Backdoor Trojan Possible Infection


11 replies to this topic

#1 admsupport

  • Members
  • 7 posts
  • Location: Japan

Posted 19 October 2008 - 10:22 PM

Anyone with falcon eyes?
ESET Smart Security scan returns nothing, Malwarebytes scan returns nothing. I see nothing in the HJT logs.
However, under some circumstances my internet connection goes awry. There is an abnormally extended list of connections when I run a NETSTAT command, and my PC keeps rebooting. Could it be a backdoor Trojan? I used the switch /Ihateblacklists. Since my hosts file is heavily edited, you can skip the "O1 -" lines.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:00, on 2008-10-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\VolumeTray\VolumeTray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Start Killer\StartKiller.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
C:\Program Files\DateInTray\DateInTray.exe
C:\Program Files\Lowrie Associates Ltd\dynamicIP\dynamicIP.exe
C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
C:\Program Files\BUFFALO\HDManage\HDManage.exe
D:\My Documents\3. PC\Tools Dow\XP Desktop Tools and Themes\Mute and Setvol\mute.exe
D:\My Documents\3. PC\Tools Dow\Process Explorer\ProcessExplorer\procexp.exe
D:\My Documents\3. PC\Tools Dow\XP Desktop Tools and Themes\PureText\PureText.exe
C:\Program Files\TechSmith\SnagIt 9\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe
C:\Program Files\TechSmith\SnagIt 9\snagiteditor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\IrfanView\i_view32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Miranda IM\miranda32.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\My Documents\3. PC\Tools Dow\Antivirus\HostsXpert\HostsXpert\HostsXpert.exe
D:\My Documents\3. PC\Tools Dow\Antivirus\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 ___id___.c.mystat-in.net
O1 - Hosts: 127.0.0.1 0.r.msn.com
O1 - Hosts: 127.0.0.1 000dom.revenuedirect.com
O1 - Hosts: 127.0.0.1 00a0-f0d5-a44e-33s6.cnc-inc.cn
O1 - Hosts: 127.0.0.1 00fun.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 011707160008.c.mystat-in.net
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 061606084448.c.mystat-in.net
O1 - Hosts: 127.0.0.1 070806142521.c.mystat-in.net
O1 - Hosts: 127.0.0.1 090906042103.c.mystat-in.net
O1 - Hosts: 127.0.0.1 092706152958.c.mystat-in.net
O1 - Hosts: 127.0.0.1 093qpeuqpmz6ebfa.com
O1 - Hosts: 127.0.0.1 0ki.ru
O1 - Hosts: 127.0.0.1 0ml.net
O1 - Hosts: 127.0.0.1 0texkax7c6hzuidk.com
O1 - Hosts: 127.0.0.1 1.9797aiai.com
O1 - Hosts: 127.0.0.1 1.adbrite.com
O1 - Hosts: 127.0.0.1 1.marketbanker.com
O1 - Hosts: 127.0.0.1 1.primaryads.com
O1 - Hosts: 127.0.0.1 1.xqhgm.com
O1 - Hosts: 127.0.0.1 100.mbn.com.ua
O1 - Hosts: 127.0.0.1 100.topnews.ru
O1 - Hosts: 127.0.0.1 10000hits.net
O1 - Hosts: 127.0.0.1 10006.hittail.com
O1 - Hosts: 127.0.0.1 10016.searchmiracle.com
O1 - Hosts: 127.0.0.1 100webads.com
O1 - Hosts: 127.0.0.1 10168.hittail.com
O1 - Hosts: 127.0.0.1 102.112.207.net
O1 - Hosts: 127.0.0.1 102.112.2o7.net
O1 - Hosts: 127.0.0.1 102.122.2o7.net
O1 - Hosts: 127.0.0.1 102106151057.c.mystat-in.net
O1 - Hosts: 127.0.0.1 103bees.com
O1 - Hosts: 127.0.0.1 1047.www1.p0rt2.com
O1 - Hosts: 127.0.0.1 10661.kit.carpediem.fr
O1 - Hosts: 127.0.0.1 10xhellometro.112.2o7.net
O1 - Hosts: 127.0.0.1 11.rtcode.com
O1 - Hosts: 127.0.0.1 11.rtstats.com
O1 - Hosts: 127.0.0.1 112006133326.c.mystat-in.net
O1 - Hosts: 127.0.0.1 117.mylongtail.com
O1 - Hosts: 127.0.0.1 11731.kit.carpediem.fr
O1 - Hosts: 127.0.0.1 1188224372.com
O1 - Hosts: 127.0.0.1 11968.www1.p0rt2.com
O1 - Hosts: 127.0.0.1 11qe.com
O1 - Hosts: 127.0.0.1 11zz.com
O1 - Hosts: 127.0.0.1 120.mbn.com.ua
O1 - Hosts: 127.0.0.1 123.fluxads.com
O1 - Hosts: 127.0.0.1 1234.2bro.com
O1 - Hosts: 127.0.0.1 12345dns.net
O1 - Hosts: 127.0.0.1 123ads.nl
O1 - Hosts: 127.0.0.1 123count.com
O1 - Hosts: 127.0.0.1 123go.com
O1 - Hosts: 127.0.0.1 123mania.com
O1 - Hosts: 127.0.0.1 123stat.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 124365.com
O1 - Hosts: 127.0.0.1 1262.hittail.com
O1 - Hosts: 127.0.0.1 12877.hittail.com
O1 - Hosts: 127.0.0.1 13175.com
O1 - Hosts: 127.0.0.1 13223.hittail.com
O1 - Hosts: 127.0.0.1 14228.hittail.com
O1 - Hosts: 127.0.0.1 14713804a.l2m.net
O1 - Hosts: 127.0.0.1 15141.hittail.com
O1 - Hosts: 127.0.0.1 1559.stats.misstrends.com
O1 - Hosts: 127.0.0.1 15694.hittail.com
O1 - Hosts: 127.0.0.1 160.mbn.com.ua
O1 - Hosts: 127.0.0.1 16565.hittail.com
O1 - Hosts: 127.0.0.1 16643.kit.carpediem.fr
O1 - Hosts: 127.0.0.1 16755.dialer.lincassa.com
O1 - Hosts: 127.0.0.1 17067.dialer.lincassa.com
O1 - Hosts: 127.0.0.1 1800.stats.misstrends.com
O1 - Hosts: 127.0.0.1 180solutions.com
O1 - Hosts: 127.0.0.1 181.365soft.info
O1 - Hosts: 127.0.0.1 1866.www1.p0rt2.com
O1 - Hosts: 127.0.0.1 1867.stats.misstrends.com
O1 - Hosts: 127.0.0.1 18girl-av.com
O1 - Hosts: 127.0.0.1 19097.hittail.com
O1 - Hosts: 127.0.0.1 192.168.112.2o7.net
O1 - Hosts: 127.0.0.1 192.168.122.2o7.net
O1 - Hosts: 127.0.0.1 19500.hittail.com
O1 - Hosts: 127.0.0.1 1amanda.info
O1 - Hosts: 127.0.0.1 1au.cqcounter.com
O1 - Hosts: 127.0.0.1 1bm.cqcounter.com
O1 - Hosts: 127.0.0.1 1ca.cqcounter.com
O1 - Hosts: 127.0.0.1 1cat.com
O1 - Hosts: 127.0.0.1 1ce18.cash-ddt.net
O1 - Hosts: 127.0.0.1 1de.cqcounter.com
O1 - Hosts: 127.0.0.1 1es.cqcounter.com
O1 - Hosts: 127.0.0.1 1fr.cqcounter.com
O1 - Hosts: 127.0.0.1 1in.cqcounter.com
O1 - Hosts: 127.0.0.1 1it.cqcounter.com
O1 - Hosts: 127.0.0.1 1jo.cqcounter.com
O1 - Hosts: 127.0.0.1 1mov.net
O1 - Hosts: 127.0.0.1 1nl.cqcounter.com
O1 - Hosts: 127.0.0.1 1pop.ru
O1 - Hosts: 127.0.0.1 1pt.cqcounter.com
O1 - Hosts: 127.0.0.1 1-se.com
O1 - Hosts: 127.0.0.1 1se.cqcounter.com
O1 - Hosts: 127.0.0.1 1sense.info
O1 - Hosts: 127.0.0.1 1speed.info
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [VolumeTray] C:\Program Files\VolumeTray\VolumeTray.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences /a favorites
O4 - HKCU\..\Run: [Start Killer] C:\Program Files\Start Killer\StartKiller.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: BUFFALO Power Save Utility for HD.lnk = C:\Program Files\BUFFALO\HDManage\HDManage.exe
O4 - Startup: Mute at Exit.lnk = D:\My Documents\3. PC\Tools Dow\XP Desktop Tools and Themes\Mute and Setvol\mute.exe
O4 - Startup: procexp.exe.lnk = D:\My Documents\3. PC\Tools Dow\Process Explorer\ProcessExplorer\procexp.exe
O4 - Startup: PureText.lnk = D:\My Documents\3. PC\Tools Dow\XP Desktop Tools and Themes\PureText\PureText.exe
O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
O4 - Global Startup: DateInTray.lnk = C:\Program Files\DateInTray\DateInTray.exe
O4 - Global Startup: Shortcut to dynamicIP.lnk = C:\Program Files\Lowrie Associates Ltd\dynamicIP\dynamicIP.exe
O4 - Global Startup: SnagIt 9.lnk = C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winrnr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rsvpsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rsvpsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O18 - Filter: application/octet-stream - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll
O18 - Filter: application/x-complus - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll
O18 - Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - (no file)
O18 - Filter: application/x-msdownload - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll
O18 - Filter: Class Install Handler - {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\SHELL32.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\SHELL32.dll
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\SHELL32.dll
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Alerter - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Application Layer Gateway Service (ALG) - Microsoft Corporation - C:\WINDOWS\System32\alg.exe
O23 - Service: Application Management (AppMgmt) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Microsoft Corporation - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Windows Audio (AudioSrv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Computer Browser (Browser) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
O23 - Service: Indexing Service (CiSvc) - Microsoft Corporation - C:\WINDOWS\system32\cisvc.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Microsoft Corporation - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
O23 - Service: COM+ System Application (COMSysApp) - Microsoft Corporation - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Cryptographic Services (CryptSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: DHCP Client (Dhcp) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Logical Disk Manager (dmserver) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: DNS Client (Dnscache) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Error Reporting Service (ERSvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Event Log (Eventlog) - Microsoft Corporation - C:\WINDOWS\system32\services.exe
O23 - Service: COM+ Event System (EventSystem) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Fax - Microsoft Corporation - C:\WINDOWS\system32\fxssvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Windows Presentation Foundation Font Cache 3.0.0.0 (FontCache3.0.0.0) - Microsoft Corporation - C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
O23 - Service: Help and Support (helpsvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: HID Input Service (HidServ) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: HTTP SSL (HTTPFilter) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Windows CardSpace (idsvc) - Microsoft Corporation - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
O23 - Service: IIS Admin (IISADMIN) - Microsoft Corporation - C:\WINDOWS\system32\inetsrv\inetinfo.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Microsoft Corporation - C:\WINDOWS\system32\imapi.exe
O23 - Service: Server (lanmanserver) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Workstation (lanmanworkstation) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Machine Debug Manager (MDM) - Microsoft Corporation - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
O23 - Service: Messenger - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Microsoft Corporation - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Microsoft Corporation - C:\WINDOWS\system32\msdtc.exe
O23 - Service: FTP Publishing (MSFtpsvc) - Microsoft Corporation - C:\WINDOWS\system32\inetsrv\inetinfo.exe
O23 - Service: Windows Installer (MSIServer) - Microsoft Corporation - C:\WINDOWS\system32\msiexec.exe
O23 - Service: Net Logon (Netlogon) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Network Connections (Netman) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Removable Storage (NtmsSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Microsoft Office Diagnostics Service (odserv) - Microsoft Corporation - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
O23 - Service: Office Source Engine (ose) - Microsoft Corporation - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
O23 - Service: Plug and Play (PlugPlay) - Microsoft Corporation - C:\WINDOWS\system32\services.exe
O23 - Service: IPSEC Services (PolicyAgent) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Protected Storage (ProtectedStorage) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Access Connection Manager (RasMan) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Microsoft Corporation - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Registry (RemoteRegistry) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Microsoft Corporation - C:\WINDOWS\system32\locator.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: QoS RSVP (RSVP) - Microsoft Corporation - C:\WINDOWS\system32\rsvp.exe
O23 - Service: Security Accounts Manager (SamSs) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Smart Card (SCardSvr) - Microsoft Corporation - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Task Scheduler (Schedule) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Secondary Logon (seclogon) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: System Event Notification (SENS) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Print Spooler (Spooler) - Microsoft Corporation - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: System Restore Service (srservice) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: SSDP Discovery Service (SSDPSRV) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Microsoft Corporation - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Microsoft Corporation - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telephony (TapiSrv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Terminal Services (TermService) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Themes - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Universal Plug and Play Device Host (upnphost) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Microsoft Corporation - C:\WINDOWS\System32\ups.exe
O23 - Service: Volume Shadow Copy (VSS) - Microsoft Corporation - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Windows Time (W32Time) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: World Wide Web Publishing (W3SVC) - Microsoft Corporation - C:\WINDOWS\system32\inetsrv\inetinfo.exe
O23 - Service: WebClient - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Defender (WinDefend) - Microsoft Corporation - C:\Program Files\Windows Defender\MsMpEng.exe
O23 - Service: Windows Management Instrumentation (winmgmt) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Microsoft Corporation - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Microsoft Corporation - C:\Program Files\Windows Media Player\WMPNetwk.exe
O23 - Service: Security Center (wscsvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Automatic Updates (wuauserv) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Network Provisioning Service (xmlprov) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe

--
End of file - 32527 bytes

***************************************

StartupList report, 2008-10-20, 12:15:02
StartupList version: 1.52.2
Started from : D:\My Documents\3. PC\Tools Dow\Antivirus\Hijack This\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v8.00 (8.00.6001.18241)
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\VolumeTray\VolumeTray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Start Killer\StartKiller.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
C:\Program Files\DateInTray\DateInTray.exe
C:\Program Files\Lowrie Associates Ltd\dynamicIP\dynamicIP.exe
C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
C:\Program Files\BUFFALO\HDManage\HDManage.exe
D:\My Documents\3. PC\Tools Dow\XP Desktop Tools and Themes\Mute and Setvol\mute.exe
D:\My Documents\3. PC\Tools Dow\Process Explorer\ProcessExplorer\procexp.exe
D:\My Documents\3. PC\Tools Dow\XP Desktop Tools and Themes\PureText\PureText.exe
C:\Program Files\TechSmith\SnagIt 9\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe
C:\Program Files\TechSmith\SnagIt 9\snagiteditor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\IrfanView\i_view32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Miranda IM\miranda32.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\My Documents\3. PC\Tools Dow\Antivirus\HostsXpert\HostsXpert\HostsXpert.exe
D:\My Documents\3. PC\Tools Dow\Antivirus\Hijack This\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\PCG-K66P\Start Menu\Programs\Startup]
BUFFALO Power Save Utility for HD.lnk = C:\Program Files\BUFFALO\HDManage\HDManage.exe
Mute at Exit.lnk = D:\My Documents\3. PC\Tools Dow\XP Desktop Tools and Themes\Mute and Setvol\mute.exe
procexp.exe.lnk = D:\My Documents\3. PC\Tools Dow\Process Explorer\ProcessExplorer\procexp.exe
PureText.lnk = D:\My Documents\3. PC\Tools Dow\XP Desktop Tools and Themes\PureText\PureText.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
DateInTray.lnk = C:\Program Files\DateInTray\DateInTray.exe
Shortcut to dynamicIP.lnk = C:\Program Files\Lowrie Associates Ltd\dynamicIP\dynamicIP.exe
SnagIt 9.lnk = C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = c:\windows\system32\userinit.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
ATIModeChange = Ati2mdxx.exe
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
HKSERV.EXE = C:\Program Files\Sony\HotKey Utility\HKserv.exe
IMJPMIG9.0 = C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
UnlockerAssistant = "C:\Program Files\Unlocker\UnlockerAssistant.exe"
Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide
IMEKRMIG6.1 = C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
MSPY2002 = C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
VolumeTray = C:\Program Files\VolumeTray\VolumeTray.exe
Adobe Acrobat Speed Launcher = "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
(Default) =
Acrobat Assistant 8.0 = "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
OODefragTray = C:\WINDOWS\system32\oodtray.exe
egui = "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
Malwarebytes' Anti-Malware = "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
TrueCrypt = "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences /a favorites
Start Killer = C:\Program Files\Start Killer\StartKiller.exe
AlcoholAutomount = "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
SandboxieControl = "C:\Program Files\Sandboxie\SbieCtrl.exe"
Eraser = C:\Program Files\Eraser\eraser.exe -hide
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

btorbit.com - C:\Program Files\Orbitdownloader\orbitcth.dll - {000123B4-9B42-4900-B3F7-F4B073EFC214}
(no name) - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll - {00C6482D-C502-44C8-8409-FCE54AD9C208}
AcroIEHelperStub - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}
SmartSelect - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll - {F4971EE7-DAA0-4053-9964-665D8EE6A077}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Malwarebytes' Scheduled Update for MarkTecoz.job
MP Scheduled Scan.job
RegCure Program Check.job
RegCure.job

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
End of report, 9,192 bytes
Report generated in 0.060 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


***************************************

Process list saved on 12:17:19, on 2008-10-20
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
596 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
700 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
744 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
756 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
912 C:\WINDOWS\system32\Ati2evxx.exe 6.14.10.4091
924 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1116 C:\Program Files\Windows Defender\MsMpEng.exe 1.1.1592.0 Microsoft Corporation
1156 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1676 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2696 Microsoft Corporation
1820 C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe 2.0.3.2 BUFFALO INC.
1832 C:\WINDOWS\system32\cisvc.exe 5.1.2600.2180 Microsoft Corporation
1852 C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe 3.0.667.0 ESET
1908 C:\WINDOWS\system32\inetsrv\inetinfo.exe 5.1.2600.2180 Microsoft Corporation
1988 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe 1.0.0.0 Malwarebytes Corporation
176 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe 7.10.3077.0 Microsoft Corporation
252 C:\WINDOWS\system32\oodag.exe 11.0.3265.0 O&O Software GmbH
440 C:\Program Files\Sandboxie\SbieSvc.exe 3.30.0.0 tzuk
504 C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe 3.2.0.1319 Rocket Division Software
1092 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1296 C:\WINDOWS\system32\fxssvc.exe 5.2.2600.2180 Microsoft Corporation
2884 C:\WINDOWS\system32\Ati2evxx.exe 6.14.10.4091
2996 C:\WINDOWS\Explorer.EXE 6.0.2900.3156 Microsoft Corporation
3008 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.2180 Microsoft Corporation
3208 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe 6.14.10.5073 ATI Technologies, Inc.
3224 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe 8.3.4.0 Synaptics, Inc.
3232 C:\Program Files\Sony\HotKey Utility\HKserv.exe 4.0.0.12020 Sony Corporation
3256 C:\Program Files\Unlocker\UnlockerAssistant.exe
3312 C:\Program Files\Sony\HotKey Utility\HKWnd.exe 4.0.0.11190 Sony Corporation
3344 C:\Program Files\Windows Defender\MSASCui.exe 1.1.1592.0 Microsoft Corporation
3576 C:\Program Files\VolumeTray\VolumeTray.exe
3664 C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe 9.0.0.332 Adobe Systems Inc.
3716 C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe 3.0.667.0 ESET
3984 C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe 1.0.0.0 Malwarebytes Corporation
824 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
2256 C:\Program Files\Start Killer\StartKiller.exe 2.3.0.0 TrueSoft
3368 C:\Program Files\Sandboxie\SbieCtrl.exe 3.30.0.0 tzuk
2116 C:\Program Files\Eraser\eraser.exe 5.8.6.0 The Eraser Project
3676 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe 1.6.3.25 Safer Networking Limited
2748 C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe 1.0.1.8 BUFFALO INC.
3432 C:\Program Files\DateInTray\DateInTray.exe 1.5.0.0 CrispyBytes Development
3324 C:\Program Files\Lowrie Associates Ltd\dynamicIP\dynamicIP.exe 3.0.7.5 Lowrie Assoicates Ltd
3016 C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe 9.0.2.9 TechSmith Corporation
2536 C:\Program Files\BUFFALO\HDManage\HDManage.exe 1.0.2.1 BUFFALO INC.
2776 D:\My Documents\3. PC\Tools Dow\XP Desktop Tools and Themes\Mute and Setvol\mute.exe 1.1.0.9
2540 D:\My Documents\3. PC\Tools Dow\Process Explorer\ProcessExplorer\procexp.exe 11.21.0.0 Sysinternals - www.sysinternals.com
2504 D:\My Documents\3. PC\Tools Dow\XP Desktop Tools and Themes\PureText\PureText.exe 2.0.0.0 http://www.SteveMiller.net
3756 C:\Program Files\TechSmith\SnagIt 9\TSCHelp.exe 9.0.2.9 TechSmith Corporation
1456 C:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe 9.0.2.9 TechSmith Corporation
648 C:\Program Files\TechSmith\SnagIt 9\snagiteditor.exe 9.0.2.9 TechSmith Corporation
4064 C:\Program Files\Internet Explorer\iexplore.exe 8.0.6001.18241 Microsoft Corporation
1352 C:\Program Files\Internet Explorer\iexplore.exe 8.0.6001.18241 Microsoft Corporation
1956 C:\WINDOWS\system32\cidaemon.exe 5.1.2600.0 Microsoft Corporation
2172 C:\WINDOWS\system32\cidaemon.exe 5.1.2600.0 Microsoft Corporation
3412 C:\Program Files\IrfanView\i_view32.exe 4.2.0.0 Irfan Skiljan
2084 C:\WINDOWS\system32\notepad.exe 5.1.2600.2180 Microsoft Corporation
3616 C:\Program Files\Miranda IM\miranda32.exe 0.7.10.0
428 C:\WINDOWS\system32\wbem\wmiapsrv.exe 5.1.2600.2180 Microsoft Corporation
612 C:\Program Files\Internet Explorer\iexplore.exe 8.0.6001.18241 Microsoft Corporation
2820 D:\My Documents\3. PC\Tools Dow\Antivirus\HostsXpert\HostsXpert\HostsXpert.exe 4.3.0.0 funkytoad.com
2760 D:\My Documents\3. PC\Tools Dow\Antivirus\Hijack This\HijackThis.exe 2.0.0.2 Trend Micro Inc.
3760 C:\WINDOWS\system32\NOTEPAD.EXE 5.1.2600.2180 Microsoft Corporation
4016 C:\WINDOWS\system32\notepad.exe 5.1.2600.2180 Microsoft Corporation

*****************************************************************************
CMD.EXE, NETSTAT COMMAND LOG
Port 26548: Open Port for uTorrent, 1 (ONE) active download at the time of the log
*****************************************************************************
Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\PCG-K66P>netstat

Active Connections

Proto Local Address Foreign Address State
TCP Sony1:http localhost:2712 TIME_WAIT
TCP Sony1:1032 localhost:50300 ESTABLISHED
TCP Sony1:2189 localhost:30606 CLOSE_WAIT
TCP Sony1:2409 localhost:30606 TIME_WAIT
TCP Sony1:2522 localhost:30606 TIME_WAIT
TCP Sony1:2533 localhost:30606 TIME_WAIT
TCP Sony1:2536 localhost:30606 TIME_WAIT
TCP Sony1:2555 localhost:30606 TIME_WAIT
TCP Sony1:2562 localhost:30606 TIME_WAIT
TCP Sony1:2563 localhost:30606 TIME_WAIT
TCP Sony1:2571 localhost:30606 TIME_WAIT
TCP Sony1:2573 localhost:30606 TIME_WAIT
TCP Sony1:2575 localhost:30606 TIME_WAIT
TCP Sony1:2579 localhost:30606 TIME_WAIT
TCP Sony1:2596 localhost:30606 TIME_WAIT
TCP Sony1:2605 localhost:30606 TIME_WAIT
TCP Sony1:2606 localhost:30606 TIME_WAIT
TCP Sony1:2607 localhost:30606 TIME_WAIT
TCP Sony1:2610 localhost:30606 TIME_WAIT
TCP Sony1:2613 localhost:30606 TIME_WAIT
TCP Sony1:2621 localhost:30606 TIME_WAIT
TCP Sony1:2633 localhost:30606 TIME_WAIT
TCP Sony1:2634 localhost:30606 TIME_WAIT
TCP Sony1:2636 localhost:30606 TIME_WAIT
TCP Sony1:2641 localhost:30606 TIME_WAIT
TCP Sony1:2642 localhost:30606 TIME_WAIT
TCP Sony1:2646 localhost:30606 TIME_WAIT
TCP Sony1:2647 localhost:30606 TIME_WAIT
TCP Sony1:2651 localhost:30606 TIME_WAIT
TCP Sony1:2652 localhost:30606 TIME_WAIT
TCP Sony1:2656 localhost:30606 TIME_WAIT
TCP Sony1:2658 localhost:30606 TIME_WAIT
TCP Sony1:2662 localhost:30606 TIME_WAIT
TCP Sony1:2668 localhost:30606 TIME_WAIT
TCP Sony1:2679 localhost:30606 TIME_WAIT
TCP Sony1:2680 localhost:30606 TIME_WAIT
TCP Sony1:2682 localhost:30606 TIME_WAIT
TCP Sony1:2691 localhost:30606 TIME_WAIT
TCP Sony1:2692 localhost:30606 TIME_WAIT
TCP Sony1:2700 localhost:30606 TIME_WAIT
TCP Sony1:2703 localhost:30606 TIME_WAIT
TCP Sony1:2704 localhost:30606 TIME_WAIT
TCP Sony1:2715 localhost:30606 TIME_WAIT
TCP Sony1:2716 localhost:30606 TIME_WAIT
TCP Sony1:2718 localhost:30606 ESTABLISHED
TCP Sony1:2722 localhost:30606 TIME_WAIT
TCP Sony1:2727 localhost:30606 TIME_WAIT
TCP Sony1:2735 localhost:30606 TIME_WAIT
TCP Sony1:2736 localhost:30606 TIME_WAIT
TCP Sony1:2739 localhost:30606 TIME_WAIT
TCP Sony1:2743 localhost:30606 TIME_WAIT
TCP Sony1:2746 localhost:30606 TIME_WAIT
TCP Sony1:2747 localhost:30606 TIME_WAIT
TCP Sony1:2753 localhost:30606 TIME_WAIT
TCP Sony1:2754 localhost:30606 TIME_WAIT
TCP Sony1:2759 localhost:30606 TIME_WAIT
TCP Sony1:2766 localhost:30606 TIME_WAIT
TCP Sony1:2771 localhost:30606 TIME_WAIT
TCP Sony1:2772 localhost:30606 TIME_WAIT
TCP Sony1:2776 localhost:30606 TIME_WAIT
TCP Sony1:2783 localhost:30606 TIME_WAIT
TCP Sony1:2784 localhost:30606 TIME_WAIT
TCP Sony1:2790 localhost:30606 TIME_WAIT
TCP Sony1:2791 localhost:30606 TIME_WAIT
TCP Sony1:2798 localhost:30606 TIME_WAIT
TCP Sony1:2805 localhost:30606 TIME_WAIT
TCP Sony1:2806 localhost:30606 TIME_WAIT
TCP Sony1:2807 localhost:30606 TIME_WAIT
TCP Sony1:2808 localhost:30606 TIME_WAIT
TCP Sony1:2812 localhost:30606 TIME_WAIT
TCP Sony1:2813 localhost:30606 TIME_WAIT
TCP Sony1:2817 localhost:30606 TIME_WAIT
TCP Sony1:2820 localhost:30606 TIME_WAIT
TCP Sony1:2823 localhost:30606 TIME_WAIT
TCP Sony1:2830 localhost:30606 TIME_WAIT
TCP Sony1:2831 localhost:30606 TIME_WAIT
TCP Sony1:2832 localhost:30606 FIN_WAIT_2
TCP Sony1:2833 localhost:30606 TIME_WAIT
TCP Sony1:2837 localhost:30606 TIME_WAIT
TCP Sony1:2842 localhost:30606 FIN_WAIT_2
TCP Sony1:2843 localhost:30606 TIME_WAIT
TCP Sony1:2846 localhost:30606 FIN_WAIT_2
TCP Sony1:2849 localhost:30606 FIN_WAIT_2
TCP Sony1:2850 localhost:30606 FIN_WAIT_2
TCP Sony1:2853 localhost:30606 TIME_WAIT
TCP Sony1:2855 localhost:30606 FIN_WAIT_2
TCP Sony1:2857 localhost:30606 TIME_WAIT
TCP Sony1:2860 localhost:30606 TIME_WAIT
TCP Sony1:2864 localhost:30606 FIN_WAIT_2
TCP Sony1:2868 localhost:30606 FIN_WAIT_2
TCP Sony1:2870 localhost:30606 FIN_WAIT_2
TCP Sony1:2871 localhost:30606 FIN_WAIT_2
TCP Sony1:2873 localhost:30606 ESTABLISHED
TCP Sony1:2877 localhost:30606 FIN_WAIT_2
TCP Sony1:2879 localhost:30606 FIN_WAIT_2
TCP Sony1:2882 localhost:30606 TIME_WAIT
TCP Sony1:2886 localhost:30606 TIME_WAIT
TCP Sony1:2892 localhost:30606 TIME_WAIT
TCP Sony1:2893 localhost:30606 FIN_WAIT_2
TCP Sony1:2896 localhost:30606 TIME_WAIT
TCP Sony1:2900 localhost:30606 FIN_WAIT_2
TCP Sony1:2901 localhost:30606 FIN_WAIT_2
TCP Sony1:2906 localhost:30606 FIN_WAIT_2
TCP Sony1:2907 localhost:30606 FIN_WAIT_2
TCP Sony1:2908 localhost:30606 FIN_WAIT_2
TCP Sony1:2915 localhost:30606 FIN_WAIT_2
TCP Sony1:2916 localhost:30606 FIN_WAIT_2
TCP Sony1:2918 localhost:30606 FIN_WAIT_2
TCP Sony1:2919 localhost:30606 FIN_WAIT_2
TCP Sony1:2923 localhost:30606 FIN_WAIT_2
TCP Sony1:2924 localhost:30606 FIN_WAIT_2
TCP Sony1:2925 localhost:30606 FIN_WAIT_2
TCP Sony1:2929 localhost:30606 FIN_WAIT_2
TCP Sony1:2930 localhost:30606 FIN_WAIT_2
TCP Sony1:2933 localhost:30606 FIN_WAIT_2
TCP Sony1:2939 localhost:30606 FIN_WAIT_2
TCP Sony1:2940 localhost:30606 FIN_WAIT_2
TCP Sony1:2941 localhost:30606 FIN_WAIT_2
TCP Sony1:2945 localhost:30606 FIN_WAIT_2
TCP Sony1:2946 localhost:30606 FIN_WAIT_2
TCP Sony1:2950 localhost:30606 FIN_WAIT_2
TCP Sony1:2953 localhost:30606 FIN_WAIT_2
TCP Sony1:2957 localhost:30606 FIN_WAIT_2
TCP Sony1:2964 localhost:30606 FIN_WAIT_2
TCP Sony1:2965 localhost:30606 FIN_WAIT_2
TCP Sony1:2966 localhost:30606 FIN_WAIT_2
TCP Sony1:2967 localhost:30606 FIN_WAIT_2
TCP Sony1:2968 localhost:30606 FIN_WAIT_2
TCP Sony1:2970 localhost:30606 ESTABLISHED
TCP Sony1:2971 localhost:30606 ESTABLISHED
TCP Sony1:2972 localhost:30606 ESTABLISHED
TCP Sony1:2973 localhost:30606 ESTABLISHED
TCP Sony1:2977 localhost:30606 ESTABLISHED
TCP Sony1:2978 localhost:30606 ESTABLISHED
TCP Sony1:2983 localhost:30606 ESTABLISHED
TCP Sony1:2984 localhost:30606 ESTABLISHED
TCP Sony1:2996 localhost:30606 FIN_WAIT_2
TCP Sony1:2997 localhost:30606 FIN_WAIT_2
TCP Sony1:2998 localhost:30606 FIN_WAIT_2
TCP Sony1:2999 localhost:30606 FIN_WAIT_2
TCP Sony1:3000 localhost:30606 FIN_WAIT_2
TCP Sony1:3001 localhost:30606 FIN_WAIT_2
TCP Sony1:3003 localhost:30606 FIN_WAIT_2
TCP Sony1:3008 localhost:30606 FIN_WAIT_2
TCP Sony1:3011 localhost:30606 FIN_WAIT_2
TCP Sony1:3014 localhost:30606 FIN_WAIT_2
TCP Sony1:3017 localhost:30606 FIN_WAIT_2
TCP Sony1:3018 localhost:30606 FIN_WAIT_2
TCP Sony1:3021 localhost:30606 FIN_WAIT_2
TCP Sony1:3025 localhost:30606 FIN_WAIT_2
TCP Sony1:3027 localhost:30606 FIN_WAIT_2
TCP Sony1:3030 localhost:30606 FIN_WAIT_2
TCP Sony1:3033 localhost:30606 FIN_WAIT_2
TCP Sony1:3041 localhost:30606 FIN_WAIT_2
TCP Sony1:3042 localhost:30606 FIN_WAIT_2
TCP Sony1:3043 localhost:30606 FIN_WAIT_2
TCP Sony1:3044 localhost:30606 FIN_WAIT_2
TCP Sony1:3050 localhost:30606 FIN_WAIT_2
TCP Sony1:3051 localhost:30606 FIN_WAIT_2
TCP Sony1:3052 localhost:30606 FIN_WAIT_2
TCP Sony1:3058 localhost:30606 FIN_WAIT_2
TCP Sony1:3059 localhost:30606 FIN_WAIT_2
TCP Sony1:3060 localhost:30606 FIN_WAIT_2
TCP Sony1:30606 localhost:2718 ESTABLISHED
TCP Sony1:30606 localhost:2832 CLOSE_WAIT
TCP Sony1:30606 localhost:2842 CLOSE_WAIT
TCP Sony1:30606 localhost:2846 CLOSE_WAIT
TCP Sony1:30606 localhost:2849 CLOSE_WAIT
TCP Sony1:30606 localhost:2850 CLOSE_WAIT
TCP Sony1:30606 localhost:2855 CLOSE_WAIT
TCP Sony1:30606 localhost:2864 CLOSE_WAIT
TCP Sony1:30606 localhost:2868 CLOSE_WAIT
TCP Sony1:30606 localhost:2870 CLOSE_WAIT
TCP Sony1:30606 localhost:2871 CLOSE_WAIT
TCP Sony1:30606 localhost:2873 ESTABLISHED
TCP Sony1:30606 localhost:2877 CLOSE_WAIT
TCP Sony1:30606 localhost:2879 CLOSE_WAIT
TCP Sony1:30606 localhost:2893 CLOSE_WAIT
TCP Sony1:30606 localhost:2900 CLOSE_WAIT
TCP Sony1:30606 localhost:2901 CLOSE_WAIT
TCP Sony1:30606 localhost:2906 CLOSE_WAIT
TCP Sony1:30606 localhost:2907 CLOSE_WAIT
TCP Sony1:30606 localhost:2908 CLOSE_WAIT
TCP Sony1:30606 localhost:2915 CLOSE_WAIT
TCP Sony1:30606 localhost:2916 CLOSE_WAIT
TCP Sony1:30606 localhost:2918 CLOSE_WAIT
TCP Sony1:30606 localhost:2919 CLOSE_WAIT
TCP Sony1:30606 localhost:2923 CLOSE_WAIT
TCP Sony1:30606 localhost:2924 CLOSE_WAIT
TCP Sony1:30606 localhost:2925 CLOSE_WAIT
TCP Sony1:30606 localhost:2929 CLOSE_WAIT
TCP Sony1:30606 localhost:2930 CLOSE_WAIT
TCP Sony1:30606 localhost:2933 CLOSE_WAIT
TCP Sony1:30606 localhost:2939 CLOSE_WAIT
TCP Sony1:30606 localhost:2940 CLOSE_WAIT
TCP Sony1:30606 localhost:2941 CLOSE_WAIT
TCP Sony1:30606 localhost:2945 CLOSE_WAIT
TCP Sony1:30606 localhost:2946 CLOSE_WAIT
TCP Sony1:30606 localhost:2950 CLOSE_WAIT
TCP Sony1:30606 localhost:2953 CLOSE_WAIT
TCP Sony1:30606 localhost:2957 CLOSE_WAIT
TCP Sony1:30606 localhost:2964 CLOSE_WAIT
TCP Sony1:30606 localhost:2965 CLOSE_WAIT
TCP Sony1:30606 localhost:2966 CLOSE_WAIT
TCP Sony1:30606 localhost:2967 CLOSE_WAIT
TCP Sony1:30606 localhost:2968 CLOSE_WAIT
TCP Sony1:30606 localhost:2970 ESTABLISHED
TCP Sony1:30606 localhost:2971 ESTABLISHED
TCP Sony1:30606 localhost:2972 ESTABLISHED
TCP Sony1:30606 localhost:2973 ESTABLISHED
TCP Sony1:30606 localhost:2977 ESTABLISHED
TCP Sony1:30606 localhost:2978 ESTABLISHED
TCP Sony1:30606 localhost:2983 ESTABLISHED
TCP Sony1:30606 localhost:2984 ESTABLISHED
TCP Sony1:30606 localhost:2996 CLOSE_WAIT
TCP Sony1:30606 localhost:2997 CLOSE_WAIT
TCP Sony1:30606 localhost:2998 CLOSE_WAIT
TCP Sony1:30606 localhost:2999 CLOSE_WAIT
TCP Sony1:30606 localhost:3000 CLOSE_WAIT
TCP Sony1:30606 localhost:3001 CLOSE_WAIT
TCP Sony1:30606 localhost:3003 CLOSE_WAIT
TCP Sony1:30606 localhost:3008 CLOSE_WAIT
TCP Sony1:30606 localhost:3011 CLOSE_WAIT
TCP Sony1:30606 localhost:3014 CLOSE_WAIT
TCP Sony1:30606 localhost:3017 CLOSE_WAIT
TCP Sony1:30606 localhost:3018 CLOSE_WAIT
TCP Sony1:30606 localhost:3021 CLOSE_WAIT
TCP Sony1:30606 localhost:3025 CLOSE_WAIT
TCP Sony1:30606 localhost:3027 CLOSE_WAIT
TCP Sony1:30606 localhost:3030 CLOSE_WAIT
TCP Sony1:30606 localhost:3033 CLOSE_WAIT
TCP Sony1:30606 localhost:3041 CLOSE_WAIT
TCP Sony1:30606 localhost:3042 CLOSE_WAIT
TCP Sony1:30606 localhost:3043 CLOSE_WAIT
TCP Sony1:30606 localhost:3044 CLOSE_WAIT
TCP Sony1:30606 localhost:3050 CLOSE_WAIT
TCP Sony1:30606 localhost:3051 CLOSE_WAIT
TCP Sony1:30606 localhost:3052 CLOSE_WAIT
TCP Sony1:30606 localhost:3058 CLOSE_WAIT
TCP Sony1:30606 localhost:3059 CLOSE_WAIT
TCP Sony1:30606 localhost:3060 CLOSE_WAIT
TCP Sony1:50300 localhost:1032 ESTABLISHED
TCP Sony1:1769 81-235-236-74-no92.tbcn.telia.com:33342 FIN_WAIT_1
TCP Sony1:2353 81-235-236-74-no92.tbcn.telia.com:33342 FIN_WAIT_1
TCP Sony1:2419 c213-89-152-119.bredband.comhem.se:47092 TIME_WAIT
TCP Sony1:2500 ti211110a081-5386.bb.online.no:26573 FIN_WAIT_1
TCP Sony1:2547 bb-81-175-217-228.dsl.phnet.fi:51052 TIME_WAIT
TCP Sony1:2577 179-242.adsl.lpoy.dnainternet.fi:39712 FIN_WAIT_1
TCP Sony1:2588 91.100.63.71.generic-hostname.arrownet.dk:49979 TIME_WAIT
TCP Sony1:2623 a84-230-73-150.elisa-laajakaista.fi:11086 TIME_WAIT
TCP Sony1:2626 cm-84.212.53.145.getinternet.no:6899 TIME_WAIT
TCP Sony1:2630 a88-113-14-174.elisa-laajakaista.fi:23963 FIN_WAIT_2
TCP Sony1:2643 ti211110a081-5386.bb.online.no:26573 FIN_WAIT_1
TCP Sony1:2650 92-238-36-155.cable.ubr13.nmal.blueyonder.co.uk:15871 TIME_WAIT
TCP Sony1:2654 a91-154-73-175.elisa-laajakaista.fi:33229 TIME_WAIT
TCP Sony1:2657 71.84-49-133.nextgentel.com:6881 TIME_WAIT
TCP Sony1:2660 a88-115-183-176.elisa-laajakaista.fi:21698 TIME_WAIT
TCP Sony1:2665 c-39f7e255.127-15-64736c14.cust.bredbandsbolaget.se:55555 TIME_WAIT
TCP Sony1:2667 0x573b8a98.hhnqu1.dynamic.dsl.tele.dk:12134 TIME_WAIT
TCP Sony1:2672 c59B300C3.dhcp.bluecom.no:6890 FIN_WAIT_2
TCP Sony1:2676 host86-136-1-113.range86-136.btcentralplus.com:21300 FIN_WAIT_2
TCP Sony1:2688 91-150-20-197.customer.karistelefon.fi:10157 TIME_WAIT
TCP Sony1:2696 ti511220a080-0941.bb.online.no:13173 TIME_WAIT
TCP Sony1:2708 ip165.trandansen.se:15032 TIME_WAIT
TCP Sony1:2719 by1msg2093108.gateway.edge.messenger.live.com:1863 ESTABLISHED
TCP Sony1:2724 0x535dc06e.abnxx13.dynamic.dsl.tele.dk:13119 TIME_WAIT
TCP Sony1:2755 81-235-236-74-no92.tbcn.telia.com:33342 FIN_WAIT_1
TCP Sony1:2773 0x573a6478.ronnqu1.dynamic.dsl.tele.dk:50786 TIME_WAIT
TCP Sony1:2774 x1-6-00-0b-6a-9b-b9-72.k717.webspeed.dk:26830 TIME_WAIT
TCP Sony1:2780 c-a7b670d5.09-31-67766c2.cust.bredbandsbolaget.se:11415 TIME_WAIT
TCP Sony1:2789 91-150-20-197.customer.karistelefon.fi:10157 TIME_WAIT
TCP Sony1:2802 h136235.gprs.dnafinland.fi:6881 TIME_WAIT
TCP Sony1:2803 host86-136-1-113.range86-136.btcentralplus.com:21300 TIME_WAIT
TCP Sony1:2811 ti511220a080-0941.bb.online.no:13173 TIME_WAIT
TCP Sony1:2821 a91-155-182-7.elisa-laajakaista.fi:62300 TIME_WAIT
TCP Sony1:2825 ti300720a080-0889.bb.online.no:54400 TIME_WAIT
TCP Sony1:2826 0x535dc06e.abnxx13.dynamic.dsl.tele.dk:13119 TIME_WAIT
TCP Sony1:2828 90-231-1-137-no69.tbcn.telia.com:56242 TIME_WAIT
TCP Sony1:2835 c-d7cbe255.26-2-64736c10.cust.bredbandsbolaget.se:17796 TIME_WAIT
TCP Sony1:2840 92-32-106-234.tn.glocalnet.net:34833 TIME_WAIT
TCP Sony1:2851 host-212-149-231-17.kpylaajakaista.net:22728 SYN_SENT
TCP Sony1:2854 179-242.adsl.lpoy.dnainternet.fi:39712 TIME_WAIT
TCP Sony1:2859 host86-151-156-217.range86-151.btcentralplus.com:46580 SYN_SENT
TCP Sony1:2862 dsl-lmammlgw1-fe76fa00-44.dhcp.inet.fi:64648 TIME_WAIT
TCP Sony1:2865 ti0028a380-dhcp0240.bb.online.no:12408 SYN_SENT
TCP Sony1:2866 ip0xe78d9.customer.smilenet.dk:58715 SYN_SENT
TCP Sony1:2867 cpc1-norw2-0-0-cust723.pete.cable.ntl.com:54161 SYN_SENT
TCP Sony1:2869 local.gateway:50381 CLOSE_WAIT
TCP Sony1:2874 cs106.msg.mud.yahoo.com:5050 ESTABLISHED
TCP Sony1:2875 h55eb1361.c45-01-04.dyn.perspektivbredband.net:44267 TIME_WAIT
TCP Sony1:2878 5ac96a38.bb.sky.com:19154 SYN_SENT
TCP Sony1:2884 a84-230-73-150.elisa-laajakaista.fi:11086 TIME_WAIT
TCP Sony1:2887 c213-89-106-205.bredband.comhem.se:33286 SYN_SENT
TCP Sony1:2890 213-64-153-157-no75.tbcn.telia.com:37437 SYN_SENT
TCP Sony1:2891 212251159039.customer.cdi.no:28106 SYN_SENT
TCP Sony1:2894 177.84-49-198.nextgentel.com:53330 SYN_SENT
TCP Sony1:2897 cp943384-a.tilbu1.nb.home.nl:6882 SYN_SENT
TCP Sony1:2898 c83-255-196-130.bredband.comhem.se:47373 SYN_SENT
TCP Sony1:2909 c59B300C3.dhcp.bluecom.no:6890 FIN_WAIT_2
TCP Sony1:2910 194.19.60.4:47035 SYN_SENT
TCP Sony1:2913 a88-112-161-128.elisa-laajakaista.fi:15541 SYN_SENT
TCP Sony1:26548 64-184-11-109.bb.hrtc.net:50176 TIME_WAIT
TCP Sony1:26548 64-184-11-109.bb.hrtc.net:50361 TIME_WAIT
TCP Sony1:26548 bas10-montrealak-1128582267.dsl.bell.ca:60648 TIME_WAIT
TCP Sony1:26548 50A2F9D2.flatrate.dk:62000 TIME_WAIT
TCP Sony1:26548 force10.plus.com:37726 TIME_WAIT
TCP Sony1:26548 h22n3fls312o1049.telia.com:2105 FIN_WAIT_1
TCP Sony1:26548 athedsl-114917.home.otenet.gr:2004 TIME_WAIT
TCP Sony1:26548 213-65-109-227-no158.tbcn.telia.com:1555 TIME_WAIT
TCP Sony1:26548 c-09d972d5.09-182-73746f44.cust.bredbandsbolaget.se:3368 TIME_WAIT

C:\Documents and Settings\PCG-K66P>

Thanks!

Edited by admsupport, 20 October 2008 - 07:10 PM.



#2 admsupport

admsupport
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Location:Japan
  • Local time:08:09 PM

Posted 25 October 2008 - 11:58 PM

Hi, need help.

XP Pro SP2
ESET Smart Security
Spybot
Antimalwarebytes (pay version)
Wired connection

Symptom: any time I use uTorrent, the internet connection gradually becomes unresponsive and the PC disconnects and reconnects. I have a huge internal connection list when I run the netstat command. The ESET Smart Security firewall log also shows numerous attacks (DNS tampering) and alerts. However, the AV and antispyware do not report anything but some false positives.

I guess a download was not safe and opened a door, or a well hidden process/service, on my system. Can you take a look at the log and get back to me with your findings?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:40:19, on 2008-10-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\VolumeTray\VolumeTray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\oodtray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Start Killer\StartKiller.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe
C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
C:\Program Files\DateInTray\DateInTray.exe
C:\Program Files\Lowrie Associates Ltd\dynamicIP\dynamicIP.exe
C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
C:\Program Files\BUFFALO\HDManage\HDManage.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TechSmith\SnagIt 9\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe
C:\Program Files\TechSmith\SnagIt 9\snagiteditor.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Miranda IM\miranda32.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\My Documents\4. PC\Tools Dow\Antivirus\Hijack This\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 ___id___.c.mystat-in.net
O1 - Hosts: 127.0.0.1 0.r.msn.com
O1 - Hosts: 127.0.0.1 000dom.revenuedirect.com
O1 - Hosts: 127.0.0.1 00a0-f0d5-a44e-33s6.cnc-inc.cn
O1 - Hosts: 127.0.0.1 00fun.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 011707160008.c.mystat-in.net
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 061606084448.c.mystat-in.net
O1 - Hosts: 127.0.0.1 070806142521.c.mystat-in.net
O1 - Hosts: 127.0.0.1 090906042103.c.mystat-in.net
O1 - Hosts: 127.0.0.1 092706152958.c.mystat-in.net
O1 - Hosts: 127.0.0.1 093qpeuqpmz6ebfa.com
O1 - Hosts: 127.0.0.1 0ki.ru
O1 - Hosts: 127.0.0.1 0ml.net
O1 - Hosts: 127.0.0.1 0texkax7c6hzuidk.com
O1 - Hosts: 127.0.0.1 1.9797aiai.com
O1 - Hosts: 127.0.0.1 1.adbrite.com
O1 - Hosts: 127.0.0.1 1.marketbanker.com
O1 - Hosts: 127.0.0.1 1.primaryads.com
O1 - Hosts: 127.0.0.1 1.xqhgm.com
O1 - Hosts: 127.0.0.1 100.mbn.com.ua
O1 - Hosts: 127.0.0.1 100.topnews.ru
O1 - Hosts: 127.0.0.1 10000hits.net
O1 - Hosts: 127.0.0.1 10006.hittail.com
O1 - Hosts: 127.0.0.1 10016.searchmiracle.com
O1 - Hosts: 127.0.0.1 100webads.com
O1 - Hosts: 127.0.0.1 10168.hittail.com
O1 - Hosts: 127.0.0.1 102.112.207.net
O1 - Hosts: 127.0.0.1 102.112.2o7.net
O1 - Hosts: 127.0.0.1 102.122.2o7.net
O1 - Hosts: 127.0.0.1 102106151057.c.mystat-in.net
O1 - Hosts: 127.0.0.1 103bees.com
O1 - Hosts: 127.0.0.1 1047.www1.p0rt2.com
O1 - Hosts: 127.0.0.1 10661.kit.carpediem.fr
O1 - Hosts: 127.0.0.1 10xhellometro.112.2o7.net
O1 - Hosts: 127.0.0.1 11.rtcode.com
O1 - Hosts: 127.0.0.1 11.rtstats.com
O1 - Hosts: 127.0.0.1 112006133326.c.mystat-in.net
O1 - Hosts: 127.0.0.1 117.mylongtail.com
O1 - Hosts: 127.0.0.1 11731.kit.carpediem.fr
O1 - Hosts: 127.0.0.1 1188224372.com
O1 - Hosts: 127.0.0.1 11968.www1.p0rt2.com
O1 - Hosts: 127.0.0.1 11qe.com
O1 - Hosts: 127.0.0.1 11zz.com
O1 - Hosts: 127.0.0.1 120.mbn.com.ua
O1 - Hosts: 127.0.0.1 123.fluxads.com
O1 - Hosts: 127.0.0.1 1234.2bro.com
O1 - Hosts: 127.0.0.1 12345dns.net
O1 - Hosts: 127.0.0.1 123ads.nl
O1 - Hosts: 127.0.0.1 123count.com
O1 - Hosts: 127.0.0.1 123go.com
O1 - Hosts: 127.0.0.1 123mania.com
O1 - Hosts: 127.0.0.1 123stat.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 124365.com
O1 - Hosts: 127.0.0.1 1262.hittail.com
O1 - Hosts: 127.0.0.1 12877.hittail.com
O1 - Hosts: 127.0.0.1 13175.com
O1 - Hosts: 127.0.0.1 13223.hittail.com
O1 - Hosts: 127.0.0.1 14228.hittail.com
O1 - Hosts: 127.0.0.1 14713804a.l2m.net
O1 - Hosts: 127.0.0.1 15141.hittail.com
O1 - Hosts: 127.0.0.1 1559.stats.misstrends.com
O1 - Hosts: 127.0.0.1 15694.hittail.com
O1 - Hosts: 127.0.0.1 160.mbn.com.ua
O1 - Hosts: 127.0.0.1 16565.hittail.com
O1 - Hosts: 127.0.0.1 16643.kit.carpediem.fr
O1 - Hosts: 127.0.0.1 16755.dialer.lincassa.com
O1 - Hosts: 127.0.0.1 17067.dialer.lincassa.com
O1 - Hosts: 127.0.0.1 1800.stats.misstrends.com
O1 - Hosts: 127.0.0.1 180solutions.com
O1 - Hosts: 127.0.0.1 181.365soft.info
O1 - Hosts: 127.0.0.1 1866.www1.p0rt2.com
O1 - Hosts: 127.0.0.1 1867.stats.misstrends.com
O1 - Hosts: 127.0.0.1 18girl-av.com
O1 - Hosts: 127.0.0.1 19097.hittail.com
O1 - Hosts: 127.0.0.1 192.168.112.2o7.net
O1 - Hosts: 127.0.0.1 192.168.122.2o7.net
O1 - Hosts: 127.0.0.1 19500.hittail.com
O1 - Hosts: 127.0.0.1 1amanda.info
O1 - Hosts: 127.0.0.1 1au.cqcounter.com
O1 - Hosts: 127.0.0.1 1bm.cqcounter.com
O1 - Hosts: 127.0.0.1 1ca.cqcounter.com
O1 - Hosts: 127.0.0.1 1cat.com
O1 - Hosts: 127.0.0.1 1ce18.cash-ddt.net
O1 - Hosts: 127.0.0.1 1de.cqcounter.com
O1 - Hosts: 127.0.0.1 1es.cqcounter.com
O1 - Hosts: 127.0.0.1 1fr.cqcounter.com
O1 - Hosts: 127.0.0.1 1in.cqcounter.com
O1 - Hosts: 127.0.0.1 1it.cqcounter.com
O1 - Hosts: 127.0.0.1 1jo.cqcounter.com
O1 - Hosts: 127.0.0.1 1mov.net
O1 - Hosts: 127.0.0.1 1nl.cqcounter.com
O1 - Hosts: 127.0.0.1 1pop.ru
O1 - Hosts: 127.0.0.1 1pt.cqcounter.com
O1 - Hosts: 127.0.0.1 1-se.com
O1 - Hosts: 127.0.0.1 1se.cqcounter.com
O1 - Hosts: 127.0.0.1 1sense.info
O1 - Hosts: 127.0.0.1 1speed.info
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [VolumeTray] C:\Program Files\VolumeTray\VolumeTray.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences /a favorites
O4 - HKCU\..\Run: [Start Killer] C:\Program Files\Start Killer\StartKiller.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Directory Opus Desktop Dblclk] "C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe" /dblclk
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: BUFFALO Power Save Utility for HD.lnk = C:\Program Files\BUFFALO\HDManage\HDManage.exe
O4 - Startup: Mute at Exit.lnk = D:\My Documents\3. PC\Tools Dow\XP Desktop Tools and Themes\Mute and Setvol\mute.exe
O4 - Startup: procexp.exe.lnk = D:\My Documents\3. PC\Tools Dow\Process Explorer\ProcessExplorer\procexp.exe
O4 - Startup: PureText.lnk = D:\My Documents\3. PC\Tools Dow\XP Desktop Tools and Themes\PureText\PureText.exe
O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
O4 - Global Startup: DateInTray.lnk = C:\Program Files\DateInTray\DateInTray.exe
O4 - Global Startup: Shortcut to dynamicIP.lnk = C:\Program Files\Lowrie Associates Ltd\dynamicIP\dynamicIP.exe
O4 - Global Startup: SnagIt 9.lnk = C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winrnr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rsvpsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rsvpsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O18 - Filter: application/octet-stream - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll
O18 - Filter: application/x-complus - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll
O18 - Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - (no file)
O18 - Filter: application/x-msdownload - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll
O18 - Filter: Class Install Handler - {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\SHELL32.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\SHELL32.dll
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\SHELL32.dll
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Alerter - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Application Layer Gateway Service (ALG) - Microsoft Corporation - C:\WINDOWS\System32\alg.exe
O23 - Service: Application Management (AppMgmt) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Microsoft Corporation - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Windows Audio (AudioSrv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Computer Browser (Browser) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
O23 - Service: Indexing Service (CiSvc) - Microsoft Corporation - C:\WINDOWS\system32\cisvc.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Microsoft Corporation - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
O23 - Service: COM+ System Application (COMSysApp) - Microsoft Corporation - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Cryptographic Services (CryptSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: DHCP Client (Dhcp) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Logical Disk Manager (dmserver) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: DNS Client (Dnscache) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Error Reporting Service (ERSvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Event Log (Eventlog) - Microsoft Corporation - C:\WINDOWS\system32\services.exe
O23 - Service: COM+ Event System (EventSystem) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Fax - Microsoft Corporation - C:\WINDOWS\system32\fxssvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Windows Presentation Foundation Font Cache 3.0.0.0 (FontCache3.0.0.0) - Microsoft Corporation - C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
O23 - Service: Help and Support (helpsvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: HID Input Service (HidServ) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: HTTP SSL (HTTPFilter) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Windows CardSpace (idsvc) - Microsoft Corporation - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
O23 - Service: IIS Admin (IISADMIN) - Microsoft Corporation - C:\WINDOWS\system32\inetsrv\inetinfo.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Microsoft Corporation - C:\WINDOWS\system32\imapi.exe
O23 - Service: Server (lanmanserver) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Workstation (lanmanworkstation) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Machine Debug Manager (MDM) - Microsoft Corporation - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
O23 - Service: Messenger - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Microsoft Corporation - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Microsoft Corporation - C:\WINDOWS\system32\msdtc.exe
O23 - Service: FTP Publishing (MSFtpsvc) - Microsoft Corporation - C:\WINDOWS\system32\inetsrv\inetinfo.exe
O23 - Service: Windows Installer (MSIServer) - Microsoft Corporation - C:\WINDOWS\system32\msiexec.exe
O23 - Service: Net Logon (Netlogon) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Network Connections (Netman) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Removable Storage (NtmsSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Microsoft Office Diagnostics Service (odserv) - Microsoft Corporation - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
O23 - Service: Office Source Engine (ose) - Microsoft Corporation - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
O23 - Service: Plug and Play (PlugPlay) - Microsoft Corporation - C:\WINDOWS\system32\services.exe
O23 - Service: IPSEC Services (PolicyAgent) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Protected Storage (ProtectedStorage) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Access Connection Manager (RasMan) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Microsoft Corporation - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Registry (RemoteRegistry) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Microsoft Corporation - C:\WINDOWS\system32\locator.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: QoS RSVP (RSVP) - Microsoft Corporation - C:\WINDOWS\system32\rsvp.exe
O23 - Service: Security Accounts Manager (SamSs) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Smart Card (SCardSvr) - Microsoft Corporation - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Task Scheduler (Schedule) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Secondary Logon (seclogon) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: System Event Notification (SENS) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Print Spooler (Spooler) - Microsoft Corporation - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: System Restore Service (srservice) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: SSDP Discovery Service (SSDPSRV) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Microsoft Corporation - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Microsoft Corporation - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telephony (TapiSrv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Terminal Services (TermService) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Themes - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Universal Plug and Play Device Host (upnphost) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Microsoft Corporation - C:\WINDOWS\System32\ups.exe
O23 - Service: Volume Shadow Copy (VSS) - Microsoft Corporation - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Windows Time (W32Time) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: World Wide Web Publishing (W3SVC) - Microsoft Corporation - C:\WINDOWS\system32\inetsrv\inetinfo.exe
O23 - Service: WebClient - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Management Instrumentation (winmgmt) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Microsoft Corporation - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Microsoft Corporation - C:\Program Files\Windows Media Player\WMPNetwk.exe
O23 - Service: Security Center (wscsvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Automatic Updates (wuauserv) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Network Provisioning Service (xmlprov) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe

--
End of file - 32237 bytes

Edited by Orange Blossom, 26 October 2008 - 12:49 AM.
Merged topics. ~ OB
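Reading a HijackThis log this long by hand is error-prone, so here is an added Python example (not HijackThis's own code) that tallies the log's sections and surfaces the entries worth reading first: O4 autoruns whose executable sits outside C:\WINDOWS or C:\Program Files (or is an unqualified name resolved via PATH), O23 services marked "Unknown owner", and the distinct DLLs behind the repeated O10 Winsock LSP lines. The sample lines are constructed in the same format as the log above; the trusted-prefix and unknown-owner rules are this example's own heuristics for ordering a review, and as the poster's procexp.exe on D: shows, an entry they surface is often legitimate.

```python
"""Triage helper for a HijackThis v2 log: tally sections and pull out the
entries a reviewer should read first.

Added example, not HijackThis's own code. The sample lines are constructed in
the log's format; the "trusted prefix" and "Unknown owner" rules are this
example's own heuristics for ordering a manual review, not a verdict.
"""
import re
from collections import Counter

# Constructed sample modelled on the O1/O4/O10/O23 lines of the posted log.
SAMPLE_HJT = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 1.adbrite.com
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Start Killer] C:\Program Files\Start Killer\StartKiller.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - Startup: procexp.exe.lnk = D:\My Documents\3. PC\Tools Dow\Process Explorer\ProcessExplorer\procexp.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rsvpsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
# Registry-style O4 entries look like `HKLM\..\Run: [Name] command`
O4_REG_RE = re.compile(r"^[^\[]+:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def parse_hjt(text):
    """Return (section, body) pairs such as ("O4", "HKLM\\..\\Run: [egui] ...")."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def section_counts(entries):
    return dict(Counter(section for section, _ in entries))


def exe_path(cmd):
    """Executable part of an O4 command: the quoted path, else the text up to `.exe`."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def o4_target(body):
    """(name, path) for a registry-style or Startup-folder O4 body, or None."""
    m = O4_REG_RE.match(body)
    if m:
        return m.group("name"), exe_path(m.group("cmd"))
    if " = " in body:                      # Startup: foo.lnk = D:\path\foo.exe
        label, _, target = body.partition(" = ")
        return label.split(":", 1)[-1].strip(), target.strip()
    return None


def autoruns_outside_trusted(entries):
    """O4 autoruns whose executable is not under C:\\WINDOWS or C:\\Program Files.

    Unqualified names (resolved via PATH) are surfaced too. Legitimate tools
    kept on another drive land here, so this is a reading order, not a verdict.
    """
    flagged = []
    for section, body in entries:
        if section != "O4":
            continue
        target = o4_target(body)
        if target and not target[1].lower().startswith(TRUSTED_PREFIXES):
            flagged.append(target)
    return flagged


def parse_o23(body):
    """(name, owner, path) from `Service: Name (short) - Owner - Path`.

    Split from the right, because service display names may contain " - ".
    """
    rest = body.split(":", 1)[1].strip()
    head, sep1, path = rest.rpartition(" - ")
    name, sep2, owner = head.rpartition(" - ")
    if not (sep1 and sep2):
        return None
    return name.strip(), owner.strip(), path.strip()


def services_with_unknown_owner(entries):
    """O23 services HijackThis could not attribute to a publisher."""
    found = []
    for section, body in entries:
        if section == "O23":
            parsed = parse_o23(body)
            if parsed and parsed[1].lower() == "unknown owner":
                found.append((parsed[0], parsed[2]))
    return found


def lsp_dlls(entries):
    """Distinct DLLs in the Winsock LSP chain (the O10 lines repeat per layer)."""
    return sorted({body.split(":", 1)[1].strip().lower()
                   for section, body in entries if section == "O10"})


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_HJT)
    print("sections:", section_counts(entries))
    print("autoruns outside trusted paths:", autoruns_outside_trusted(entries))
    print("services with unknown owner:", services_with_unknown_owner(entries))
    print("LSP DLLs:", lsp_dlls(entries))
```

The O10 collapse matters for a log like the one above: twenty "Unknown file in Winsock LSP" lines reduce to three system DLLs, which is what a reviewer needs to know before deciding whether the LSP chain deserves attention at all.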


#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:07:09 AM

Posted 02 November 2008 - 09:33 PM

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please reply to this topic stating that you still need help and I will work with you on resolving your computer problems. If your problem has been resolved, please post a reply letting us know so we can close your topic.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.

Once again, I apologize for the delay in responding to this topic.

#4 admsupport

admsupport
  • Topic Starter

  • Members
  • 7 posts
  • Location:Japan

Posted 07 November 2008 - 12:08 AM

Hi, I had a CPU crash. I've replaced it. It took me some time to find a second-hand CPU + working fan (not easy to fix old laptops, especially to get the parts).

And yes, I still have the same problem. I am not good with firewall logs & ports (I mean not the basic stuff like opening them, but interpreting an attack). I have got a few apps which give false positives with my AV. Mostly cracking tools (i.e. SAMinside, PWdumps) and some keygen.exe (nothing scary there). Apart from that, any time I connect to a p2p server (utorrent) I get a HUGE number of connections; it freezes my internet connection and shuts down the PC. There are some signs of a DNS attack in the firewall log.

I understand you are overloaded with all the help requests. So thank you warmly for your support. Tell me what helps best and I will send you the new logs. I have been wondering if the firewall was not the cause. It is my understanding that ESET (NOD firewall) scans all incoming connections and redirects them to a different port (EKRN.EXE), but that does not change with or without the firewall.

It could also be (but that is not likely) that one of the programs was tampered with by malware? But really, really, I get nothing either with a KAV (Kaspersky) scan, NOD (unless my NOD holds the malware? Which I doubt, unless I am being paranoid), Spybot nothing, Malwarebytes nothing... Working mode or Safe mode = same result: nothing.

And this is not a setting. It worked fine before when I used utorrent. Suddenly, after installing some software (which one???), the connections to, and the IP addresses that connect, were strange. It is as if the PC was turned into a ZOMBIE. I'd be so glad if you can help; I am afraid it goes beyond my level of competence.

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 07 November 2008 - 01:38 PM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When following the instructions please install the Windows XP Recovery Console if you are using XP.

After running ComboFix, please post the ComboFix log as well as a brand new HijackThis as a reply to this topic.

#6 admsupport

admsupport
  • Topic Starter

  • Members
  • 7 posts
  • Location:Japan

Posted 12 November 2008 - 10:15 PM

ComboFix Log

ComboFix 08-11-11.01 - 2008-11-13 12:01:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.448 [GMT 9:00]
Running from: d:\my documents\4. PC\Tools Dow\Antivirus\ComboFix\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\Quarantine
c:\windows\IE4 Error Log.txt
c:\windows\system32\Cache
c:\windows\Tasks\JkDefragCmd.exe
c:\windows\Tasks\timeout.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13 )))))))))))))))))))))))))))))))
.

2008-11-12 18:19 . 2008-11-12 18:19 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-11 17:53 . 2008-11-11 17:53 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp mp3 (Fraunhofer IIS) Codec.bmp
2008-11-11 17:53 . 2008-11-11 17:55 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.bmp
2008-11-11 17:53 . 2008-11-11 17:57 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.bmp
2008-11-11 17:53 . 2008-11-11 17:53 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp [Calculate Audio CRC] Codec.bmp
2008-11-11 17:53 . 2008-11-11 17:53 3,153 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp mp3 (Fraunhofer IIS) Codec.dat
2008-11-11 17:53 . 2008-11-11 17:55 3,107 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.dat
2008-11-11 17:53 . 2008-11-11 17:57 2,987 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2008-11-11 17:53 . 2008-11-11 17:53 2,843 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp [Calculate Audio CRC] Codec.dat
2008-11-11 17:52 . 2008-11-11 17:51 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
2008-11-11 17:52 . 2008-11-11 17:52 13,853 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2008-11-11 16:11 . 2008-11-11 16:11 <DIR> d-------- c:\program files\PowerISO
2008-11-09 21:10 . 2008-11-09 21:10 <DIR> d-------- c:\program files\Webteh
2008-11-09 21:10 . 2008-11-09 22:11 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\BSplayer PRO
2008-11-09 00:48 . 2008-11-09 00:48 <DIR> d-------- c:\program files\DAMN NFO Viewer
2008-11-08 09:00 . 2008-11-08 09:00 2,015 -r-h----- c:\windows\system32\drivers\hosts
2008-11-08 08:59 . 2008-11-08 08:59 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-11-07 16:47 . 2008-11-07 16:47 <DIR> d-------- c:\program files\zabkat
2008-10-30 08:29 . 2008-10-30 08:29 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\JAM Software
2008-10-27 09:31 . 2007-03-05 20:37 54,272 -ra------ c:\windows\system32\drivers\OXUDIDRV_I64.sys
2008-10-27 09:31 . 2007-03-05 20:37 29,696 -ra------ c:\windows\system32\drivers\OXUDIDRV_X64.sys
2008-10-27 09:31 . 2007-03-05 20:37 21,248 -ra------ c:\windows\system32\drivers\OXUDIDRV_X32.sys
2008-10-27 09:31 . 2006-05-18 19:41 8,064 -ra------ c:\windows\system32\drivers\oxusb.sys
2008-10-25 16:01 . 2008-10-25 16:01 <DIR> d-------- c:\program files\PowerQuest
2008-10-25 08:56 . 2008-10-25 10:21 <DIR> d-------- c:\program files\SpywareBlaster
2008-10-25 07:51 . 2008-10-25 07:51 80 --a------ c:\windows\wininit.ini
2008-10-24 18:38 . 2008-10-24 18:38 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\TechSmith
2008-10-24 10:40 . 2008-10-24 10:40 <DIR> d-------- c:\program files\Easy CD-DA Extractor 11
2008-10-24 08:48 . 2008-11-11 13:59 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-10-24 08:47 . 2008-10-24 08:47 <DIR> d-------- c:\windows\Easy CD-DA Extractor 11.5
2008-10-24 07:06 . 2008-10-24 07:06 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\dBpoweramp
2008-10-24 06:37 . 2008-10-24 06:37 <DIR> d-------- c:\program files\Illustrate
2008-10-24 06:37 . 2008-11-11 17:58 652,152 --a------ c:\windows\system32\SpoonUninstall.exe
2008-10-23 21:35 . 2008-10-23 22:43 <DIR> d-------- c:\program files\uTorrent
2008-10-23 21:35 . 2008-11-13 11:58 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\uTorrent
2008-10-23 13:25 . 2008-10-23 13:26 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\Audio Recorder Titanium
2008-10-23 13:24 . 2008-10-23 13:25 <DIR> d-------- c:\program files\Audio Recorder Titanium
2008-10-21 15:47 . 2008-10-21 15:47 <DIR> d-------- c:\windows\system32\inf32
2008-10-21 15:47 . 2008-10-21 15:47 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\GPSoftware
2008-10-21 15:22 . 2008-10-21 15:22 <DIR> d-------- c:\program files\GPSoftware
2008-10-21 15:22 . 2008-10-21 15:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\GPSoftware
2008-10-21 09:18 . 2008-10-21 16:07 <DIR> d-------- c:\program files\SpeedProject
2008-10-21 00:14 . 2008-10-21 00:14 <DIR> d-------- c:\program files\2BrightSparks
2008-10-21 00:14 . 2008-10-21 00:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\2BrightSparks
2008-10-21 00:14 . 2007-10-29 13:52 886,008 --a------ c:\windows\system32\SNU.dll
2008-10-20 22:58 . 2008-10-21 01:32 <DIR> d-------- c:\program files\ophcrack
2008-10-20 21:19 . 2008-10-20 21:19 <DIR> d-------- c:\program files\Miranda IM
2008-10-20 21:19 . 2008-10-20 21:20 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\Miranda
2008-10-20 19:38 . 2008-11-12 16:45 <DIR> d-------- C:\[Folder C]
2008-10-20 16:40 . 2008-10-20 16:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Equation Wizard
2008-10-20 12:55 . 2008-10-25 10:22 <DIR> d-------- c:\documents and settings\SONY1\ASPNET
2008-10-20 12:55 . 2008-10-20 12:55 <DIR> d-------- c:\documents and settings\SONY1
2008-10-20 10:05 . 2008-10-23 10:17 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-20 10:05 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-20 10:05 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-20 09:59 . 2008-11-11 10:00 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-10-20 09:59 . 2008-10-20 11:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-18 23:47 . 2008-10-18 23:55 <DIR> d-------- c:\program files\RegCure
2008-10-17 15:46 . 2008-10-17 15:46 <DIR> d-------- c:\program files\Eraser
2008-10-17 15:46 . 2008-10-17 15:46 <DIR> d--h----- c:\documents and settings\All Users\Application Data\{A25FEDC1-F6D7-440C-BCE2-B71F595F6646}
2008-10-16 18:51 . 2008-10-16 18:51 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\ESET
2008-10-16 18:50 . 2008-10-16 18:50 <DIR> d-------- c:\program files\ESET
2008-10-16 18:47 . 2008-10-16 18:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-10-16 07:36 . 2008-10-16 07:36 <DIR> d-------- c:\program files\Intelore
2008-10-15 13:52 . 2008-10-15 13:52 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\Thinstall
2008-10-15 09:57 . 2008-11-12 18:21 1,393 --a------ c:\windows\imsins.BAK
2008-10-15 08:54 . 2008-10-15 08:54 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\USBSafelyRemove
2008-10-15 00:07 . 2008-10-15 00:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-10-15 00:07 . 2008-10-15 10:19 4,212 --ah----- c:\windows\system32\zllictbl.dat
2008-10-15 00:06 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
2008-10-15 00:05 . 2008-10-16 18:42 <DIR> d-------- c:\windows\system32\ZoneLabs
2008-10-15 00:04 . 2008-10-16 18:42 <DIR> d-------- c:\windows\Internet Logs
2008-10-14 14:56 . 2008-10-15 00:14 <DIR> d-------- c:\program files\Camouflage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 02:21 --------- d-----w c:\program files\OO Software
2008-11-12 09:25 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-12 08:43 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\foobar2000
2008-11-11 08:36 --------- d-----w c:\program files\The KMPlayer1431
2008-11-09 13:02 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\RapidUploader
2008-11-07 23:52 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\TrueCrypt
2008-11-07 09:29 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\Orbit
2008-11-07 03:23 --------- d-----w c:\program files\Orbitdownloader
2008-10-31 03:12 --------- d-----w c:\program files\Free Unit Converter
2008-10-28 22:05 --------- d-----w c:\program files\BUFFALO
2008-10-27 01:10 235,840 ----a-w c:\windows\system32\drivers\truecrypt.sys
2008-10-25 08:01 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-10-25 07:02 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-25 02:07 --------- d-----w c:\program files\TrueCrypt
2008-10-25 01:04 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\dvdcss
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:17 --------- d-----w c:\program files\foobar2000
2008-10-23 04:19 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\Audacity
2008-10-14 23:40 5,632 ----a-w c:\windows\system32\cisvc.exe
2008-10-14 09:23 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\Any Video Converter
2008-10-13 01:33 --------- d-----w c:\program files\Cain
2008-10-12 22:02 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-12 22:00 --------- d-----w c:\program files\JkDefragGUI
2008-10-12 08:39 --------- d-----w c:\program files\Foundstone Free Tools
2008-10-12 00:09 --------- d-----w c:\program files\Sandboxie
2008-10-10 22:10 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\ieSpell
2008-10-09 23:55 --------- d-----w c:\program files\WinPcap
2008-10-09 06:54 --------- d-----w c:\program files\Common Files\Adobe
2008-10-09 04:20 --------- d-----w c:\program files\BurnAware Professional
2008-10-09 01:28 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-08 10:37 --------- d-----w c:\program files\DivX
2008-10-08 08:51 --------- d-----w c:\program files\VideoLAN
2008-10-08 08:20 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\DivX
2008-10-08 04:00 --------- d-----w c:\program files\URLSnooper2
2008-10-08 03:59 --------- d-----w c:\program files\ScreenshotCaptor
2008-10-08 03:31 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\DVD Flick
2008-10-08 02:06 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\Ashampoo
2008-10-07 14:32 --------- d-----w c:\program files\LeConjugueur
2008-10-07 03:39 --------- d---a-w c:\program files\Canon
2008-10-07 03:39 --------- d-----w c:\program files\Real Alternative
2008-10-07 03:39 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\OfficeUpdate12
2008-10-06 13:15 --------- d-----w c:\program files\UnicodeImageMaker
2008-10-06 08:34 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-10-06 07:30 --------- d-----w c:\documents and settings\All Users\Application Data\ashampoo
2008-10-06 07:28 --------- d-----w c:\program files\Ashampoo
2008-10-06 03:45 --------- d-----w c:\documents and settings\All Users\Application Data\TechSmith
2008-10-06 03:44 --------- d-----w c:\program files\TechSmith
2008-10-06 01:56 --------- d-----w c:\program files\RegEditX
2008-10-05 02:09 --------- d-----w c:\program files\Alcohol Soft
2008-10-02 10:19 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\BatchRename
2008-10-02 05:27 --------- d-----w c:\program files\BatchRename Pro
2008-10-02 04:25 --------- d-----w c:\program files\metamorphose-2
2008-10-02 04:25 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\.metamorphose2
2008-09-30 07:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-30 05:18 --------- d-----w c:\program files\DVD Flick
2008-09-29 06:37 --------- d-----w c:\program files\VolumeTray
2008-09-29 02:14 --------- d-----w c:\program files\MSECache
2008-09-27 00:42 --------- d-----w c:\program files\IrfanView
2008-09-23 01:26 --------- d-----w c:\program files\Any Video Converter
2008-09-22 21:36 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\SolidDocuments
2008-09-22 21:17 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\GlarySoft
2008-09-22 13:15 --------- d-----w c:\program files\Glary Utilities
2008-09-18 12:04 --------- d-----w c:\program files\Medieval Software
2008-09-18 10:59 --------- d-----w c:\program files\SyncToy 2.0
2008-09-18 10:56 --------- d-----w c:\program files\Microsoft Sync Framework
2008-09-18 09:39 --------- d-----w c:\program files\ieSpell
2008-09-17 08:05 794,906 ----a-w c:\windows\unins000.exe
2008-09-17 08:05 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\FFSJ
2008-09-17 06:18 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\DonationCoder
2008-09-17 06:18 --------- d-----w c:\documents and settings\All Users\Application Data\DonationCoder
2008-09-16 00:11 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-15 22:39 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\Hulubulu
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 06:18 --------- d-----w c:\program files\ReNamer
2008-09-15 04:41 --------- d-----w c:\program files\metamorphose
2008-09-15 04:41 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\.metamorphose
2008-09-14 10:28 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\Mp3tag
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-03 21:02 730,368 ----a-w c:\windows\system32\oodsvct.exe
2008-09-03 21:02 1,295,616 ----a-w c:\windows\system32\oodag.exe
2008-09-03 21:01 2,524,416 ----a-w c:\windows\system32\oodtray.exe
2008-09-03 21:01 194,816 ----a-w c:\windows\system32\oodbs.exe
2008-09-03 20:58 9,984 ----a-w c:\windows\system32\oodbsrs.dll
2008-09-03 20:58 894,208 ----a-w c:\windows\system32\oodtrrs.dll
2008-09-03 20:58 8,448 ----a-w c:\windows\system32\oodagrs.dll
2008-09-03 20:58 15,616 ----a-w c:\windows\system32\oodagmg.dll
2008-08-31 12:47 98,304 ----a-w c:\windows\system32\JkDefragScreenSaver.scr
2008-08-31 12:47 238,592 ----a-w c:\windows\system32\JkDefragScreenSaver.exe
2008-08-29 20:20 15,104 ----a-w c:\windows\system32\ootmapi.dll
2008-08-29 11:06 1,350,664 ----a-w c:\windows\system32\msxml6.dll
2008-08-28 08:00 74,752 ----a-w c:\windows\system32\msw3prt.dll
2008-08-28 08:00 104,448 ----a-w c:\windows\system32\win32spl.dll
2008-08-21 18:08 878,592 ----a-w c:\windows\system32\wininet.dll
2008-08-21 18:08 43,008 ----a-w c:\windows\system32\licmgr10.dll
2008-08-21 18:07 18,944 ----a-w c:\windows\system32\corpol.dll
2008-08-21 18:06 72,704 ----a-w c:\windows\system32\admparse.dll
2008-08-21 18:06 71,680 ----a-w c:\windows\system32\iesetup.dll
2008-08-21 18:06 434,176 ----a-w c:\windows\system32\vbscript.dll
2008-08-21 18:05 48,640 ------w c:\windows\system32\PrivacIE.dll
2008-08-21 18:05 48,128 ----a-w c:\windows\system32\mshtmler.dll
2007-06-29 05:21 108 --sha-r c:\windows\neoqaz2.dll
2007-03-21 08:57 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Start Killer"="c:\program files\Start Killer\StartKiller.exe" [2004-02-04 57344]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-10-06 4608]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-09-02 716800]
"Eraser"="c:\program files\Eraser\eraser.exe" [2007-12-23 916240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Directory Opus Desktop Dblclk"="c:\program files\GPSoftware\Directory Opus\dopusrt.exe" [2008-02-23 275952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-19 335872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-01-10 86105]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-10 774233]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2003-12-02 94208]
"IMJPMIG9.0"="c:\progra~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE" [2007-04-19 125792]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-08 15872]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"VolumeTray"="c:\program files\VolumeTray\VolumeTray.exe" [2003-02-19 180224]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"OODefragTray"="c:\windows\system32\oodtray.exe" [2008-09-04 2524416]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 1447168]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2008-10-22 399504]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"ooccctrl.exe"="c:\program files\OO Software\CleverCache\ooccctrl.exe" [2007-01-28 1911568]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 c:\windows\system32\narrator.exe]

c:\documents and settings\PCG-K66P\Start Menu\Programs\Startup\
BUFFALO Power Save Utility for HD.lnk - c:\program files\BUFFALO\HDManage\HDManage.exe [2006-09-11 69632]
Mute at Exit.lnk - d:\my documents\4. PC\Tools Dow\XP Desktop Tools and Themes\Mute and Setvol\mute.exe [2008-09-29 325632]
procexp.exe.lnk - d:\my documents\4. PC\Tools Dow\Process Explorer\ProcessExplorer\procexp.exe [2008-10-14 3520552]
PureText.lnk - d:\my documents\4. PC\Tools Dow\XP Desktop Tools and Themes\PureText\PureText.exe [2008-09-16 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ClientManager3.lnk - c:\program files\BUFFALO\Client Manager3\cm3_tray.exe [2006-02-10 466944]
DateInTray.lnk - c:\program files\DateInTray\DateInTray.exe [2006-02-15 78848]
Shortcut to dynamicIP.lnk - c:\program files\Lowrie Associates Ltd\dynamicIP\dynamicIP.exe [2006-02-24 458752]
SnagIt 9.lnk - c:\program files\TechSmith\SnagIt 9\SnagIt32.exe [2008-09-22 6825288]
TrueCrypt.lnk - c:\program files\TrueCrypt\TrueCrypt.exe [2008-01-07 1225920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.ivimp3en"= ivimp3en.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BUFFALO\\Client Manager3\\BWSVC\\bwsvc.exe"=
"c:\\Program Files\\BUFFALO\\Client Manager3\\AOSS\\aoss.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"c:\\Program Files\\Ratajik Software\\StationRipper\\StationRipperConsole.exe"=
"c:\\Program Files\\IrfanView\\i_view32.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"465:TCP"= 465:TCP:Gmail 465

R1 BUFADPT;BUFADPT;c:\windows\system32\BUFADPT.SYS [2006-09-12 9600]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
R1 OxFWLF;OxFWLF;c:\windows\system32\drivers\OxFWLF.sys [2003-12-03 12043]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
R2 Audsub3;Audsub3;c:\windows\SYSTEM32\Drivers\Audsub3.sys [2005-04-06 2785]
R2 Jcpacket;Fldp Packet Driver;c:\windows\system32\DRIVERS\Jcpacket.sys [2002-04-24 10880]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-10-22 170640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-10-22 15504]
R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [2008-09-02 100352]
S3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\DRIVERS\CBG54.sys [2005-11-01 372480]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-07 34064]
S3 OXUDIDRV;OXUDIDRV;c:\windows\system32\Drivers\OXUDIDRV_X32.sys [2007-03-05 21248]
S3 OxUSBLF;OxUSBLF;c:\windows\system32\drivers\OxUSBLF.sys [2005-06-01 7296]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-10-18 23:48]

2008-10-18 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-10-18 23:48]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\PCG-K66P\Application Data\Mozilla\Firefox\Profiles\1s0lw5mv.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - c:\program files\Adobe\Acrobat 9.0\Acrobat\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-13 12:05:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-11-13 12:06:59
ComboFix-quarantined-files.txt 2008-11-13 03:06:28

Pre-Run: 10,163,113,984 bytes free
Post-Run: 10,257,698,816 bytes free

323 --- E O F --- 2008-11-12 09:27:57


HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:18, on 2008-11-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\OO Software\CleverCache\ooccag.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\VolumeTray\VolumeTray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\oodtray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\OO Software\CleverCache\ooccctrl.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Start Killer\StartKiller.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe
C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
C:\Program Files\DateInTray\DateInTray.exe
C:\Program Files\Lowrie Associates Ltd\dynamicIP\dynamicIP.exe
C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\BUFFALO\HDManage\HDManage.exe
D:\My Documents\4. PC\Tools Dow\XP Desktop Tools and Themes\Mute and Setvol\mute.exe
D:\My Documents\4. PC\Tools Dow\Process Explorer\ProcessExplorer\procexp.exe
D:\My Documents\4. PC\Tools Dow\XP Desktop Tools and Themes\PureText\PureText.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TechSmith\SnagIt 9\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe
C:\Program Files\TechSmith\SnagIt 9\snagiteditor.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
D:\My Documents\4. PC\Tools Dow\Antivirus\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 ___id___.c.mystat-in.net
O1 - Hosts: 127.0.0.1 0.r.msn.com
O1 - Hosts: 127.0.0.1 000dom.revenuedirect.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 00a0-f0d5-a44e-33s6.cnc-inc.cn
O1 - Hosts: 127.0.0.1 00fun.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 011707160008.c.mystat-in.net
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 061606084448.c.mystat-in.net
O1 - Hosts: 127.0.0.1 070806142521.c.mystat-in.net
O1 - Hosts: 127.0.0.1 090906042103.c.mystat-in.net
O1 - Hosts: 127.0.0.1 092706152958.c.mystat-in.net
O1 - Hosts: 127.0.0.1 093qpeuqpmz6ebfa.com
O1 - Hosts: 127.0.0.1 0ki.ru
O1 - Hosts: 127.0.0.1 0ml.net
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 0texkax7c6hzuidk.com
O1 - Hosts: 127.0.0.1 1.9797aiai.com
O1 - Hosts: 127.0.0.1 1.adbrite.com
O1 - Hosts: 127.0.0.1 1.marketbanker.com
O1 - Hosts: 127.0.0.1 1.primaryads.com
O1 - Hosts: 127.0.0.1 1.xqhgm.com
O1 - Hosts: 127.0.0.1 100.mbn.com.ua
O1 - Hosts: 127.0.0.1 100.topnews.ru
O1 - Hosts: 127.0.0.1 10000hits.net
O1 - Hosts: 127.0.0.1 10006.hittail.com
O1 - Hosts: 127.0.0.1 10016.searchmiracle.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 100webads.com
O1 - Hosts: 127.0.0.1 10168.hittail.com
O1 - Hosts: 127.0.0.1 102.112.207.net
O1 - Hosts: 127.0.0.1 102.112.2o7.net
O1 - Hosts: 127.0.0.1 102.122.2o7.net
O1 - Hosts: 127.0.0.1 102106151057.c.mystat-in.net
O1 - Hosts: 127.0.0.1 103bees.com
O1 - Hosts: 127.0.0.1 1047.www1.p0rt2.com
O1 - Hosts: 127.0.0.1 10661.kit.carpediem.fr
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 10xhellometro.112.2o7.net
O1 - Hosts: 127.0.0.1 11.rtcode.com
O1 - Hosts: 127.0.0.1 11.rtstats.com
O1 - Hosts: 127.0.0.1 112006133326.c.mystat-in.net
O1 - Hosts: 127.0.0.1 117.mylongtail.com
O1 - Hosts: 127.0.0.1 11731.kit.carpediem.fr
O1 - Hosts: 127.0.0.1 1188224372.com
O1 - Hosts: 127.0.0.1 11968.www1.p0rt2.com
O1 - Hosts: 127.0.0.1 11qe.com
O1 - Hosts: 127.0.0.1 11zz.com
O1 - Hosts: 127.0.0.1 120.mbn.com.ua
O1 - Hosts: 127.0.0.1 123.fluxads.com
O1 - Hosts: 127.0.0.1 1234.2bro.com
O1 - Hosts: 127.0.0.1 12345dns.net
O1 - Hosts: 127.0.0.1 123ads.nl
O1 - Hosts: 127.0.0.1 123count.com
O1 - Hosts: 127.0.0.1 123go.com
O1 - Hosts: 127.0.0.1 123mania.com
O1 - Hosts: 127.0.0.1 123stat.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 124365.com
O1 - Hosts: 127.0.0.1 1262.hittail.com
O1 - Hosts: 127.0.0.1 12877.hittail.com
O1 - Hosts: 127.0.0.1 13175.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 13223.hittail.com
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 14228.hittail.com
O1 - Hosts: 127.0.0.1 14713804a.l2m.net
O1 - Hosts: 127.0.0.1 15141.hittail.com
O1 - Hosts: 127.0.0.1 1559.stats.misstrends.com
O1 - Hosts: 127.0.0.1 15694.hittail.com
O1 - Hosts: 127.0.0.1 160.mbn.com.ua
O1 - Hosts: 127.0.0.1 163ns.com
O1 - Hosts: 127.0.0.1 16565.hittail.com
O1 - Hosts: 127.0.0.1 16643.kit.carpediem.fr
O1 - Hosts: 127.0.0.1 16755.dialer.lincassa.com
O1 - Hosts: 127.0.0.1 17067.dialer.lincassa.com
O1 - Hosts: 127.0.0.1 171203.com
O1 - Hosts: 127.0.0.1 17-plus.com
O1 - Hosts: 127.0.0.1 1800.stats.misstrends.com
O1 - Hosts: 127.0.0.1 1800searchonline.com
O1 - Hosts: 127.0.0.1 180searchassistant.com
O1 - Hosts: 127.0.0.1 180solutions.com
O1 - Hosts: 127.0.0.1 181.365soft.info
O1 - Hosts: 127.0.0.1 1866.www1.p0rt2.com
O1 - Hosts: 127.0.0.1 1867.stats.misstrends.com
O1 - Hosts: 127.0.0.1 18girl-av.com
O1 - Hosts: 127.0.0.1 19097.hittail.com
O1 - Hosts: 127.0.0.1 192.168.112.2o7.net
O1 - Hosts: 127.0.0.1 192.168.122.2o7.net
O1 - Hosts: 127.0.0.1 19500.hittail.com
O1 - Hosts: 127.0.0.1 1987324.com
O1 - Hosts: 127.0.0.1 1amanda.info
O1 - Hosts: 127.0.0.1 1au.cqcounter.com
O1 - Hosts: 127.0.0.1 1bm.cqcounter.com
O1 - Hosts: 127.0.0.1 1ca.cqcounter.com
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [VolumeTray] C:\Program Files\VolumeTray\VolumeTray.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ooccctrl.exe] C:\Program Files\OO Software\CleverCache\ooccctrl.exe /tasktray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Start Killer] C:\Program Files\Start Killer\StartKiller.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Directory Opus Desktop Dblclk] "C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe" /dblclk
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: BUFFALO Power Save Utility for HD.lnk = C:\Program Files\BUFFALO\HDManage\HDManage.exe
O4 - Startup: Mute at Exit.lnk = D:\My Documents\4. PC\Tools Dow\XP Desktop Tools and Themes\Mute and Setvol\mute.exe
O4 - Startup: procexp.exe.lnk = D:\My Documents\4. PC\Tools Dow\Process Explorer\ProcessExplorer\procexp.exe
O4 - Startup: PureText.lnk = D:\My Documents\4. PC\Tools Dow\XP Desktop Tools and Themes\PureText\PureText.exe
O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
O4 - Global Startup: DateInTray.lnk = C:\Program Files\DateInTray\DateInTray.exe
O4 - Global Startup: Shortcut to dynamicIP.lnk = C:\Program Files\Lowrie Associates Ltd\dynamicIP\dynamicIP.exe
O4 - Global Startup: SnagIt 9.lnk = C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
O4 - Global Startup: TrueCrypt.lnk = C:\Program Files\TrueCrypt\TrueCrypt.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winrnr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rsvpsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rsvpsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O18 - Filter: application/octet-stream - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll
O18 - Filter: application/x-complus - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll
O18 - Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - (no file)
O18 - Filter: application/x-msdownload - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll
O18 - Filter: Class Install Handler - {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\SHELL32.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\SHELL32.dll
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\SHELL32.dll
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Alerter - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Application Layer Gateway Service (ALG) - Microsoft Corporation - C:\WINDOWS\System32\alg.exe
O23 - Service: Application Management (AppMgmt) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Microsoft Corporation - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Windows Audio (AudioSrv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Computer Browser (Browser) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
O23 - Service: Indexing Service (CiSvc) - Microsoft Corporation - C:\WINDOWS\system32\cisvc.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Microsoft Corporation - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
O23 - Service: COM+ System Application (COMSysApp) - Microsoft Corporation - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Cryptographic Services (CryptSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: DHCP Client (Dhcp) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Logical Disk Manager (dmserver) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: DNS Client (Dnscache) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Error Reporting Service (ERSvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Event Log (Eventlog) - Microsoft Corporation - C:\WINDOWS\system32\services.exe
O23 - Service: COM+ Event System (EventSystem) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Fax - Microsoft Corporation - C:\WINDOWS\system32\fxssvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Windows Presentation Foundation Font Cache 3.0.0.0 (FontCache3.0.0.0) - Microsoft Corporation - C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
O23 - Service: Help and Support (helpsvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: HID Input Service (HidServ) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: HTTP SSL (HTTPFilter) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Windows CardSpace (idsvc) - Microsoft Corporation - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Microsoft Corporation - C:\WINDOWS\system32\imapi.exe
O23 - Service: Server (lanmanserver) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Workstation (lanmanworkstation) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Machine Debug Manager (MDM) - Microsoft Corporation - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Microsoft Corporation - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Microsoft Corporation - C:\WINDOWS\system32\msdtc.exe
O23 - Service: FTP Publishing (MSFtpsvc) - Microsoft Corporation - C:\WINDOWS\system32\inetsrv\inetinfo.exe
O23 - Service: Windows Installer (MSIServer) - Microsoft Corporation - C:\WINDOWS\system32\msiexec.exe
O23 - Service: Net Logon (Netlogon) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Network Connections (Netman) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Removable Storage (NtmsSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Microsoft Office Diagnostics Service (odserv) - Microsoft Corporation - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
O23 - Service: O&O CleverCache Agent (OOCleverCacheAgent) - O&O Software GmbH - C:\Program Files\OO Software\CleverCache\ooccag.exe
O23 - Service: Office Source Engine (ose) - Microsoft Corporation - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
O23 - Service: Plug and Play (PlugPlay) - Microsoft Corporation - C:\WINDOWS\system32\services.exe
O23 - Service: IPSEC Services (PolicyAgent) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Protected Storage (ProtectedStorage) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Access Connection Manager (RasMan) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Microsoft Corporation - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Registry (RemoteRegistry) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Microsoft Corporation - C:\WINDOWS\system32\locator.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: QoS RSVP (RSVP) - Microsoft Corporation - C:\WINDOWS\system32\rsvp.exe
O23 - Service: Security Accounts Manager (SamSs) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Smart Card (SCardSvr) - Microsoft Corporation - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Task Scheduler (Schedule) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Secondary Logon (seclogon) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: System Event Notification (SENS) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Print Spooler (Spooler) - Microsoft Corporation - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: System Restore Service (srservice) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: SSDP Discovery Service (SSDPSRV) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Microsoft Corporation - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Microsoft Corporation - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telephony (TapiSrv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Terminal Services (TermService) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Themes - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Universal Plug and Play Device Host (upnphost) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Microsoft Corporation - C:\WINDOWS\System32\ups.exe
O23 - Service: Volume Shadow Copy (VSS) - Microsoft Corporation - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Windows Time (W32Time) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: World Wide Web Publishing (W3SVC) - Microsoft Corporation - C:\WINDOWS\system32\inetsrv\inetinfo.exe
O23 - Service: WebClient - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Management Instrumentation (winmgmt) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Microsoft Corporation - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Microsoft Corporation - C:\Program Files\Windows Media Player\WMPNetwk.exe
O23 - Service: Security Center (wscsvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Automatic Updates (wuauserv) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Network Provisioning Service (xmlprov) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe

--
End of file - 32072 bytes


=================================================================
Thanks for getting back to me with your findings.

admsupport

Edited by admsupport, 13 November 2008 - 07:21 AM.
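Reading a HijackThis log of this length by hand is slow, and most of it (the O1 blocklist hosts entries, the repeated O10 lines for the stock Winsock providers, the Microsoft-owned O23 services) is noise. The script below is an added example, not part of this thread and not a HijackThis feature: it parses the O1, O4, O10 and O23 sections and keeps only the entries a reviewer would look at first. The sample lines are copied from the log above except for the `203.0.113.5` O1 line, which is constructed to exercise the hosts-redirect check. The trusted path roots, the set of stock XP LSP DLLs (mswsock.dll, winrnr.dll, rsvpsp.dll) and the short list of network-facing service names are this example's own assumptions.

```python
"""Triage a HijackThis (HJT) log: parse the hosts (O1), autostart (O4), Winsock LSP
(O10) and service (O23) sections and flag the entries a reviewer looks at first.
Added example, not part of the forum thread or of HijackThis itself."""
import re

# Sample lines: all but the "203.0.113.5" O1 line are copied from the log posted
# above; that one line is constructed to exercise the hosts-redirect check.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 203.0.113.5 update.microsoft.com
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [Start Killer] C:\Program Files\Start Killer\StartKiller.exe
O4 - Startup: procexp.exe.lnk = D:\My Documents\4. PC\Tools Dow\Process Explorer\ProcessExplorer\procexp.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winrnr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rsvpsp.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: World Wide Web Publishing (W3SVC) - Microsoft Corporation - C:\WINDOWS\system32\inetsrv\inetinfo.exe
"""

# Assumed trusted install roots (example's choice).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Blocklist-style hosts files sinkhole to loopback or 0.0.0.0; anything else is a redirect.
SINKHOLES = {"127.0.0.1", "0.0.0.0"}
# Domains malware commonly blocks in the hosts file so the victim cannot update or clean up.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "eset.com", "malwarebytes.org")
# Winsock LSP DLLs that ship with Windows XP; HJT labels every LSP "Unknown file".
STOCK_LSP = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}
# Service short names that accept connections from the network once running.
NETWORK_SERVICES = {"W3SVC", "MSFtpsvc", "rpcapd", "TermService", "RemoteRegistry"}

_PATH = re.compile(r'(?i)"?([a-z]:\\[^"]*?\.(?:exe|dll|sys))"?')


def exe_path(command):
    """First absolute executable path in an O4 command line, or None."""
    m = _PATH.search(command)
    return m.group(1) if m else None


def under_trusted_root(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def protected_domain(host):
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def triage(log_text):
    """Return (section, item, reason, detail) tuples for entries that need a look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("O1 - Hosts: "):
            addr, host = line[len("O1 - Hosts: "):].split(None, 1)
            if addr not in SINKHOLES:
                findings.append(("O1", host, "hosts entry redirects rather than sinkholes", addr))
            elif protected_domain(host):
                findings.append(("O1", host, "update/AV domain blocked in hosts file", addr))
        elif line.startswith("O4 - "):
            body = line[len("O4 - "):].split(": ", 1)[1]
            m = re.match(r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)", body)  # Run-key shape
            if m:
                name, cmd = m.group("name"), m.group("cmd")
            elif " = " in body:                                      # Startup-folder .lnk shape
                name, cmd = body.split(" = ", 1)
            else:
                continue
            path = exe_path(cmd)
            if path is None:
                findings.append(("O4", name, "no absolute path; resolved via search path", cmd))
            elif not under_trusted_root(path):
                findings.append(("O4", name, "autostart outside Windows/Program Files", path))
        elif line.startswith("O10 - "):
            dll = line.rsplit(": ", 1)[1].lower()
            if dll.rsplit("\\", 1)[-1] not in STOCK_LSP:
                findings.append(("O10", dll, "non-stock Winsock LSP", dll))
        elif line.startswith("O23 - Service: "):
            # rsplit keeps service display names that themselves contain " - " intact.
            name, vendor, path = line[len("O23 - Service: "):].rsplit(" - ", 2)
            m = re.search(r"\(([^()]+)\)$", name)
            short = m.group(1) if m else name
            if vendor == "Unknown owner":
                findings.append(("O23", short, "service binary carries no company name", path))
            if short in NETWORK_SERVICES:
                findings.append(("O23", short, "network-listening service; confirm it is wanted", path))
            if not under_trusted_root(path):
                findings.append(("O23", short, "service binary outside Windows/Program Files", path))
    return findings


if __name__ == "__main__":
    for section, item, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {item:<22} {reason:<50} {detail}")
```

"Unknown owner" only means the binary carries no company name in its version resource, so a hit there (Ati2evxx.exe here) is a prompt to check the file's hash, not a verdict. The same goes for the network-facing services: IIS (W3SVC, MSFtpsvc) and WinPcap's rpcapd are legitimate, but each is an extra listener on a machine whose owner is worried about unexplained connections.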


#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 14 November 2008 - 10:15 AM

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\imsins.BAK

Dirlook::
c:\windows\system32\inf32


Save this as the text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

#8 admsupport

admsupport
  • Topic Starter

  • Members
  • 7 posts
  • Location:Japan

Posted 14 November 2008 - 07:44 PM

Hi,

I am posting the new logs in the following message. I have time now and I will check daily for your answer.

I understand you are busy, but do you mind taking some time to explain what (if anything) you have found, and where?
A fix will not help much if I re-install an infected program.

I run my keygens in a sandbox; I can see when one is not genuine (it seldom happens, though), so they are not the cause. I am still perplexed by the HUGE number of connections and the internet disconnection/freezing any time I am using P2P software, i.e. uTorrent. There again, uTorrent is not the cause.

These are the attacks I am under any time I use uTorrent (click on the thumbnail).

My information (to relate to the print screen of the firewall log)
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Et
Physical Address. . . . . . . . . : 08-00-46-CF-00-D9
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.3.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.3.1
DHCP Server . . . . . . . . . . . : 192.168.3.1
DNS Servers . . . . . . . . . . . : 192.168.3.1

If an application were modifying my system, my AV or software like Spybot would kick in. So the way I see it, I probably (knowingly or not) authorized an application to genuinely operate?

Thank you.

Edited by admsupport, 15 November 2008 - 02:14 AM.
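The post above describes a very long NETSTAT listing whenever uTorrent is running. A torrent client legitimately holds dozens of connections to different peers on assorted ports, so the length of the list says little by itself; what matters is how the connections group by owning process, which `netstat -ano` shows on XP. The script below is an added example, not part of this thread: it summarises `netstat -ano` output per PID, separates peer fan-out from processes holding one or two connections plus a listener, and returns the PIDs worth resolving with `tasklist`. The netstat rows are constructed (the local address 192.168.3.2 is taken from the ipconfig output above, the remote addresses are from the RFC 5737 documentation ranges, and the PIDs, including the uTorrent-like 1588, are invented); the fan-out threshold of five peers is also this example's assumption.

```python
"""Summarise Windows `netstat -ano` output per owning process so a long connection
list becomes readable: a P2P client legitimately fans out to many peers, while a
backdoor typically holds one or two long-lived connections or an unexpected listener.
Added example, not part of the forum thread."""
import re
from collections import defaultdict

# Constructed sample in the Windows XP `netstat -ano` layout. The local address
# 192.168.3.2 is the one from the ipconfig output in the thread; remote addresses
# come from the RFC 5737 documentation ranges and the PIDs are invented.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2244
  TCP    192.168.3.2:16881      0.0.0.0:0              LISTENING       1588
  TCP    192.168.3.2:1501       203.0.113.10:6881      ESTABLISHED     1588
  TCP    192.168.3.2:1502       203.0.113.27:51413     ESTABLISHED     1588
  TCP    192.168.3.2:1503       203.0.113.44:6889      ESTABLISHED     1588
  TCP    192.168.3.2:1504       198.51.100.9:6881      ESTABLISHED     1588
  TCP    192.168.3.2:1505       198.51.100.75:49152    ESTABLISHED     1588
  TCP    192.168.3.2:1506       198.51.100.201:6881    TIME_WAIT       0
  TCP    192.168.3.2:1600       198.51.100.250:443     ESTABLISHED     2244
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.3.2:16881      *:*                                    1588
"""

FANOUT_MIN = 5  # distinct remote hosts before a process counts as "many peers" (assumed)

# Proto, local, foreign, optional state (UDP rows have none), PID.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def summarize(netstat_text):
    """Return {pid: {"remote_hosts": n, "established": n, "ports_open": [...]}}.
    UDP bound sockets count as open ports. PID 0 rows (TIME_WAIT sockets that no
    longer belong to any process) are skipped."""
    per_pid = defaultdict(lambda: {"remotes": set(), "established": 0, "ports": set()})
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, local, foreign, state, pid = m.groups()
        pid = int(pid)
        if pid == 0:
            continue
        entry = per_pid[pid]
        if state == "ESTABLISHED":
            entry["remotes"].add(foreign.rsplit(":", 1)[0])
            entry["established"] += 1
        elif state == "LISTENING" or (proto == "UDP" and foreign == "*:*"):
            entry["ports"].add(int(local.rsplit(":", 1)[1]))
    return {pid: {"remote_hosts": len(e["remotes"]),
                  "established": e["established"],
                  "ports_open": sorted(e["ports"])}
            for pid, e in per_pid.items()}


def classify(entry):
    if entry["remote_hosts"] >= FANOUT_MIN:
        return "fan-out"        # many peers on assorted ports: what a torrent client looks like
    if entry["remote_hosts"] > 0:
        return "single-peer"    # a few long-lived connections: identify the process
    return "listener-only" if entry["ports_open"] else "idle"


def suspects(summary):
    """PIDs to resolve with `tasklist /svc /fi "PID eq N"`: not a peer fan-out, yet
    holding an open port above 1023."""
    return sorted(pid for pid, e in summary.items()
                  if classify(e) != "fan-out" and any(p > 1023 for p in e["ports_open"]))


if __name__ == "__main__":
    s = summarize(SAMPLE_NETSTAT)
    for pid, e in sorted(s.items()):
        print(pid, classify(e), e)
    print("look at PIDs:", suspects(s))
```

On a real XP machine the RPC endpoint mapper and other svchost-hosted services also bind ports above 1023, so expect a few system PIDs in `suspects`; the list is a triage set to map back to processes with `tasklist /svc`, not a verdict. Running the capture once with uTorrent closed and once with it open, and diffing the two summaries, separates the client's peer churn from anything that is present either way.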


#9 admsupport

admsupport
  • Topic Starter

  • Members
  • 7 posts
  • Location:Japan

Posted 14 November 2008 - 07:49 PM

ComboFix 08-11-11.01 - 2008-11-15 9:14:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.481 [GMT 9:00]
Running from: d:\my documents\4. PC\Tools Dow\Antivirus\ComboFix\ComboFix.exe
Command switches used :: c:\documents and settings\PCG-K66P\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\windows\imsins.BAK
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\imsins.BAK

.
((((((((((((((((((((((((( Files Created from 2008-10-15 to 2008-11-15 )))))))))))))))))))))))))))))))
.

2008-11-14 13:06 . 2008-11-14 13:06 <DIR> d-------- c:\program files\Common Files\Acronis
2008-11-14 13:06 . 2008-11-14 13:06 <DIR> d-------- c:\program files\Acronis
2008-11-14 13:06 . 2008-11-14 13:06 114,048 --a------ c:\windows\system32\drivers\snapman.sys
2008-11-13 18:29 . 2008-11-13 18:29 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\ACD Systems
2008-11-13 18:28 . 2008-11-13 18:28 <DIR> d-------- c:\program files\Common Files\ACD Systems
2008-11-13 18:28 . 2008-11-13 18:28 <DIR> d-------- c:\program files\ACD Systems
2008-11-13 18:28 . 2008-11-13 18:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\ACD Systems
2008-11-12 18:19 . 2008-11-12 18:19 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-11 17:53 . 2008-11-11 17:53 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp mp3 (Fraunhofer IIS) Codec.bmp
2008-11-11 17:53 . 2008-11-11 17:55 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.bmp
2008-11-11 17:53 . 2008-11-11 17:57 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.bmp
2008-11-11 17:53 . 2008-11-11 17:53 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp [Calculate Audio CRC] Codec.bmp
2008-11-11 17:53 . 2008-11-11 17:53 3,153 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp mp3 (Fraunhofer IIS) Codec.dat
2008-11-11 17:53 . 2008-11-11 17:55 3,107 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.dat
2008-11-11 17:53 . 2008-11-11 17:57 2,987 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2008-11-11 17:53 . 2008-11-11 17:53 2,843 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp [Calculate Audio CRC] Codec.dat
2008-11-11 17:52 . 2008-11-11 17:51 33,846 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.bmp
2008-11-11 17:52 . 2008-11-11 17:52 13,853 --a------ c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2008-11-11 16:11 . 2008-11-14 15:02 <DIR> d-------- c:\program files\PowerISO
2008-11-09 21:10 . 2008-11-09 21:10 <DIR> d-------- c:\program files\Webteh
2008-11-09 21:10 . 2008-11-09 22:11 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\BSplayer PRO
2008-11-09 00:48 . 2008-11-09 00:48 <DIR> d-------- c:\program files\DAMN NFO Viewer
2008-11-08 09:00 . 2008-11-08 09:00 2,015 -r-h----- c:\windows\system32\drivers\hosts
2008-11-08 08:59 . 2008-11-08 08:59 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-11-07 16:47 . 2008-11-07 16:47 <DIR> d-------- c:\program files\zabkat
2008-11-02 17:44 . 2008-11-02 17:44 56,572 --a------ c:\windows\system32\drivers\scdemu.sys
2008-10-30 08:29 . 2008-10-30 08:29 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\JAM Software
2008-10-27 09:31 . 2007-03-05 20:37 54,272 -ra------ c:\windows\system32\drivers\OXUDIDRV_I64.sys
2008-10-27 09:31 . 2007-03-05 20:37 29,696 -ra------ c:\windows\system32\drivers\OXUDIDRV_X64.sys
2008-10-27 09:31 . 2007-03-05 20:37 21,248 -ra------ c:\windows\system32\drivers\OXUDIDRV_X32.sys
2008-10-27 09:31 . 2006-05-18 19:41 8,064 -ra------ c:\windows\system32\drivers\oxusb.sys
2008-10-25 16:01 . 2008-10-25 16:01 <DIR> d-------- c:\program files\PowerQuest
2008-10-25 08:56 . 2008-11-14 12:06 <DIR> d-------- c:\program files\SpywareBlaster
2008-10-25 07:51 . 2008-10-25 07:51 80 --a------ c:\windows\wininit.ini
2008-10-24 18:38 . 2008-10-24 18:38 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\TechSmith
2008-10-24 10:40 . 2008-10-24 10:40 <DIR> d-------- c:\program files\Easy CD-DA Extractor 11
2008-10-24 08:48 . 2008-11-14 12:07 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-10-24 08:47 . 2008-10-24 08:47 <DIR> d-------- c:\windows\Easy CD-DA Extractor 11.5
2008-10-24 07:06 . 2008-10-24 07:06 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\dBpoweramp
2008-10-24 06:37 . 2008-10-24 06:37 <DIR> d-------- c:\program files\Illustrate
2008-10-24 06:37 . 2008-11-11 17:58 652,152 --a------ c:\windows\system32\SpoonUninstall.exe
2008-10-23 21:35 . 2008-10-23 22:43 <DIR> d-------- c:\program files\uTorrent
2008-10-23 21:35 . 2008-11-14 18:31 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\uTorrent
2008-10-23 13:25 . 2008-10-23 13:26 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\Audio Recorder Titanium
2008-10-23 13:24 . 2008-10-23 13:25 <DIR> d-------- c:\program files\Audio Recorder Titanium
2008-10-21 15:47 . 2008-10-21 15:47 <DIR> d-------- c:\windows\system32\inf32
2008-10-21 15:47 . 2008-10-21 15:47 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\GPSoftware
2008-10-21 15:22 . 2008-10-21 15:22 <DIR> d-------- c:\program files\GPSoftware
2008-10-21 15:22 . 2008-10-21 15:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\GPSoftware
2008-10-21 09:18 . 2008-10-21 16:07 <DIR> d-------- c:\program files\SpeedProject
2008-10-21 00:14 . 2008-10-21 00:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\2BrightSparks
2008-10-20 22:58 . 2008-10-21 01:32 <DIR> d-------- c:\program files\ophcrack
2008-10-20 21:19 . 2008-10-20 21:19 <DIR> d-------- c:\program files\Miranda IM
2008-10-20 21:19 . 2008-10-20 21:20 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\Miranda
2008-10-20 19:38 . 2008-11-12 16:45 <DIR> d-------- C:\[Folder C]
2008-10-20 16:40 . 2008-10-20 16:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Equation Wizard
2008-10-20 12:55 . 2008-10-25 10:22 <DIR> d-------- c:\documents and settings\SONY1\ASPNET
2008-10-20 12:55 . 2008-10-20 12:55 <DIR> d-------- c:\documents and settings\SONY1
2008-10-20 10:05 . 2008-10-23 10:17 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-20 10:05 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-20 10:05 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-20 09:59 . 2008-11-11 10:00 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-10-20 09:59 . 2008-10-20 11:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-18 23:47 . 2008-10-18 23:55 <DIR> d-------- c:\program files\RegCure
2008-10-16 18:51 . 2008-10-16 18:51 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\ESET
2008-10-16 18:50 . 2008-10-16 18:50 <DIR> d-------- c:\program files\ESET
2008-10-16 18:47 . 2008-10-16 18:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-10-16 07:36 . 2008-10-16 07:36 <DIR> d-------- c:\program files\Intelore
2008-10-15 13:52 . 2008-10-15 13:52 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\Thinstall
2008-10-15 08:54 . 2008-10-15 08:54 <DIR> d-------- c:\documents and settings\PCG-K66P\Application Data\USBSafelyRemove
2008-10-15 00:07 . 2008-10-15 00:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-10-15 00:07 . 2008-10-15 10:19 4,212 --ah----- c:\windows\system32\zllictbl.dat
2008-10-15 00:06 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
2008-10-15 00:05 . 2008-10-16 18:42 <DIR> d-------- c:\windows\system32\ZoneLabs
2008-10-15 00:04 . 2008-10-16 18:42 <DIR> d-------- c:\windows\Internet Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 09:19 --------- d-----w c:\program files\OO Software
2008-11-12 09:25 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-12 08:43 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\foobar2000
2008-11-11 08:36 --------- d-----w c:\program files\The KMPlayer1431
2008-11-09 13:02 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\RapidUploader
2008-11-07 23:52 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\TrueCrypt
2008-11-07 09:29 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\Orbit
2008-11-07 03:23 --------- d-----w c:\program files\Orbitdownloader
2008-10-31 03:12 --------- d-----w c:\program files\Free Unit Converter
2008-10-28 22:05 --------- d-----w c:\program files\BUFFALO
2008-10-27 01:10 235,840 ----a-w c:\windows\system32\drivers\truecrypt.sys
2008-10-25 08:01 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-10-25 07:02 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-25 02:07 --------- d-----w c:\program files\TrueCrypt
2008-10-25 01:04 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\dvdcss
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:17 --------- d-----w c:\program files\foobar2000
2008-10-23 04:19 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\Audacity
2008-10-16 05:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 05:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 05:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 05:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 05:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 05:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 05:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 05:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 05:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 05:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-14 23:40 5,632 ----a-w c:\windows\system32\cisvc.exe
2008-10-14 15:14 --------- d-----w c:\program files\Camouflage
2008-10-14 09:23 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\Any Video Converter
2008-10-13 01:33 --------- d-----w c:\program files\Cain
2008-10-12 22:02 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-12 22:00 --------- d-----w c:\program files\JkDefragGUI
2008-10-12 08:39 --------- d-----w c:\program files\Foundstone Free Tools
2008-10-12 00:09 --------- d-----w c:\program files\Sandboxie
2008-10-10 22:10 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\ieSpell
2008-10-09 23:55 --------- d-----w c:\program files\WinPcap
2008-10-09 06:54 --------- d-----w c:\program files\Common Files\Adobe
2008-10-09 04:20 --------- d-----w c:\program files\BurnAware Professional
2008-10-09 01:28 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-08 10:37 --------- d-----w c:\program files\DivX
2008-10-08 08:51 --------- d-----w c:\program files\VideoLAN
2008-10-08 08:20 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\DivX
2008-10-08 04:00 --------- d-----w c:\program files\URLSnooper2
2008-10-08 03:59 --------- d-----w c:\program files\ScreenshotCaptor
2008-10-08 03:31 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\DVD Flick
2008-10-08 02:06 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\Ashampoo
2008-10-07 14:32 --------- d-----w c:\program files\LeConjugueur
2008-10-07 03:39 --------- d---a-w c:\program files\Canon
2008-10-07 03:39 --------- d-----w c:\program files\Real Alternative
2008-10-07 03:39 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\OfficeUpdate12
2008-10-06 13:15 --------- d-----w c:\program files\UnicodeImageMaker
2008-10-06 08:34 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-10-06 07:30 --------- d-----w c:\documents and settings\All Users\Application Data\ashampoo
2008-10-06 07:28 --------- d-----w c:\program files\Ashampoo
2008-10-06 03:45 --------- d-----w c:\documents and settings\All Users\Application Data\TechSmith
2008-10-06 03:44 --------- d-----w c:\program files\TechSmith
2008-10-06 01:56 --------- d-----w c:\program files\RegEditX
2008-10-05 02:09 --------- d-----w c:\program files\Alcohol Soft
2008-10-02 10:19 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\BatchRename
2008-10-02 04:25 --------- d-----w c:\program files\metamorphose-2
2008-10-02 04:25 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\.metamorphose2
2008-09-30 07:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-30 05:18 --------- d-----w c:\program files\DVD Flick
2008-09-29 06:37 --------- d-----w c:\program files\VolumeTray
2008-09-29 02:14 --------- d-----w c:\program files\MSECache
2008-09-27 00:42 --------- d-----w c:\program files\IrfanView
2008-09-23 01:26 --------- d-----w c:\program files\Any Video Converter
2008-09-22 21:36 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\SolidDocuments
2008-09-22 21:17 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\GlarySoft
2008-09-22 13:15 --------- d-----w c:\program files\Glary Utilities
2008-09-18 12:04 --------- d-----w c:\program files\Medieval Software
2008-09-18 10:59 --------- d-----w c:\program files\SyncToy 2.0
2008-09-18 10:56 --------- d-----w c:\program files\Microsoft Sync Framework
2008-09-18 09:39 --------- d-----w c:\program files\ieSpell
2008-09-17 08:05 794,906 ----a-w c:\windows\unins000.exe
2008-09-17 08:05 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\FFSJ
2008-09-17 06:18 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\DonationCoder
2008-09-17 06:18 --------- d-----w c:\documents and settings\All Users\Application Data\DonationCoder
2008-09-16 00:11 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-15 22:39 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\Hulubulu
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-15 06:18 --------- d-----w c:\program files\ReNamer
2008-09-15 04:41 --------- d-----w c:\program files\metamorphose
2008-09-15 04:41 --------- d-----w c:\documents and settings\PCG-K66P\Application Data\.metamorphose
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-03 21:02 730,368 ----a-w c:\windows\system32\oodsvct.exe
2008-09-03 21:02 1,295,616 ----a-w c:\windows\system32\oodag.exe
2008-09-03 21:01 2,524,416 ----a-w c:\windows\system32\oodtray.exe
2008-09-03 21:01 194,816 ----a-w c:\windows\system32\oodbs.exe
2008-09-03 20:58 9,984 ----a-w c:\windows\system32\oodbsrs.dll
2008-09-03 20:58 894,208 ----a-w c:\windows\system32\oodtrrs.dll
2008-09-03 20:58 8,448 ----a-w c:\windows\system32\oodagrs.dll
2008-09-03 20:58 15,616 ----a-w c:\windows\system32\oodagmg.dll
2008-08-31 12:47 98,304 ----a-w c:\windows\system32\JkDefragScreenSaver.scr
2008-08-31 12:47 238,592 ----a-w c:\windows\system32\JkDefragScreenSaver.exe
2008-08-29 20:20 15,104 ----a-w c:\windows\system32\ootmapi.dll
2008-08-29 11:06 1,350,664 ----a-w c:\windows\system32\msxml6.dll
2008-08-28 08:00 74,752 ----a-w c:\windows\system32\msw3prt.dll
2007-06-29 05:21 108 --sha-r c:\windows\neoqaz2.dll
2007-03-21 08:57 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\system32\inf32 ----

2002-10-22 14:07 80 ---hs---- c:\windows\system32\inf32\{64F7406E-5BA5-4BFC-93AC-1DAFC869C5BF}
2002-02-27 06:09 80 ---hs---- c:\windows\system32\inf32\{98DCBA3E-99C5-4BD5-8EA4-DC864E9D67E6}
2002-02-18 17:43 80 ---hs---- c:\windows\system32\inf32\{62257FF2-F836-472B-94F8-0E0B6B0F76E2}
2001-11-22 07:12 80 ---hs---- c:\windows\system32\inf32\{05433058-B37E-45DE-B331-A789E18841B3}
2001-02-09 02:14 80 ---hs---- c:\windows\system32\inf32\{E78ED99B-B810-47BC-A903-914AB282E9CD}
2000-12-25 03:15 80 ---hs---- c:\windows\system32\inf32\{A99C65A0-AC2E-4EB1-8A9E-0E563D51291A}
2000-11-18 15:29 80 ---hs---- c:\windows\system32\inf32\{AF45DFCA-5BAE-40F6-98A8-BF6EF586F36A}
2000-08-22 03:19 80 ---hs---- c:\windows\system32\inf32\{3F7F1CC5-DCDA-4FC7-B90E-581125726FC3}
1999-06-15 01:14 80 ---hs---- c:\windows\system32\inf32\{DE386624-C951-4624-965D-C35E1A552834}
1999-04-24 20:09 80 ---hs---- c:\windows\system32\inf32\{AAFF3A8C-1DE4-48BE-BC52-3D00231F02D0}
1998-05-25 14:55 80 ---hs---- c:\windows\system32\inf32\{AF421DAF-0586-4987-83D4-ADFD570EC2D3}
1998-03-17 22:35 80 ---hs---- c:\windows\system32\inf32\{779A7357-A929-4BD8-B906-7DD6A90C8454}


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Start Killer"="c:\program files\Start Killer\StartKiller.exe" [2004-02-04 57344]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-10-06 4608]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-09-02 716800]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Directory Opus Desktop Dblclk"="c:\program files\GPSoftware\Directory Opus\dopusrt.exe" [2008-02-23 275952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-19 335872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-01-10 86105]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-10 774233]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2003-12-02 94208]
"IMJPMIG9.0"="c:\progra~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE" [2007-04-19 125792]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-08 15872]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"VolumeTray"="c:\program files\VolumeTray\VolumeTray.exe" [2003-02-19 180224]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"OODefragTray"="c:\windows\system32\oodtray.exe" [2008-09-04 2524416]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 1447168]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2008-10-22 399504]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"ooccctrl.exe"="c:\program files\OO Software\CleverCache\ooccctrl.exe" [2007-01-28 1911568]
"OSSelectorReinstall"="c:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-22 2209224]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 c:\windows\system32\narrator.exe]

c:\documents and settings\PCG-K66P\Start Menu\Programs\Startup\
BUFFALO Power Save Utility for HD.lnk - c:\program files\BUFFALO\HDManage\HDManage.exe [2006-09-11 69632]
Mute at Exit.lnk - d:\my documents\4. PC\Tools Dow\XP Desktop Tools and Themes\Mute and Setvol\mute.exe [2008-09-29 325632]
procexp.exe.lnk - d:\my documents\4. PC\Tools Dow\Process Explorer\ProcessExplorer\procexp.exe [2008-10-14 3520552]
PureText.lnk - d:\my documents\4. PC\Tools Dow\XP Desktop Tools and Themes\PureText\PureText.exe [2008-09-16 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ClientManager3.lnk - c:\program files\BUFFALO\Client Manager3\cm3_tray.exe [2006-02-10 466944]
DateInTray.lnk - c:\program files\DateInTray\DateInTray.exe [2006-02-15 78848]
Shortcut to dynamicIP.lnk - c:\program files\Lowrie Associates Ltd\dynamicIP\dynamicIP.exe [2006-02-24 458752]
SnagIt 9.lnk - c:\program files\TechSmith\SnagIt 9\SnagIt32.exe [2008-09-22 6825288]
TrueCrypt.lnk - c:\program files\TrueCrypt\TrueCrypt.exe [2008-01-07 1225920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.ivimp3en"= ivimp3en.acm
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BUFFALO\\Client Manager3\\BWSVC\\bwsvc.exe"=
"c:\\Program Files\\BUFFALO\\Client Manager3\\AOSS\\aoss.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"c:\\Program Files\\Ratajik Software\\StationRipper\\StationRipperConsole.exe"=
"c:\\Program Files\\IrfanView\\i_view32.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"465:TCP"= 465:TCP:Gmail 465

R1 BUFADPT;BUFADPT;c:\windows\system32\BUFADPT.SYS [2006-09-12 9600]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
R1 OxFWLF;OxFWLF;c:\windows\system32\drivers\OxFWLF.sys [2003-12-03 12043]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
R2 Audsub3;Audsub3;c:\windows\SYSTEM32\Drivers\Audsub3.sys [2005-04-06 2785]
R2 Jcpacket;Fldp Packet Driver;c:\windows\system32\DRIVERS\Jcpacket.sys [2002-04-24 10880]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-10-22 170640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-10-22 15504]
R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [2008-09-02 100352]
S3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;c:\windows\system32\DRIVERS\CBG54.sys [2005-11-01 372480]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-07 34064]
S3 OXUDIDRV;OXUDIDRV;c:\windows\system32\Drivers\OXUDIDRV_X32.sys [2007-03-05 21248]
S3 OxUSBLF;OxUSBLF;c:\windows\system32\drivers\OxUSBLF.sys [2005-06-01 7296]
.
Contents of the 'Scheduled Tasks' folder

2008-11-14 c:\windows\Tasks\Malwarebytes' Scheduled Update for MarkTecoz.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-10-22 16:10]

2008-11-14 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-10-18 23:48]

2008-11-15 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-10-18 23:48]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Device Detector - DevDetect.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-15 09:17:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-11-15 9:18:44
ComboFix-quarantined-files.txt 2008-11-15 00:18:36
ComboFix2.txt 2008-11-13 03:07:01

Pre-Run: 10,723,692,544 bytes free
Post-Run: 10,759,254,016 bytes free

335 --- E O F --- 2008-11-12 09:27:57

======================================================================

WARNING!!!! Any time I run HijackThis (scan), I receive this error message in an Alert Window (see below):

---------------------------
HijackThis
---------------------------
Please help us improve HijackThis by reporting this error

Click 'Yes' to submit

Error Details:

An unexpected error has occurred at procedure: modRegistry_IniGetString(sFile=system.ini, sSection=boot, sValue=Shell)

Error #5 - Invalid procedure call or argument

Windows version: Windows NT 5.01.2600
MSIE version: 8.0.6001.18241
HijackThis version: 2.0.2
---------------------------
Yes No
---------------------------

Then I can proceed with the scan.

=========================================================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:07, on 2008-11-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\OO Software\CleverCache\ooccag.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\VolumeTray\VolumeTray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\oodtray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\OO Software\CleverCache\ooccctrl.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Start Killer\StartKiller.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe
C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
C:\Program Files\DateInTray\DateInTray.exe
C:\Program Files\Lowrie Associates Ltd\dynamicIP\dynamicIP.exe
C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\BUFFALO\HDManage\HDManage.exe
D:\My Documents\4. PC\Tools Dow\XP Desktop Tools and Themes\Mute and Setvol\mute.exe
D:\My Documents\4. PC\Tools Dow\Process Explorer\ProcessExplorer\procexp.exe
C:\WINDOWS\System32\svchost.exe
D:\My Documents\4. PC\Tools Dow\XP Desktop Tools and Themes\PureText\PureText.exe
C:\Program Files\TechSmith\SnagIt 9\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe
C:\Program Files\TechSmith\SnagIt 9\snagiteditor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\My Documents\4. PC\Tools Dow\Antivirus\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 ___id___.c.mystat-in.net
O1 - Hosts: 127.0.0.1 0.r.msn.com
O1 - Hosts: 127.0.0.1 000dom.revenuedirect.com
O1 - Hosts: 127.0.0.1 000x.us
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 00a0-f0d5-a44e-33s6.cnc-inc.cn
O1 - Hosts: 127.0.0.1 00fun.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 011707160008.c.mystat-in.net
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 061606084448.c.mystat-in.net
O1 - Hosts: 127.0.0.1 070806142521.c.mystat-in.net
O1 - Hosts: 127.0.0.1 08search.com
O1 - Hosts: 127.0.0.1 090906042103.c.mystat-in.net
O1 - Hosts: 127.0.0.1 092706152958.c.mystat-in.net
O1 - Hosts: 127.0.0.1 093qpeuqpmz6ebfa.com
O1 - Hosts: 127.0.0.1 0bucksforpornmovie.com
O1 - Hosts: 127.0.0.1 0ki.ru
O1 - Hosts: 127.0.0.1 0ml.net
O1 - Hosts: 127.0.0.1 0nline-porno.info
O1 - Hosts: 127.0.0.1 0nline-sex.info
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 0scanner.com
O1 - Hosts: 127.0.0.1 0texkax7c6hzuidk.com
O1 - Hosts: 127.0.0.1 1.9797aiai.com
O1 - Hosts: 127.0.0.1 1.adbrite.com
O1 - Hosts: 127.0.0.1 1.marketbanker.com
O1 - Hosts: 127.0.0.1 1.primaryads.com
O1 - Hosts: 127.0.0.1 1.xqhgm.com
O1 - Hosts: 127.0.0.1 100.mbn.com.ua
O1 - Hosts: 127.0.0.1 100.topnews.ru
O1 - Hosts: 127.0.0.1 10000hits.net
O1 - Hosts: 127.0.0.1 10006.hittail.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 10016.searchmiracle.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 100-celebrities.com
O1 - Hosts: 127.0.0.1 100freeteenseries.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 100webads.com
O1 - Hosts: 127.0.0.1 10168.hittail.com
O1 - Hosts: 127.0.0.1 101mortgages.net
O1 - Hosts: 127.0.0.1 101sexmovies.com
O1 - Hosts: 127.0.0.1 101teengirls.com
O1 - Hosts: 127.0.0.1 102.112.207.net
O1 - Hosts: 127.0.0.1 102.112.2o7.net
O1 - Hosts: 127.0.0.1 102.122.2o7.net
O1 - Hosts: 127.0.0.1 102106151057.c.mystat-in.net
O1 - Hosts: 127.0.0.1 103bees.com
O1 - Hosts: 127.0.0.1 1047.www1.p0rt2.com
O1 - Hosts: 127.0.0.1 10661.kit.carpediem.fr
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 10xhellometro.112.2o7.net
O1 - Hosts: 127.0.0.1 11.rtcode.com
O1 - Hosts: 127.0.0.1 11.rtstats.com
O1 - Hosts: 127.0.0.1 112006133326.c.mystat-in.net
O1 - Hosts: 127.0.0.1 117.mylongtail.com
O1 - Hosts: 127.0.0.1 11731.kit.carpediem.fr
O1 - Hosts: 127.0.0.1 1188224372.com
O1 - Hosts: 127.0.0.1 11968.www1.p0rt2.com
O1 - Hosts: 127.0.0.1 11qe.com
O1 - Hosts: 127.0.0.1 11zz.com
O1 - Hosts: 127.0.0.1 120.mbn.com.ua
O1 - Hosts: 127.0.0.1 123.fluxads.com
O1 - Hosts: 127.0.0.1 1234.2bro.com
O1 - Hosts: 127.0.0.1 12345dns.net
O1 - Hosts: 127.0.0.1 123ads.nl
O1 - Hosts: 127.0.0.1 123count.com
O1 - Hosts: 127.0.0.1 123go.com
O1 - Hosts: 127.0.0.1 123haustiereundmehr.com
O1 - Hosts: 127.0.0.1 123latex4free.com
O1 - Hosts: 127.0.0.1 123mania.com
O1 - Hosts: 127.0.0.1 123-music-video.info
O1 - Hosts: 127.0.0.1 123simsen.com
O1 - Hosts: 127.0.0.1 123spywar.com
O1 - Hosts: 127.0.0.1 123stat.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 124365.com
O1 - Hosts: 127.0.0.1 125sms.co.uk
O1 - Hosts: 127.0.0.1 125sms.com
O1 - Hosts: 127.0.0.1 1262.hittail.com
O1 - Hosts: 127.0.0.1 12877.hittail.com
O1 - Hosts: 127.0.0.1 13175.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 13223.hittail.com
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 14228.hittail.com
O1 - Hosts: 127.0.0.1 14713804a.l2m.net
O1 - Hosts: 127.0.0.1 150freesms.de
O1 - Hosts: 127.0.0.1 150teengalleries.com
O1 - Hosts: 127.0.0.1 15141.hittail.com
O1 - Hosts: 127.0.0.1 1559.stats.misstrends.com
O1 - Hosts: 127.0.0.1 15694.hittail.com
O1 - Hosts: 127.0.0.1 160.mbn.com.ua
O1 - Hosts: 127.0.0.1 163ns.com
O1 - Hosts: 127.0.0.1 16565.hittail.com
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [VolumeTray] C:\Program Files\VolumeTray\VolumeTray.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ooccctrl.exe] C:\Program Files\OO Software\CleverCache\ooccctrl.exe /tasktray
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Start Killer] C:\Program Files\Start Killer\StartKiller.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Directory Opus Desktop Dblclk] "C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe" /dblclk
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: BUFFALO Power Save Utility for HD.lnk = C:\Program Files\BUFFALO\HDManage\HDManage.exe
O4 - Startup: Mute at Exit.lnk = D:\My Documents\4. PC\Tools Dow\XP Desktop Tools and Themes\Mute and Setvol\mute.exe
O4 - Startup: procexp.exe.lnk = D:\My Documents\4. PC\Tools Dow\Process Explorer\ProcessExplorer\procexp.exe
O4 - Startup: PureText.lnk = D:\My Documents\4. PC\Tools Dow\XP Desktop Tools and Themes\PureText\PureText.exe
O4 - Global Startup: ClientManager3.lnk = C:\Program Files\BUFFALO\Client Manager3\cm3_tray.exe
O4 - Global Startup: DateInTray.lnk = C:\Program Files\DateInTray\DateInTray.exe
O4 - Global Startup: Shortcut to dynamicIP.lnk = C:\Program Files\Lowrie Associates Ltd\dynamicIP\dynamicIP.exe
O4 - Global Startup: SnagIt 9.lnk = C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
O4 - Global Startup: TrueCrypt.lnk = C:\Program Files\TrueCrypt\TrueCrypt.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winrnr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rsvpsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rsvpsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O18 - Filter: application/octet-stream - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll
O18 - Filter: application/x-complus - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll
O18 - Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - (no file)
O18 - Filter: application/x-msdownload - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll
O18 - Filter: Class Install Handler - {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\SHELL32.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\SHELL32.dll
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\SHELL32.dll
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Alerter - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Application Layer Gateway Service (ALG) - Microsoft Corporation - C:\WINDOWS\System32\alg.exe
O23 - Service: Application Management (AppMgmt) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Microsoft Corporation - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Windows Audio (AudioSrv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Computer Browser (Browser) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Bwsvc - BUFFALO INC. - C:\Program Files\BUFFALO\Client Manager3\bwsvc\bwsvc.exe
O23 - Service: Indexing Service (CiSvc) - Microsoft Corporation - C:\WINDOWS\system32\cisvc.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Microsoft Corporation - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
O23 - Service: COM+ System Application (COMSysApp) - Microsoft Corporation - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Cryptographic Services (CryptSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: DHCP Client (Dhcp) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Logical Disk Manager (dmserver) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: DNS Client (Dnscache) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Error Reporting Service (ERSvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Event Log (Eventlog) - Microsoft Corporation - C:\WINDOWS\system32\services.exe
O23 - Service: COM+ Event System (EventSystem) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Fax - Microsoft Corporation - C:\WINDOWS\system32\fxssvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Windows Presentation Foundation Font Cache 3.0.0.0 (FontCache3.0.0.0) - Microsoft Corporation - C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
O23 - Service: Help and Support (helpsvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: HID Input Service (HidServ) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: HTTP SSL (HTTPFilter) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Windows CardSpace (idsvc) - Microsoft Corporation - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Microsoft Corporation - C:\WINDOWS\system32\imapi.exe
O23 - Service: Server (lanmanserver) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Workstation (lanmanworkstation) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Machine Debug Manager (MDM) - Microsoft Corporation - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Microsoft Corporation - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Microsoft Corporation - C:\WINDOWS\system32\msdtc.exe
O23 - Service: FTP Publishing (MSFtpsvc) - Microsoft Corporation - C:\WINDOWS\system32\inetsrv\inetinfo.exe
O23 - Service: Windows Installer (MSIServer) - Microsoft Corporation - C:\WINDOWS\system32\msiexec.exe
O23 - Service: Net Logon (Netlogon) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Network Connections (Netman) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Removable Storage (NtmsSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Microsoft Office Diagnostics Service (odserv) - Microsoft Corporation - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
O23 - Service: O&O CleverCache Agent (OOCleverCacheAgent) - O&O Software GmbH - C:\Program Files\OO Software\CleverCache\ooccag.exe
O23 - Service: Office Source Engine (ose) - Microsoft Corporation - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
O23 - Service: Plug and Play (PlugPlay) - Microsoft Corporation - C:\WINDOWS\system32\services.exe
O23 - Service: IPSEC Services (PolicyAgent) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Protected Storage (ProtectedStorage) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Access Connection Manager (RasMan) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Microsoft Corporation - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Registry (RemoteRegistry) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Microsoft Corporation - C:\WINDOWS\system32\locator.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: QoS RSVP (RSVP) - Microsoft Corporation - C:\WINDOWS\system32\rsvp.exe
O23 - Service: Security Accounts Manager (SamSs) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Smart Card (SCardSvr) - Microsoft Corporation - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Task Scheduler (Schedule) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Secondary Logon (seclogon) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: System Event Notification (SENS) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Print Spooler (Spooler) - Microsoft Corporation - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: System Restore Service (srservice) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: SSDP Discovery Service (SSDPSRV) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Microsoft Corporation - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Microsoft Corporation - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telephony (TapiSrv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Terminal Services (TermService) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Themes - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Universal Plug and Play Device Host (upnphost) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Microsoft Corporation - C:\WINDOWS\System32\ups.exe
O23 - Service: Volume Shadow Copy (VSS) - Microsoft Corporation - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Windows Time (W32Time) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: World Wide Web Publishing (W3SVC) - Microsoft Corporation - C:\WINDOWS\system32\inetsrv\inetinfo.exe
O23 - Service: WebClient - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Management Instrumentation (winmgmt) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Microsoft Corporation - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Microsoft Corporation - C:\Program Files\Windows Media Player\WMPNetwk.exe
O23 - Service: Security Center (wscsvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Automatic Updates (wuauserv) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Network Provisioning Service (xmlprov) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe

--
End of file - 31952 bytes
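The O23 block of the log above is long enough that reading it by eye is error-prone. The following is an added example (my code, not part of the thread and not a HijackThis feature) that parses O23 service lines into display name, short name, vendor and binary path, then applies three heuristics: a vendor of "Unknown owner", a binary outside the Windows and Program Files trees, and membership in a short list of network-facing services. The sample lines are copied from the log above; the TRUSTED_ROOTS and NETWORK_FACING lists are my assumptions, and a flag means "verify this", not "infected".

```python
import re

# Constructed sample: O23 lines copied verbatim from the HijackThis log above,
# plus one O4 line to show that other sections are skipped.
SAMPLE_LOG = r"""
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DNS Client (Dnscache) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: FTP Publishing (MSFtpsvc) - Microsoft Corporation - C:\WINDOWS\system32\inetsrv\inetinfo.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: World Wide Web Publishing (W3SVC) - Microsoft Corporation - C:\WINDOWS\system32\inetsrv\inetinfo.exe
O4 - Startup: procexp.exe.lnk = D:\My Documents\4. PC\Tools Dow\Process Explorer\ProcessExplorer\procexp.exe
"""

# Where a service binary is expected to live. Anything elsewhere is not
# automatically bad, but it is worth a hash lookup. (Assumed list.)
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# Services that accept network connections, keyed by service short name.
# My own list for this example, not something HijackThis knows about.
NETWORK_FACING = {
    "rpcapd": "WinPcap remote capture daemon; lets a remote host sniff this machine",
    "MSFtpsvc": "IIS FTP server",
    "W3SVC": "IIS web server",
    "TermService": "Terminal Services (Remote Desktop)",
    "mnmsrvc": "NetMeeting remote desktop sharing",
    "RemoteRegistry": "remote registry access",
}

O23_PREFIX = "O23 - Service: "
# Trailing "(ShortName)" on the display name; HJT omits it when both are equal.
SHORT_NAME = re.compile(r"^(.*) \(([^()]+)\)$")


def parse_o23(line):
    """Split one O23 line into display name, short name, vendor and binary path."""
    line = line.strip()
    if not line.startswith(O23_PREFIX):
        return None
    # Vendor and path never contain " - " in this log, so split from the right.
    parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, vendor, path = parts
    m = SHORT_NAME.match(name)
    display, short = (m.group(1), m.group(2)) if m else (name, name)
    return {"display": display, "short": short, "vendor": vendor, "path": path}


def review_service(svc):
    """Return the reasons a service deserves a look; an empty list means none."""
    notes = []
    if svc["vendor"] == "Unknown owner":
        # Only means the binary carries no CompanyName in its version info.
        notes.append("no vendor in version info; check the file's hash or signature")
    if not svc["path"].lower().startswith(TRUSTED_ROOTS):
        notes.append("binary outside the Windows and Program Files trees")
    if svc["short"] in NETWORK_FACING:
        notes.append("network-facing: " + NETWORK_FACING[svc["short"]])
    # Caveat: for svchost.exe-hosted services the path is the host process, not
    # the real ServiceDll, so this check cannot see a hijacked service DLL.
    return notes


def review_log(text):
    """Map short name -> notes for every O23 entry that raised at least one."""
    flagged = {}
    for line in text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        notes = review_service(svc)
        if notes:
            flagged[svc["short"]] = notes
    return flagged


if __name__ == "__main__":
    for short, notes in review_log(SAMPLE_LOG).items():
        print(short)
        for note in notes:
            print("   -", note)
```

Run against the sample, it flags Ati HotKey Poller (no vendor string), rpcapd, MSFtpsvc and W3SVC (listening services that should only be running if you put them there), and leaves Dnscache and SbieSvc alone. A non-Microsoft vendor is deliberately not a flag by itself; that would drown the useful hits in noise.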

#10 Grinler (Lawrence Abrams)
  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 18 November 2008 - 04:34 PM

Sorry for the delay in getting back to you.

To be honest, I am not 100% sure what the specific malware infections are or where they came from. Combofix removes a large variety of infections automatically. If you want to see what was removed, you can do so by opening this file:

C:\Qoobox\ComboFix-quarantined-files.txt

You can then submit the files to http://www.virustotal.com to see what infections they are. If you are using keygens, which are illegal btw, then you are most likely getting infected via them. Keygens and cracks are a HUGE source of malware infections.

At this point I am not seeing anything else. As for your firewall, there are a lot of script kiddies out there, so it is not unusual to see a lot of activity on the firewall. Also there could be a lot of false positives in firewall alerts.

#11 admsupport (Topic Starter)
  • Members
  • 7 posts
  • Location:Japan

Posted 22 November 2008 - 12:54 AM

> At this point I am not seeing anything else. As for your firewall, there are a lot of script kiddies out there, so it is not unusual to see a lot of activity on the firewall. Also there could be a lot of false positives in firewall alerts.


Thank you very much for your help and return emails (another similar site never answered). What would have interested me in your answers to my logs would have been to know which line of which log was suspicious or infected:

e.g. Log X, line X (+ copy of the line) = infected or suspicious

I have spent a great deal of time reading all the logs and watching the changes (first log vs. the following ones), and trying to find/understand (with the help of one of your tutorials) whether and what was good and what was wrong. I would really have enjoyed reading the result of your analysis, to compare with mine.

Anyway, thanks again, and let me come back in a new thread if something is wrong.

#12 Grinler (Lawrence Abrams)
  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 23 November 2008 - 10:54 PM

These were the files/folders that were bad:

c:\windows\Downloaded Program Files\Quarantine
c:\windows\IE4 Error Log.txt
c:\windows\system32\Cache
c:\windows\Tasks\JkDefragCmd.exe
c:\windows\Tasks\timeout.exe


If you run those against virustotal from the Combofix quarantine, it will tell you what they are.

When you are ready to uninstall ComboFix and erase the quarantine, do this:


Let's uninstall ComboFix

Please navigate to, and delete the following:
  • Click on : Start >> Run...
  • Type: Combofix /u and hit Enter

Last but not least,

Now that you're clean:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable System Restore here for your particular Windows version:

Managing Windows Millennium System Restore

or

Windows XP System Restore Guide

or

Windows Vista System Restore Guide


Re-enable System Restore with the instructions from the tutorial above


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then Run, type %temp%, and press the OK button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


I am closing this topic. Please message a moderator if you need it reopened.

Glad I was able to help, and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!
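Two steps in this thread are easier with a small script: post #10 suggests submitting the quarantined files to VirusTotal, and post #12 names the five paths that were bad, two of them .exe files sitting in C:\WINDOWS\Tasks, a folder that should only hold .job files. The following is an added example (my code, not from the thread and not part of ComboFix) that takes a listing of quarantined paths, explains why each one stands out, and computes the SHA-256 of the quarantined copy so the hash can be searched on VirusTotal without uploading anything. Assumptions, all mine: the listing is one path per line, quarantined copies live under a root folder as <root>\<drive letter>\<original path>.vir, and the sample files and listing are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Folders named in the cleanup post where a loose executable does not belong.
# C:\WINDOWS\Tasks should only hold .job files, so an .exe there is a
# persistence red flag rather than something to whitelist.
SUSPICIOUS_DIRS = (
    "c:\\windows\\tasks",
    "c:\\windows\\downloaded program files",
    "c:\\windows\\system32\\cache",
)
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".pif")

# Constructed sample listing: the five items the helper called bad, one per
# line. The one-path-per-line format is an assumption, not ComboFix's format.
SAMPLE_LISTING = """\
c:\\windows\\Downloaded Program Files\\Quarantine
c:\\windows\\IE4 Error Log.txt
c:\\windows\\system32\\Cache
c:\\windows\\Tasks\\JkDefragCmd.exe
c:\\windows\\Tasks\\timeout.exe
"""


def parse_listing(text):
    """Return the non-empty lines of a listing, whitespace stripped."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def classify(path):
    """Say why a quarantined path deserves a second look, or None if nothing stands out."""
    low = path.lower().rstrip("\\")
    ext = os.path.splitext(low)[1]
    in_odd_place = any(low == d or low.startswith(d + "\\") for d in SUSPICIOUS_DIRS)
    if in_odd_place and ext in EXEC_EXT:
        return "executable in a folder that should hold none"
    if in_odd_place:
        return "unexpected item in a system folder"
    if ext in EXEC_EXT:
        return "executable"
    return None


def sha256_hex(data):
    """SHA-256 of raw bytes; this is the value to paste into VirusTotal's search box."""
    return hashlib.sha256(data).hexdigest()


def quarantine_copy(path, root):
    """Map 'C:\\dir\\file' to '<root>/C/dir/file.vir'.

    The drive-letter subfolder and '.vir' suffix are assumed for this example;
    check the real quarantine tree before relying on them.
    """
    drive, rest = path[0].upper(), path[3:]
    return os.path.join(root, drive, *rest.split("\\")) + ".vir"


def triage(listing_text, root):
    """Classify every listed path and hash its quarantined copy when one exists."""
    report = []
    for path in parse_listing(listing_text):
        copy = quarantine_copy(path, root)
        digest = None
        if os.path.isfile(copy):
            with open(copy, "rb") as fh:
                digest = sha256_hex(fh.read())
        report.append({"path": path, "reason": classify(path), "sha256": digest})
    return report


def demo():
    """Build a throwaway quarantine tree holding two constructed files and triage it."""
    root = tempfile.mkdtemp()
    fake = {  # constructed stand-ins, not the real quarantined binaries
        "c:\\windows\\Tasks\\timeout.exe": b"MZ constructed timeout.exe",
        "c:\\windows\\Tasks\\JkDefragCmd.exe": b"MZ constructed JkDefragCmd.exe",
    }
    for original, payload in fake.items():
        copy = quarantine_copy(original, root)
        os.makedirs(os.path.dirname(copy), exist_ok=True)
        with open(copy, "wb") as fh:
            fh.write(payload)
    return triage(SAMPLE_LISTING, root)


if __name__ == "__main__":
    for row in demo():
        print(f"{row['path']:<50} {row['reason'] or '-':<45} {row['sha256'] or 'no copy'}")
```

On a real machine you would point triage() at the actual quarantine root (C:\Qoobox\Quarantine in the thread) once you have confirmed its layout, and look up each hash on VirusTotal. Searching by hash leaks nothing about the file's contents, and a hit saves the upload; only upload when the hash is unknown.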



