk] path=C:\Users\Murlin Wei\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk backup=C:\Windows\pss\OpenOffice.org 2.3.lnk.Startup backupExtension=.Startup
[HKLM\~\startupfolder\C:^Users^Murlin Wei^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Secunia PSI (RC1).lnk] path=C:\Users\Murlin Wei\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI (RC1).lnk backup=C:\Windows\pss\Secunia PSI (RC1).lnk.Startup backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware] --a------ 2007-06-11 05:25 6731312 H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service] --a------ 2007-02-16 19:49 149024 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor] --a------ 2007-02-16 19:57 1945960 C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2008-01-11 22:16 39792 H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite] --a------ 2008-01-17 12:51 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] --a------ 2006-12-13 03:19 106496 C:\Windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] --a------ 2006-12-13 03:17 98304 C:\Windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-03-30 10:36 267048 H:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray] --a------ 2007-05-11 03:08 2512392 C:\Windows\system32\oodtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence] --a------ 2006-12-13 03:17 81920 C:\Windows\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE] --a------ 2007-08-06 20:05 200704 H:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rapget] E:\Flight Simulator Software\rapget140\rapget.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl] --a------ 2006-12-01 00:37 4186112 C:\Windows\RtHDVCpl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware] --a------ 2008-04-06 13:17 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2008-04-04 20:39 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe] --a------ 2007-02-16 19:45 1169776 C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter] --a------ 2008-01-19 03:36 2153472 C:\Windows\System32\oobefldr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG] --a------ 2008-01-19 03:33 202240 C:\Program Files\Windows Media Player\WMPNSCFG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2738104663-2755392700-2221383480-1000] "EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules] "TCP Query User{61455193-5548-4882-BB4F-1FFC86E41172}C:\\ijji\\english\\u_skid.exe"= UDP:C:\ijji\english\u_skid.exe: "UDP Query User{6099BF92-BFC5-416D-AEC6-DA00AFB25A65}C:\\ijji\\english\\u_skid.exe"= TCP:C:\ijji\english\u_skid.exe: "TCP Query User{7E27783F-27CC-4E95-8A1E-47091E0453EF}K:\\program files\\driftcity\\driftcity.exe"= UDP:K:\program files\driftcity\driftcity.exe:DriftCity "UDP Query User{68C2CEBB-F1D1-4589-A707-19610F1F7E77}K:\\program files\\driftcity\\driftcity.exe"= TCP:K:\program files\driftcity\driftcity.exe:DriftCity "TCP Query User{FE38E010-F2C0-4967-83FD-96B25A3F5B30}C:\\ijji\\english\\u_sf\\soldierfront.exe"= UDP:C:\ijji\english\u_sf\soldierfront.exe:soldierfront "UDP Query User{19A69707-47F5-4ED8-A3D4-D983B5833183}C:\\ijji\\english\\u_sf\\soldierfront.exe"= TCP:C:\ijji\english\u_sf\soldierfront.exe:soldierfront "TCP Query User{B66503DB-7D5D-4DE9-9921-A25C9F1EA5AB}H:\\program files\\driftcity\\driftcity.exe"= UDP:H:\program files\driftcity\driftcity.exe:DriftCity "UDP Query User{14612DD0-8A9C-44A2-9B51-5491B5A88018}H:\\program files\\driftcity\\driftcity.exe"= TCP:H:\program files\driftcity\driftcity.exe:DriftCity "TCP Query User{A8D6E0B6-86C5-4D81-9FDF-F0378CD75F37}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire "UDP Query User{5DC64609-489B-4CCD-8BDC-DA888571FCC7}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire "{17C23B69-DBF2-487A-A532-7D9ABF255A9E}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent "{94906B86-E338-4979-ADE4-B4200BD59672}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent "TCP Query User{30964450-8A26-40BA-A03B-E0D17BDCC6BB}G:\\program files\\microsoft games\\flight simulator 9\\fs9.exe"= UDP:G:\program files\microsoft games\flight simulator 9\fs9.exe:Microsoft Flight Simulator "UDP Query User{426ADF18-258D-442E-B866-DE3813E88673}G:\\program files\\microsoft games\\flight simulator 
9\\fs9.exe"= TCP:G:\program files\microsoft games\flight simulator 9\fs9.exe:Microsoft Flight Simulator "{0E586831-FC73-45B0-9F08-096BF0D40C38}"= UDP:80:80 "{34AD0E95-78FA-44A3-A14A-4A598E511536}"= TCP:80:80 "{28CEFC0F-00A3-4EAB-9D8B-9D64D7265705}"= UDP:6112:6112 "{991C1B7E-6DA8-49BB-9C14-B6C74730B50A}"= TCP:6112:6112 "{8A3679AF-CD19-4CE2-A038-9DE3E3E5A34B}"= UDP:54789:54789 "{8C63877E-7C19-4DA5-B287-AA6D0F8CFC28}"= TCP:54789:54789 "TCP Query User{58038DE4-2BB8-41E1-8189-030A5E823718}H:\\nexon\\maplestory\\patcher.exe"= UDP:H:\nexon\maplestory\patcher.exe:Patcher MFC ?? ???? "UDP Query User{41D9A998-FD0B-4C1B-A90E-B0F2BED2BFC4}H:\\nexon\\maplestory\\patcher.exe"= TCP:H:\nexon\maplestory\patcher.exe:Patcher MFC ?? ???? "TCP Query User{57B550CD-25EA-460B-AE48-681C32F87C39}H:\\nexon\\maplestory\\maplestory.exe"= UDP:H:\nexon\maplestory\maplestory.exe:MapleStory "UDP Query User{609320D2-5ECE-4286-8362-B486263DA9E3}H:\\nexon\\maplestory\\maplestory.exe"= TCP:H:\nexon\maplestory\maplestory.exe:MapleStory "TCP Query User{83AB73F7-1946-4300-A08C-DB73E9369C8F}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer "UDP Query User{48ACEBD7-DC97-4FF2-BB6F-704618FB53B2}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer "1c9b3cdd-3bce-43a9-881b-5fb372fe469c"= "TCP Query User{6A3FA9AA-E952-4D4D-8FD7-FC7ED8BD727F}H:\\program files\\america's army\\system\\armyops.exe"= UDP:H:\program files\america's army\system\armyops.exe:ArmyOps "UDP Query User{BEB13D38-D94C-4F4C-9245-7E48245BFA1D}H:\\program files\\america's army\\system\\armyops.exe"= TCP:H:\program files\america's army\system\armyops.exe:ArmyOps "TCP Query User{50F33169-380A-49AF-81BE-7C6E8C8C2451}C:\\windows\\system32\\dpnsvr.exe"= UDP:C:\windows\system32\dpnsvr.exe:Microsoft DirectPlay8 Server "UDP Query User{DF0B00AF-395E-4FA4-B850-2BD9EF20F7ED}C:\\windows\\system32\\dpnsvr.exe"= 
TCP:C:\windows\system32\dpnsvr.exe:Microsoft DirectPlay8 Server "TCP Query User{5021BF18-01CD-4258-97B4-0C63DB4C1B7E}C:\\program files\\fsfdt\\control panel\\fsfdtcp.exe"= UDP:C:\program files\fsfdt\control panel\fsfdtcp.exe:FSFDT Control Panel "UDP Query User{3DB1FC88-0596-4F01-A186-E39F227CE84D}C:\\program files\\fsfdt\\control panel\\fsfdtcp.exe"= TCP:C:\program files\fsfdt\control panel\fsfdtcp.exe:FSFDT Control Panel "TCP Query User{1AB14382-F73F-48C9-B315-3EE9B8CB2694}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox "UDP Query User{17CAEFA6-0C1E-42AC-978B-C4A6CBAAC66B}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox "eb8b0e56-37ab-4db7-9f9e-1a1d6608d4e0"= %ProgramFiles%\FSFDT\FSInn UI\FSInnUI.exe:FSINN "UDP Query User{D86A64A0-98DB-45F2-B30E-9C99810EA427}C:\\program files\\fsfdt\\fwinn\\fwinn.exe"= C:\program files\fsfdt\fwinn\fwinn.exe:FSInn Application "TCP Query User{F3FF54FA-890C-4280-937A-E4B25DFDC64A}C:\\program files\\fsfdt\\fwinn\\fwinn.exe"= C:\program files\fsfdt\fwinn\fwinn.exe:FSInn Application "5d038ed9-b69c-43ca-9e9d-361f03d7074d"= %ProgramFiles%\FSFDT\Control Panel\FSFDTCP.exe:FSUDCP "09c2c1b0-5d17-4e76-8c53-65f0895ca6d1"= UDP:3782|LPort=3290|LPort=3783|LPort=6809:SQ "3a769932-0d65-4226-8f87-9af21c6399fa"= TCP:3782|LPort=3290|LPort=3783|LPort=6809:SQ1 "7bda4004-dec1-4e68-ae03-4b18dca28327"= TCP:32062:FSINN "TCP Query User{7BA25555-49F6-4C6F-A3BE-B1091A7CD7E6}C:\\program files\\swiftswitch\\swiftswitch.exe"= UDP:C:\program files\swiftswitch\swiftswitch.exe:Utility for RuneScape "UDP Query User{F3D3B80D-3F35-4E98-BAE6-FFC8C8B398CB}C:\\program files\\swiftswitch\\swiftswitch.exe"= TCP:C:\program files\swiftswitch\swiftswitch.exe:Utility for RuneScape "TCP Query User{2E3A70D7-0AC2-4254-B11B-0A2EC31E6D05}H:\\program files\\dragonfly\\special force\\specialforce.exe"= UDP:H:\program files\dragonfly\special 
force\specialforce.exe:SpecialForce "UDP Query User{6137764F-CAE8-4517-AF49-6CB2607C5DB8}H:\\program files\\dragonfly\\special force\\specialforce.exe"= TCP:H:\program files\dragonfly\special force\specialforce.exe:SpecialForce "TCP Query User{0D1EF090-833B-4967-9D45-EAF64C49861F}C:\\ijji\\english\\gunz\\gunz.exe"= UDP:C:\ijji\english\gunz\gunz.exe:Gunz "UDP Query User{560CD26A-B4D8-4DD6-9AF8-BA438C3E071D}C:\\ijji\\english\\gunz\\gunz.exe"= TCP:C:\ijji\english\gunz\gunz.exe:Gunz "TCP Query User{63EC054C-903B-40D8-A36F-D2F80B55FF3D}C:\\users\\murlin wei\\desktop\\fshost32\\fshost32.exe"= UDP:C:\users\murlin wei\desktop\fshost32\fshost32.exe:fshost32.exe "UDP Query User{D8E76696-D62C-4EBD-8A08-5450B40122C9}C:\\users\\murlin wei\\desktop\\fshost32\\fshost32.exe"= TCP:C:\users\murlin wei\desktop\fshost32\fshost32.exe:fshost32.exe "TCP Query User{854A4DB3-1DFB-4B87-A7E0-AEA6B9C0074B}C:\\windows\\system32\\dplaysvr.exe"= UDP:C:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper "UDP Query User{A36A3890-68AE-4E2D-BC3B-FDAC339499B3}C:\\windows\\system32\\dplaysvr.exe"= TCP:C:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper "TCP Query User{2D0919A8-6553-4CDF-A595-A46EF1D2F4D3}C:\\program files\\dragonfly\\special force\\specialforce.exe"= UDP:C:\program files\dragonfly\special force\specialforce.exe:specialforce "UDP Query User{BC4A08A4-5B7E-4662-810F-1D9F1662B2AC}C:\\program files\\dragonfly\\special force\\specialforce.exe"= TCP:C:\program files\dragonfly\special force\specialforce.exe:specialforce "{73852E8D-6030-4943-9978-138A7E864BD9}"= UDP:C:\Windows\Temp\~osCD95.tmp\ossproxy.exe:ossproxy.exe "{43868274-2029-4933-8F1C-885F387F06D2}"= UDP:C:\Windows\Temp\~osDBBC.tmp\ossproxy.exe:ossproxy.exe "{607558EF-6597-4863-8D25-F007069A2EC9}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent "{46E5FDB3-D48D-4321-B224-C365CF959155}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent "{9B21F62D-DF09-44A2-BD05-BC7EEE8742C9}"= UDP:C:\Program 
Files\Bonjour\mDNSResponder.exe:Bonjour "{68F77BA3-1444-44C8-AC53-D586A7FD787C}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour "{48866029-02D4-420C-AF33-2058433DC7D9}"= UDP:H:\Program Files\iTunes\iTunes.exe:iTunes "{AB169B2B-5F22-47D8-B596-C06720D2E476}"= TCP:H:\Program Files\iTunes\iTunes.exe:iTunes "TCP Query User{37AFDF7F-9FEF-441B-B24D-75F2E325B8C7}H:\\program files\\azureus\\azureus.exe"= UDP:H:\program files\azureus\azureus.exe:Azureus "UDP Query User{2414528D-9012-4CCF-B04D-4D7AC667B755}H:\\program files\\azureus\\azureus.exe"= TCP:H:\program files\azureus\azureus.exe:Azureus "TCP Query User{9225565D-E33E-467E-9533-ED9B2675E3C6}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus "UDP Query User{9F98D73A-65DD-4D0E-B968-DC1D3C6EBAA6}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus "TCP Query User{BC712732-FEB9-4EDA-8C73-9FC226F9DB1A}H:\\program files\\counter-strike source\\hl2.exe"= UDP:H:\program files\counter-strike source\hl2.exe:hl2 "UDP Query User{57A7C5E6-CBE4-4652-AFEF-DCFD72CBE342}H:\\program files\\counter-strike source\\hl2.exe"= TCP:H:\program files\counter-strike source\hl2.exe:hl2
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 12:43]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-12-13 04:32]
R3 RTSTOR;USB Mass Storage Device;C:\Windows\system32\drivers\RTSTOR.SYS [2008-02-15 15:22]
R3 rxpvbus;Reality XP Avionics Bus Driver;C:\Windows\system32\DRIVERS\rxpvbus.sys [2005-11-04 09:35]
S2 AcronisOSSReinstallSvc;Acronis OS Selector Reinstall Service;"C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe" [2007-02-22 19:53]
S3 HPFXBULK;HPFXBULK;C:\Windows\system32\drivers\hpfxbulk.sys [2007-06-20 03:21]
S3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys [2008-02-19 04:24]
S3 scskusbf;USB SCSK Filter Driver Service;C:\Windows\system32\drivers\scskusbf.sys [2008-03-08 21:03]
S3 scskusbs;USB SCSK Driver Service;C:\Windows\system32\drivers\scskusbs.sys [2008-03-08 21:03]
S3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 03:30]
S4 PD91Agent;PD91Agent;"C:\Program Files\Raxco\PerfectDisk\PD91Agent.exe" []
S4 PD91Engine;PD91Engine;"C:\Program Files\Raxco\PerfectDisk\PD91Engine.exe" []
S4 PD91VMDefrag;PD91VMDefrag;"C:\Program Files\Raxco\PerfectDisk\PD91VMDefrag.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] rsmsvcs REG_MULTI_SZ ntmssvc
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-04-08 15:32:40
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\oodag.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Xfire\xfire.exe
C:\Windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2008-04-08 15:33:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-08 19:33:39
ComboFix2.txt 2008-04-06 23:40:34
Pre-Run: 20,452,012,032 bytes free
Post-Run: 20,367,503,360 bytes free
.
2008-04-06 19:37:25 --- E O F ---
and MoveIt didn't find anything to move.
File/Folder # %TEMP%\ossproxy.exe not found.
File/Folder # C:\Users\ossproxy.exe not found.
OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04082008_152529

Siko
join:2006-11-27 Mechanicsburg, PA
reply to Siko
I'm sorry, but this is still going on.