
services.exe: friend or foe? [SOLVED]



Lately I have noticed that the services.exe process has started running in Windows all the time. What I found a bit odd is that it uses 20-30% of the processor capacity. Is this normal? By the way, I cannot see this process in Task Manager, but I do see it in a sidebar program called "top processes", which shows the processes using the most CPU. I also see it in the program "Process Explorer".

I read a bit on the internet about this process. It said that it is a perfectly ordinary Windows service, but it also said that it can be spyware or something similar. Norton finds nothing fishy about this file, and when I tried to terminate it with "Process Explorer" the PC had to restart.

Is this "services.exe" anything to worry about? Or is it supposed to take 20-30% of the CPU?

Edited by Sniken_123

Services.exe is the Service Control Manager, which controls services in Windows. It is a critical system service that you cannot terminate.

You can check whether the file is verified with Microsoft's digital signature to check the authenticity of the file. (If a virus has infected the file, the digital signature is broken.)

Since you already have Process Explorer, you can check what it is doing by going to the Threads tab and then looking at the stack.

Edited by fenderebest
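The authenticity check suggested in the reply above, as an added PowerShell example that is not part of the original thread. It assumes PowerShell 3.0 or later and an elevated prompt; the expected path `%SystemRoot%\System32\services.exe` is the standard location of the Service Control Manager binary, and the variable names are illustrative.

```powershell
# Added example: verify that the running services.exe is the genuine
# Service Control Manager binary (correct path, valid Microsoft signature).
# Run elevated, otherwise ExecutablePath can be empty for system processes.
$expected = Join-Path $env:SystemRoot 'System32\services.exe'
$procs    = @(Get-CimInstance Win32_Process -Filter "Name = 'services.exe'")

# A healthy system runs exactly one Service Control Manager.
if ($procs.Count -ne 1) {
    Write-Warning "Expected exactly one services.exe, found $($procs.Count)."
}

$report = foreach ($p in $procs) {
    $row = [ordered]@{
        ProcessId = $p.ProcessId
        Path      = $p.ExecutablePath
        PathOk    = $false
        SigStatus = 'NotChecked'
        Signer    = $null
        Verdict   = 'SUSPICIOUS'
    }

    if (-not $p.ExecutablePath) {
        # Cannot judge a process whose image path we are not allowed to read.
        $row.Verdict = 'UNKNOWN (path not readable; rerun elevated)'
    }
    else {
        # A look-alike in another directory fails this case-insensitive comparison.
        $row.PathOk = ($p.ExecutablePath -ieq $expected)

        # A file modified after signing no longer reports Status 'Valid'.
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        $row.SigStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) {
            $row.Signer = $sig.SignerCertificate.Subject
        }

        $msSigned = ($sig.Status -eq 'Valid') -and
                    ($row.Signer -match 'O=Microsoft Corporation')
        if ($row.PathOk -and $msSigned) {
            $row.Verdict = 'OK'
        }
    }

    [pscustomobject]$row
}

$report | Format-List
```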

Here is the log...

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:10:37, on 12.04.2008

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16643)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\GetSmile\getsmile.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Xfire\xfire.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\System32\mobsync.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: PimpFish Toolbar Opcode Handler - {29C88E20-4234-41B9-A9DB-982958C95FB1} - C:\Program Files\PimpFish\PimpFish.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: PimpFish FloatBar - {75B1A646-CDCE-4C06-B52F-84F4463B4FC8} - C:\Program Files\PimpFish\FloatBar.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O3 - Toolbar: PimpFish - {D593DE91-7B41-45C2-830E-E9A99AB142AA} - C:\Program Files\PimpFish\PimpFish.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD

O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [AgataSoft ShutDown Pro] C:\Program Files\AgataSoft\AgataSoft ShutDown Pro\AgataSoft_ShutDown_Pro.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [GetSmile] C:\Program Files\GetSmile\GetSmile.exe

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETTVERKSTJENESTE')

O4 - Startup: Password Keeper.lnk = C:\Program Files\Software by Design\PassKeep.exe

O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: PimpFish Grab movies on this page - res://C:\Program Files\PimpFish\PimpFish.dll/GRABPAGEMOVIES.HTM

O8 - Extra context menu item: PimpFish Grab pictures on this page - res://C:\Program Files\PimpFish\PimpFish.dll/GRABPAGEPICS.HTM

O8 - Extra context menu item: PimpFish Grab pictures this page links to - res://C:\Program Files\PimpFish\PimpFish.dll/GRABPAGELINKS.HTM

O8 - Extra context menu item: PimpFish Grab Target File - res://C:\Program Files\PimpFish\PimpFish.dll/GRABLINK.HTM

O8 - Extra context menu item: PimpFish Grab This Picture - res://C:\Program Files\PimpFish\PimpFish.dll/GRABPIC.HTM

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)

O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)

O13 - Gopher Prefix:

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab

O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.euchannels.net/KooPlayer.ocx

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.tvkoo.com/update/UKooPlayer.ocx

O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{938F512F-60B8-4B7D-B366-7CDFF9E3D677}: NameServer = 62.97.193.3,62.97.193.53

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll

O23 - Service: Avira Premium Security Suite Firewall (AntiVirFirewallService) - Unknown owner - C:\Program Files\Avira\Avira Premium Security Suite\avfwsvc.exe (file missing)

O23 - Service: Avira Premium Security Suite MailGuard (AntiVirMailService) - Unknown owner - C:\Program Files\Avira\Avira Premium Security Suite\avmailc.exe (file missing)

O23 - Service: Avira Premium Security Suite Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\Avira\Avira Premium Security Suite\sched.exe (file missing)

O23 - Service: Avira Premium Security Suite Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\Avira Premium Security Suite\avguard.exe (file missing)

O23 - Service: Avira Premium Security Suite WebGuard (antivirwebservice) - Unknown owner - C:\Program Files\Avira\Avira Premium Security Suite\AVWEBGRD.EXE (file missing)

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Avira Premium Security Suite MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

O23 - Service: DiRT Drivers Auto Removal (pr2ah4nb) (pr2ah4nb) - CODEMASTERS - C:\Windows\system32\pr2ah4nb.exe

O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\Windows\system32\pr2ah4nc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

 

--

End of file - 13577 bytes

 


"services.exe" is OK.

You have many services that must be removed. This is because all the services for "Avira Premium Security Suite", which you had before, are still running.

We'll take a log from ComboFix, then we'll make a fix for this.

Download ComboFix and put it on the desktop.

Do not click on the window while the program is running.

Post the log C:\combofix.txt

Edited by SNIPPSAT

Combofix log...

 

ComboFix 08-04-12.1 - Daniel 2008-04-12 23:04:18.1 - NTFSx86

Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1044.18.1003 [GMT 2:00]

Running from: C:\Users\Daniel\Desktop\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Program Files\internetgamebox

C:\Program Files\internetgamebox\InternetGameBox.exe

C:\Program Files\internetgamebox\language

C:\Program Files\internetgamebox\ressources\AttenteOff.html

C:\Program Files\internetgamebox\ressources\AttenteOn.html

C:\Program Files\internetgamebox\ressources\configv2_en.xml

C:\Program Files\internetgamebox\ressources\configv2_es.xml

C:\Program Files\internetgamebox\ressources\configv2_fr.xml

C:\Program Files\internetgamebox\ressources\favoris\defaultv2.swf

C:\Program Files\internetgamebox\skins\skinv2.skn

C:\Program Files\internetgamebox\uninst.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\InternetGameBox

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\InternetGameBox\InternetGameBox.lnk

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\InternetGameBox\Privacy Policy.url

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\InternetGameBox\Terms and Conditions.url

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\InternetGameBox\Uninstall.lnk

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\InternetGameBox\Website.url

C:\Users\Daniel\AppData\Local\ukbhck.dat

c:\users\daniel\appdata\local\ukbhck.exe

C:\Users\Daniel\AppData\Local\ukbhck_nav.dat

c:\Users\Daniel\AppData\Local\ukbhck_navps.dat

C:\Users\Daniel\AppData\Roaming\inst.exe

C:\Windows\clofghls.dll

C:\Windows\system32\nvs2.inf

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Service_ccEvtMgr

-------\Service_PortProxy

-------\Service_tunmp

 

 

((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))

.

 

2008-04-12 23:04 . 2008-04-12 23:04 6,736 --a------ C:\Windows\System32\drivers\PROCEXP90.SYS

2008-04-12 22:10 . 2008-04-12 22:10 <DIR> d-------- C:\Program Files\Trend Micro

2008-04-09 15:49 . 2008-02-15 01:19 944,184 --a------ C:\Windows\System32\winload.exe

2008-04-09 15:49 . 2008-02-19 07:10 620,088 --a------ C:\Windows\System32\ci.dll

2008-04-09 15:49 . 2008-02-29 08:39 371,712 --a------ C:\Windows\System32\srcore.dll

2008-04-09 15:49 . 2008-02-29 08:38 313,856 --a------ C:\Windows\System32\rstrui.exe

2008-04-09 15:49 . 2008-02-29 08:39 40,960 --a------ C:\Windows\System32\srclient.dll

2008-04-09 15:49 . 2008-02-29 08:51 19,000 --a------ C:\Windows\System32\kd1394.dll

2008-04-09 15:49 . 2008-02-29 08:38 16,384 --a------ C:\Windows\System32\srdelayed.exe

2008-04-09 15:49 . 2008-02-29 08:34 7,168 --a------ C:\Windows\System32\f3ahvoas.dll

2008-04-09 15:49 . 2008-02-29 08:35 6,656 --a------ C:\Windows\System32\kbd106n.dll

2008-04-03 23:18 . 2008-04-03 23:18 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\dvdcss

2008-04-03 18:04 . 2008-04-03 23:15 <DIR> d-------- C:\temp_dvd

2008-04-03 18:02 . 2008-04-03 23:03 <DIR> d-------- C:\Program Files\Dvd-cloner

2008-04-03 17:59 . 2008-04-03 17:59 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\Download Manager

2008-04-03 16:02 . 2008-04-03 16:03 <DIR> d-------- C:\Users\Daniel\dwhelper

2008-04-03 01:26 . 2008-04-03 01:26 41,296 --a------ C:\Windows\System32\xfcodec.dll

2008-04-01 18:05 . 2008-04-01 18:18 36 --a------ C:\Windows\mafosav.INI

2008-03-29 23:37 . 2008-03-29 23:37 <DIR> d-------- C:\Program Files\7-Zip

2008-03-29 23:22 . 2008-03-29 23:23 <DIR> d-------- C:\Users\All Users\Bluetooth

2008-03-29 23:22 . 2008-03-29 23:23 <DIR> d-------- C:\PROGRA~2\Bluetooth

2008-03-29 23:20 . 2008-03-29 23:20 <DIR> d-------- C:\Program Files\IVT Corporation

2008-03-29 22:22 . 2008-03-29 22:22 <DIR> d-------- C:\Program Files\Kwyshell

2008-03-23 01:40 . 2008-03-24 14:50 139,264 --a------ C:\Windows\War3Unin.exe

2008-03-23 01:40 . 2008-03-24 14:56 81,818 --a------ C:\Windows\War3Unin.dat

2008-03-23 01:40 . 2008-03-24 14:50 2,829 --a------ C:\Windows\War3Unin.pif

2008-03-22 22:09 . 2008-04-05 15:54 <DIR> d-------- C:\Program Files\WC3Banlist

2008-03-21 02:19 . 2008-03-21 02:19 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\Zabersoft

2008-03-20 19:24 . 2008-04-01 20:56 <DIR> d-------- C:\TEMP

2008-03-20 18:53 . 2008-03-20 18:53 <DIR> d-------- C:\Program Files\KnockOut 2

2008-03-18 01:32 . 2008-03-18 01:32 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\Talkback

2008-03-18 01:25 . 2008-03-18 01:31 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 4

2008-03-12 16:02 . 2007-12-17 00:50 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys

2008-03-12 16:02 . 2007-12-16 11:56 41,984 --a------ C:\Windows\System32\drivers\monitor.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-12 19:36 --------- d-----w C:\PROGRA~2\Symantec

2008-04-12 19:08 --------- d---a-w C:\PROGRA~2\TEMP

2008-04-12 17:29 --------- d-----w C:\Program Files\Warcraft III

2008-04-12 14:22 --------- d-----w C:\Users\Daniel\AppData\Roaming\uTorrent

2008-04-11 15:43 --------- d-----w C:\PROGRA~2\Xfire

2008-04-10 15:03 --------- d-----w C:\Users\Daniel\AppData\Roaming\LimeWire

2008-04-09 20:56 --------- d-----w C:\Program Files\Windows Mail

2008-04-09 16:32 --------- d-----w C:\PROGRA~2\Microsoft Help

2008-04-08 19:55 --------- d-----w C:\Users\Daniel\AppData\Roaming\Vso

2008-04-08 15:41 --------- d-----w C:\Program Files\StepMania

2008-04-08 12:55 --------- d-----w C:\Users\Daniel\AppData\Roaming\Xfire

2008-04-08 12:55 --------- d-----w C:\Program Files\Xfire

2008-04-06 13:35 --------- d-----w C:\Program Files\Common Files\Steam

2008-04-06 11:38 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-04-05 19:22 --------- d-----w C:\Users\Daniel\AppData\Roaming\Bioshock

2008-04-05 15:35 98,304 ----a-w C:\Windows\System32\CmdLineExt.dll

2008-04-04 20:20 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys

2008-04-04 20:20 107,832 ----a-w C:\Windows\System32\PnkBstrB.exe

2008-04-03 15:31 --------- d-----w C:\Users\Daniel\AppData\Roaming\Winamp

2008-04-03 14:33 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-04-03 13:57 --------- d-----w C:\Program Files\WMR11

2008-04-01 18:56 --------- d-----w C:\Users\Daniel\AppData\Roaming\Hamachi

2008-03-21 00:19 --------- d-----w C:\Program Files\PimpFish

2008-03-21 00:19 --------- d-----w C:\PROGRA~2\Zabersoft

2008-03-20 17:18 --------- d-----w C:\Users\Daniel\AppData\Roaming\Alien Skin

2008-03-20 01:29 --------- d-----w C:\Program Files\GetSmile

2008-03-11 15:38 --------- d-----w C:\Program Files\Norton Internet Security

2008-03-10 22:48 --------- d-----w C:\PROGRA~2\vsosdk

2008-03-09 17:32 --------- d-----w C:\PROGRA~2\Trymedia

2008-03-07 12:40 13,035 ----a-w C:\Windows\system32\drivers\SymRedir.cat

2008-03-07 12:40 1,358 ----a-w C:\Windows\system32\drivers\SymRedir.inf

2008-03-07 12:39 39,984 ----a-w C:\Windows\system32\drivers\symids.sys

2008-03-07 12:39 37,936 ----a-w C:\Windows\system32\drivers\symndisv.sys

2008-03-07 12:39 27,696 ----a-w C:\Windows\system32\drivers\symredrv.sys

2008-03-07 12:39 191,536 ----a-w C:\Windows\system32\drivers\symtdi.sys

2008-03-07 12:39 145,968 ----a-w C:\Windows\system32\drivers\symfw.sys

2008-03-07 12:39 12,848 ----a-w C:\Windows\system32\drivers\symdns.sys

2008-03-06 20:32 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf

2008-03-06 20:32 23,904 ----a-w C:\Windows\system32\drivers\COH_Mon.sys

2008-03-06 20:32 10,537 ----a-w C:\Windows\system32\drivers\COH_Mon.cat

2008-02-29 16:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-02-29 16:50 --------- d-----w C:\Program Files\AGEIA Technologies

2008-02-29 16:39 --------- d-----w C:\Program Files\Sony

2008-02-29 16:39 --------- d-----w C:\Program Files\Flying Lab Software

2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys

2008-02-26 21:21 --------- d-----w C:\Program Files\Common Files\Adobe

2008-02-26 20:46 --------- d-----w C:\Users\Daniel\AppData\Roaming\Notepad++

2008-02-26 20:46 --------- d-----w C:\Program Files\Notepad++

2008-02-25 15:06 --------- d-----w C:\Program Files\OpenTTD

2008-02-25 14:24 --------- d-----w C:\Program Files\Hamachi

2008-02-25 14:23 25,280 ----a-w C:\Windows\system32\drivers\hamachi.sys

2008-02-23 15:08 --------- d-----w C:\Users\Daniel\AppData\Roaming\UseNeXT

2008-02-23 14:24 --------- d-----w C:\Program Files\Cheat Engine

2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll

2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll

2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll

2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll

2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe

2008-02-17 16:48 --------- d-----w C:\Program Files\Audiosurf

2008-02-17 13:15 --------- d-----w C:\Program Files\Fiddler2

2008-02-17 04:00 1,244,672 ----a-w C:\Windows\System32\mcmde.dll

2008-02-17 01:56 --------- d-----w C:\PROGRA~2\FLEXnet

2008-02-17 01:06 --------- d-----w C:\Program Files\Reallusion

2008-02-16 22:24 --------- d-----w C:\Program Files\ImageX

2008-02-16 20:41 --------- d-----w C:\Program Files\Vista Boot Logo Generator

2008-02-16 20:31 --------- d-----w C:\Program Files\Stardock

2008-02-16 20:31 --------- d-----w C:\PROGRA~2\Stardock

2008-02-16 20:02 --------- d-----w C:\Program Files\CoreCodec

2008-02-16 19:59 --------- d-----w C:\Users\Daniel\AppData\Roaming\CoreCodec

2008-02-14 14:54 194,560 ----a-w C:\Windows\System32\WebClnt.dll

2008-02-14 14:54 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys

2008-02-14 14:52 595,456 ----a-w C:\Windows\System32\schedsvc.dll

2008-02-14 14:52 39,424 ----a-w C:\Windows\System32\lodctr.exe

2008-02-14 14:52 32,256 ----a-w C:\Windows\System32\unlodctr.exe

2008-02-14 14:52 17,408 ----a-w C:\Windows\System32\prflbmsg.dll

2008-02-14 14:52 115,200 ----a-w C:\Windows\System32\loadperf.dll

2008-02-14 14:50 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys

2008-02-14 14:50 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe

2008-02-14 14:50 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe

2008-02-14 14:50 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys

2008-02-14 14:50 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys

2008-02-14 14:50 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys

2008-02-14 14:50 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys

2008-02-14 14:49 806,400 ----a-w C:\Windows\system32\drivers\tcpip.sys

2008-02-14 14:49 24,064 ----a-w C:\Windows\System32\netcfg.exe

2008-02-14 14:49 22,016 ----a-w C:\Windows\System32\netiougc.exe

2008-02-14 14:49 217,144 ----a-w C:\Windows\system32\drivers\netio.sys

2008-02-14 14:49 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll

2008-02-14 14:48 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll

2008-02-14 14:48 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll

2008-02-14 14:48 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll

2008-02-14 14:48 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll

2008-02-14 14:48 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll

2008-02-14 14:48 1,686,528 ----a-w C:\Windows\System32\gameux.dll

2008-02-13 19:04 --------- d-----w C:\PROGRA~2\Media Center Programs

2008-02-03 17:01 352,256 ----a-w C:\Windows\eSellerateEngine.dll

2008-02-03 16:44 774,144 ----a-w C:\Program Files\RngInterstitial.dll

2007-12-27 21:00 22,328 ----a-w C:\Users\Daniel\AppData\Roaming\PnkBstrK.sys

2006-05-06 16:42 7,260,160 ----a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll

2007-11-24 12:11 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007112420071125\index.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 16:46 1232896]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]

"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 17:09 171464]

"GetSmile"="C:\Program Files\GetSmile\GetSmile.exe" [2005-10-22 17:39 1814528]

"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:34 125440]

"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 13:32 81920]

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:33 201728]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-09-02 06:37 1006264]

"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 21:04 4423680 C:\Windows\RtHDVCpl.exe]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

"NWEReboot"="" []

"ElbyCheckAnyDVD"="C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" [2003-09-20 21:23 45056]

"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2004-10-10 11:10 175616]

"Resume copy"="copyfstq.exe" [2007-09-09 17:45 73728 C:\Windows\copyfstq.exe]

"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-11 22:28 86016]

"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-11 22:28 8497696]

"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-11 22:28 81920]

"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-06 01:52 849280]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 16:24 71216]

"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 16:21 54832]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 07:59 115816]

"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]

"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]

"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-11-06 10:27 200704]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]

"RegistryMechanic"="" []

"AgataSoft ShutDown Pro"="C:\Program Files\AgataSoft\AgataSoft ShutDown Pro\AgataSoft_ShutDown_Pro.exe" [2007-06-17 16:29 631808]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

 

C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Password Keeper.lnk - C:\Program Files\Software by Design\PassKeep.exe [2008-01-26 20:12:14 647168]

Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2008-04-03 01:25:58 2987856]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UacDisableNotify"=dword:00000001

"InternetSettingsDisableNotify"=dword:00000001

"AutoUpdateDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"TCP Query User{13D95D7C-66DC-4C36-B260-5360EA241F68}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent

"UDP Query User{58B15E43-A715-41A2-9155-3CD5F4AE38B5}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent

"{43F7A967-96FE-4201-A4F7-E0BD65FF578D}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)

"{BF81EFCC-D035-4AD0-A447-A8769D09CFAC}"= UDP:D:\Spill\Demoer\World in Conflict\wic.exe:World in Conflict - DEMO

"{477C907A-73D6-4F4A-B422-2FABD6ED44A9}"= TCP:D:\Spill\Demoer\World in Conflict\wic.exe:World in Conflict - DEMO

"{71124765-EF6A-414D-B672-EA926BC15B25}"= UDP:C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2

"{DC960AE6-6255-41CE-9D80-5CEF7766999B}"= TCP:C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2

"{E49E740A-08C7-46A0-97D5-F4EEF966F501}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire

"{924000B7-D2BA-41F2-AF4E-CE86A2A00E52}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire

"{D0236AC8-BC3E-44E8-A36E-17822D3AF005}"= UDP:D:\Spill\World in Conflict\wic.exe:World in Conflict

"{766CD8B6-6763-4CBA-AF7B-B11248773451}"= TCP:D:\Spill\World in Conflict\wic.exe:World in Conflict

"{8A3AE816-0C9D-4D52-86AA-B14DC93EF3D7}"= UDP:D:\Spill\World in Conflict\wic_online.exe:World in Conflict - Online Only

"{6EE4CD71-EE46-43C0-9759-6F52FDA8A11C}"= TCP:D:\Spill\World in Conflict\wic_online.exe:World in Conflict - Online Only

"{4F978B53-A89D-41A2-931C-BECDEAFBB1A3}"= UDP:D:\Spill\World in Conflict\wic_ds.exe:World in Conflict - Dedicated Server

"{01F286E8-D27B-434F-839A-64C09B9921C3}"= TCP:D:\Spill\World in Conflict\wic_ds.exe:World in Conflict - Dedicated Server

"{4C0F2710-ECD8-4595-A45E-7EF4A3FFFFEA}"= UDP:C:\Users\Daniel\Program Files\uTorrent\uTorrent.exe:µTorrent

"{5B8BB0DB-C62E-47B8-B16B-5FE0CD65B1A1}"= TCP:C:\Users\Daniel\Program Files\uTorrent\uTorrent.exe:µTorrent

"{CEDBAD2A-2A62-486B-ADE4-263FCCB65601}"= UDP:D:\Spill\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)

"{F8E1AC03-3CF4-4C0E-8ECC-490A02B8DF6C}"= TCP:D:\Spill\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)

"{042764B0-2AAB-42C5-8F5E-05D02C9D3354}"= UDP:D:\Spill\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)

"{E065B37F-F75A-4602-BCF7-F6333B86D040}"= TCP:D:\Spill\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)

"{EF890C9E-18D4-43F9-B36A-4B11EFA634AB}"= UDP:C:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas\Binaries\R6Vegas_Game.exe:Rainbow Six Vegas

"{AA524B74-76B9-4C88-B61C-A7779842BB10}"= TCP:C:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas\Binaries\R6Vegas_Game.exe:Rainbow Six Vegas

"{8D3F1C2A-DDB5-47D6-ADA0-3691654DBAC2}"= UDP:C:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas\Binaries\R6Vegas_Launcher.exe:Rainbow Six Vegas Updater

"{06E978F4-340F-4025-922E-78F211BFCE6B}"= TCP:C:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas\Binaries\R6Vegas_Launcher.exe:Rainbow Six Vegas Updater

"{18C04B73-418B-465B-AF7F-33B1740D2F78}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook

"{DF32217B-D472-4D8F-BB90-2A9FA86B13A0}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove

"{E3E7E2CD-59EE-492B-B78E-1903001FA8B3}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove

"{73EFD741-966B-40EA-8080-BC6A0764DA82}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{BC9106B5-F8A1-44A7-8CE3-54D531EB5F3F}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{E2AD9088-AAC0-4899-936A-93069C4FA757}"= C:\Program Files\Cyberlink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD

"{9DCD755F-F233-4785-A9D4-B6C9209E57F9}"= UDP:C:\Program Files\Sienzo\DMM\DMM.exe:DMM

"{44B7D920-8429-4AE7-9B54-547FCC7C2A89}"= TCP:C:\Program Files\Sienzo\DMM\DMM.exe:DMM

"{37E0CED8-F7A9-433B-A6B0-491B499ECFFF}"= UDP:C:\Users\Daniel\Program Files\uTorrent\uTorrent.exe:µTorrent

"{F38CD448-B5E0-4E09-8343-F12E3CA759CA}"= TCP:C:\Users\Daniel\Program Files\uTorrent\uTorrent.exe:µTorrent

"{5C734DC1-EE31-42DB-8FD4-E4092AB869A0}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil

"{427CC88B-A2E8-4708-9877-2EA899D6B295}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil

"{F2729A36-9B21-4CDE-BC60-AAF2F765EFD4}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS

"{88866CA4-1FF0-4C62-B740-D38E31AFCE4D}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS

"{125D739A-8B8D-4D49-94FC-A89F0720D066}"= UDP:C:\Program Files\Leaf Networks\Leaf\bin\Leaf.exe:Leaf

"{A095958D-A503-49C0-9E3B-BF2DBEC9D4CD}"= TCP:C:\Program Files\Leaf Networks\Leaf\bin\Leaf.exe:Leaf

"{DF0F5B76-025F-4B17-BE00-29DB0F4D2B3C}"= UDP:D:\Spill\THE SETTLERS - Rise of an Empire\base\bin\Settlers6.exe:THE SETTLERS - Rise of an Empire

"{584D1B40-812C-49BF-A1F9-A33CE55DC219}"= TCP:D:\Spill\THE SETTLERS - Rise of an Empire\base\bin\Settlers6.exe:THE SETTLERS - Rise of an Empire

"{5D25814B-0948-449F-8871-CF617C3D9572}"= UDP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client

"{86E2C3B7-A06E-4B42-8A3D-11213E5E0C36}"= TCP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client

"{EF1ED000-DB61-4BA0-846F-6F9DBE382E4A}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA

"{28B2D202-5EA6-43CF-BCC5-5286D421AB9E}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA

"{DBF40C5F-7FE9-45A4-8E6B-4F36DFE8D28D}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB

"{70CEA0B9-EEE4-4C72-96AE-531CD7CBFD1A}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB

"{BD99C07F-1421-473C-A19B-043CE7AE85E6}"= UDP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty® 4 - Modern Warfare

"{8EDB1CF2-EDBF-4A85-917F-95DDE5970E17}"= TCP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty® 4 - Modern Warfare

"{4A035EA9-F75F-4EB4-BF00-26692B848784}"= UDP:C:\Program Files\AeriaGames\ProjectTorque\ProjectTorque.bin:Project Torque

"{1A88F8FE-E7BF-442B-8F3C-FBA0C6CC9766}"= TCP:C:\Program Files\AeriaGames\ProjectTorque\ProjectTorque.bin:Project Torque

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]

"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]

"EnableFirewall"= 0 (0x0)

 

R0 hotcore3;hotcore3;C:\Windows\system32\drivers\hotcore3.sys [2007-03-07 13:27]

R0 pe3ah4nb;DiRT Environment Driver (pe3ah4nb);C:\Windows\system32\drivers\pe3ah4nb.sys [2007-06-11 13:11]

R0 pe3ah4nc;DiRT Environment Driver (pe3ah4nc);C:\Windows\system32\drivers\pe3ah4nc.sys [2007-05-18 21:53]

R0 ps6ah4nb;DiRT Synchronization Driver (ps6ah4nb);C:\Windows\system32\drivers\ps6ah4nb.sys [2007-06-11 13:10]

R0 ps6ah4nc;DiRT Synchronization Driver (ps6ah4nc);C:\Windows\system32\drivers\ps6ah4nc.sys [2007-05-18 21:52]

R1 avfwot;avfwot;C:\Windows\system32\DRIVERS\avfwot.sys [2007-10-10 20:23]

R1 ElRawDisk;ElRawDisk;C:\Windows\system32\drivers\elrawdsk.sys [2007-09-20 14:12]

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080407.003\IDSvix86.sys [2008-02-13 18:18]

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]

R2 AVEService;Avira Premium Security Suite MailGuard helper service;"C:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe" [2007-10-10 20:23]

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\Windows\system32\DRIVERS\atl01v32.sys [2007-09-02 00:04]

R3 avfwim;AvFw Packet Filter Miniport;C:\Windows\system32\DRIVERS\avfwim.sys [2007-08-30 13:12]

R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-03-07 14:39]

R3 usbprint;Microsoft USB PRINTER Class;C:\Windows\system32\DRIVERS\usbprint.sys [2006-11-02 11:14]

S2 AntiVirFirewallService;Avira Premium Security Suite Firewall;"C:\Program Files\Avira\Avira Premium Security Suite\avfwsvc.exe" []

S2 AntiVirMailService;Avira Premium Security Suite MailGuard;"C:\Program Files\Avira\Avira Premium Security Suite\avmailc.exe" []

S2 antivirwebservice;Avira Premium Security Suite WebGuard;"C:\Program Files\Avira\Avira Premium Security Suite\AVWEBGRD.EXE" []

S2 pr2ah4nb;DiRT Drivers Auto Removal (pr2ah4nb);C:\Windows\system32\pr2ah4nb.exe svc []

S2 pr2ah4nc;DiRT Drivers Auto Removal (pr2ah4nc);C:\Windows\system32\pr2ah4nc.exe svc []

S3 leafnets;Leaf Networks Adapter;C:\Windows\system32\DRIVERS\leafnets.sys [2007-05-03 01:48]

S3 Start BT in service;Start BT in service;C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-04-21 15:54]

S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-04-06 15:35]

 

*Newly Created Service* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

"2007-12-03 19:26:17 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Daniel.job"

- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:

.

**************************************************************************

 

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-12 23:12:32

Windows 6.0.6000 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Windows\System32\audiodg.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Windows\System32\conime.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\Windows\System32\PnkBstrA.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\WUDFHost.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\wbem\unsecapp.exe

C:\Windows\System32\dllhost.exe

.

**************************************************************************

.

Completion time: 2008-04-12 23:17:43 - machine was rebooted

ComboFix-quarantined-files.txt 2008-04-12 21:17:27

Pre-Run: 35,179,941,888 byte ledig

Post-Run: 36,461,969,408 byte ledig

.

2008-04-11 16:04:03 --- E O F ---

 

 


Stay away from internetgamebox, which has now been removed.

 

Start HijackThis, run a "scan", find these lines, tick them, then press "Fix checked".

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)

O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)

---------------

Start -> Run -> cmd

 

Type this (tip: you can copy it and paste it into cmd):

 

Sc stop AntiVirFirewallService

Sc delete AntiVirFirewallService

 

Sc stop AntiVirMailService

Sc delete AntiVirMailService

 

Sc stop AntiVirScheduler

Sc delete AntiVirScheduler

 

Sc stop AntiVirService

Sc delete AntiVirService

 

Sc stop antivirwebservice

Sc delete antivirwebservice

 

Sc stop AVEService

Sc delete AVEService

---------------

Copy the bold text and paste it into Notepad.

Save it on the desktop as CFScript.txt.

Do as shown in the picture, then post the log c:\combofix.txt.

[image: cfscriptyt1.gif]

 

Driver::

R1 avfwot

R2 AVEService

S2 AntiVirFirewallService

S2 AntiVirMailService

S2 antivirwebservice

---------------

Download and run CCleaner.

'Options' -> 'Advanced'. Untick the box in front of: "only delete temporary files older than 48 hours".

Run the registry cleaner and answer yes to repairing.

 

Download, update and run a full scan with SAS free.

Post the log from SAS (preferences -> statistics/logs).

---------------

Did you use "Add or Remove Programs" when you removed "Avira Premium Security Suite"?

If so, it did a poor job.

As you can see, doing it manually is a bit of a hassle.

 

Restart, then post a new HijackThis log.

Edited by SNIPPSAT
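A cross-check of the names targeted in the reply above (the sc stop/delete list and the CFScript "Driver::" list) against the driver/service lines of the first ComboFix log, as an added example that is not part of the original posts or of ComboFix. The reading of the line prefix (R = running, S = stopped, digit = start type) and of an empty [] as "no file date recorded" is an assumption, and the function names are hypothetical.

```python
import re
from typing import NamedTuple

# Driver/service lines copied from the first ComboFix log in this thread.
LOG_LINES = r"""
R0 hotcore3;hotcore3;C:\Windows\system32\drivers\hotcore3.sys [2007-03-07 13:27]
R0 pe3ah4nb;DiRT Environment Driver (pe3ah4nb);C:\Windows\system32\drivers\pe3ah4nb.sys [2007-06-11 13:11]
R0 pe3ah4nc;DiRT Environment Driver (pe3ah4nc);C:\Windows\system32\drivers\pe3ah4nc.sys [2007-05-18 21:53]
R0 ps6ah4nb;DiRT Synchronization Driver (ps6ah4nb);C:\Windows\system32\drivers\ps6ah4nb.sys [2007-06-11 13:10]
R0 ps6ah4nc;DiRT Synchronization Driver (ps6ah4nc);C:\Windows\system32\drivers\ps6ah4nc.sys [2007-05-18 21:52]
R1 avfwot;avfwot;C:\Windows\system32\DRIVERS\avfwot.sys [2007-10-10 20:23]
R1 ElRawDisk;ElRawDisk;C:\Windows\system32\drivers\elrawdsk.sys [2007-09-20 14:12]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080407.003\IDSvix86.sys [2008-02-13 18:18]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
R2 AVEService;Avira Premium Security Suite MailGuard helper service;"C:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe" [2007-10-10 20:23]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\Windows\system32\DRIVERS\atl01v32.sys [2007-09-02 00:04]
R3 avfwim;AvFw Packet Filter Miniport;C:\Windows\system32\DRIVERS\avfwim.sys [2007-08-30 13:12]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-03-07 14:39]
R3 usbprint;Microsoft USB PRINTER Class;C:\Windows\system32\DRIVERS\usbprint.sys [2006-11-02 11:14]
S2 AntiVirFirewallService;Avira Premium Security Suite Firewall;"C:\Program Files\Avira\Avira Premium Security Suite\avfwsvc.exe" []
S2 AntiVirMailService;Avira Premium Security Suite MailGuard;"C:\Program Files\Avira\Avira Premium Security Suite\avmailc.exe" []
S2 antivirwebservice;Avira Premium Security Suite WebGuard;"C:\Program Files\Avira\Avira Premium Security Suite\AVWEBGRD.EXE" []
S2 pr2ah4nb;DiRT Drivers Auto Removal (pr2ah4nb);C:\Windows\system32\pr2ah4nb.exe svc []
S2 pr2ah4nc;DiRT Drivers Auto Removal (pr2ah4nc);C:\Windows\system32\pr2ah4nc.exe svc []
S3 leafnets;Leaf Networks Adapter;C:\Windows\system32\DRIVERS\leafnets.sys [2007-05-03 01:48]
S3 Start BT in service;Start BT in service;C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-04-21 15:54]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-04-06 15:35]
"""

# Names taken from the reply: the sc stop/delete list and the CFScript "Driver::" list.
SC_TARGETS = ["AntiVirFirewallService", "AntiVirMailService", "AntiVirScheduler",
              "AntiVirService", "antivirwebservice", "AVEService"]
CFSCRIPT_TARGETS = ["avfwot", "AVEService", "AntiVirFirewallService",
                    "AntiVirMailService", "antivirwebservice"]

# Assumed meaning of the digit after R/S: the service start type.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?) \[(?P<stamp>[^\]]*)\]$"
)


class Entry(NamedTuple):
    running: bool
    start: str
    name: str
    display: str
    image: str
    stamp: str  # empty when the log recorded no file date


def parse_entries(text):
    """Return {lower-cased name: Entry}; service names are case-insensitive."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # blank or non-service line
        entries[m["name"].lower()] = Entry(
            running=m["state"] == "R", start=START_TYPES[m["start"]],
            name=m["name"], display=m["display"],
            image=m["image"].strip('"'), stamp=m["stamp"])
    return entries


def split_targets(entries, targets):
    """Split target names into those with a log line and those without one.
    A name without a line is only absent from this listing, not proven
    absent from the system."""
    listed = [t for t in targets if t.lower() in entries]
    unlisted = [t for t in targets if t.lower() not in entries]
    return listed, unlisted


def vendor_hits(entries, marker):
    """Names whose display name or image path mentions the vendor marker."""
    marker = marker.lower()
    return sorted(e.name for e in entries.values()
                  if marker in e.display.lower() or marker in e.image.lower())


def stopped_autostart_without_date(entries):
    """Auto-start entries that are stopped and carry an empty [] file date."""
    return sorted(e.name for e in entries.values()
                  if not e.running and e.start == "auto" and not e.stamp)


if __name__ == "__main__":
    entries = parse_entries(LOG_LINES)
    print("sc targets without a log line:", split_targets(entries, SC_TARGETS)[1])
    print("CFScript targets without a log line:", split_targets(entries, CFSCRIPT_TARGETS)[1])
    print("entries mentioning 'Avira':", vendor_hits(entries, "Avira"))
    print("stopped auto-start, no file date:", stopped_autostart_without_date(entries))
```

Matching on the vendor string alone does not find avfwot, which the CFScript list names explicitly, so a name-based search of such a log is a starting point rather than a complete inventory.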

I have now done what you wrote..

Only these were in the HijackThis list:

 

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)

O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)

 

Here is the ComboFix log:

 

ComboFix 08-04-12.1 - Daniel 2008-04-13 12:45:40.2 - NTFSx86

Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1044.18.1142 [GMT 2:00]

Running from: C:\Users\Daniel\Desktop\ComboFix.exe

Command switches used :: C:\Users\Daniel\Desktop\CFScript.txt

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Service_ccEvtMgr

 

 

((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))

.

 

2008-04-12 22:10 . 2008-04-12 22:10 <DIR> d-------- C:\Program Files\Trend Micro

2008-04-09 15:49 . 2008-02-15 01:19 944,184 --a------ C:\Windows\System32\winload.exe

2008-04-09 15:49 . 2008-02-19 07:10 620,088 --a------ C:\Windows\System32\ci.dll

2008-04-09 15:49 . 2008-02-29 08:39 371,712 --a------ C:\Windows\System32\srcore.dll

2008-04-09 15:49 . 2008-02-29 08:38 313,856 --a------ C:\Windows\System32\rstrui.exe

2008-04-09 15:49 . 2008-02-29 08:39 40,960 --a------ C:\Windows\System32\srclient.dll

2008-04-09 15:49 . 2008-02-29 08:51 19,000 --a------ C:\Windows\System32\kd1394.dll

2008-04-09 15:49 . 2008-02-29 08:38 16,384 --a------ C:\Windows\System32\srdelayed.exe

2008-04-09 15:49 . 2008-02-29 08:34 7,168 --a------ C:\Windows\System32\f3ahvoas.dll

2008-04-09 15:49 . 2008-02-29 08:35 6,656 --a------ C:\Windows\System32\kbd106n.dll

2008-04-03 23:18 . 2008-04-03 23:18 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\dvdcss

2008-04-03 18:04 . 2008-04-03 23:15 <DIR> d-------- C:\temp_dvd

2008-04-03 18:02 . 2008-04-03 23:03 <DIR> d-------- C:\Program Files\Dvd-cloner

2008-04-03 17:59 . 2008-04-03 17:59 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\Download Manager

2008-04-03 16:02 . 2008-04-03 16:03 <DIR> d-------- C:\Users\Daniel\dwhelper

2008-04-03 01:26 . 2008-04-03 01:26 41,296 --a------ C:\Windows\System32\xfcodec.dll

2008-04-01 18:05 . 2008-04-01 18:18 36 --a------ C:\Windows\mafosav.INI

2008-03-29 23:37 . 2008-03-29 23:37 <DIR> d-------- C:\Program Files\7-Zip

2008-03-29 23:22 . 2008-03-29 23:23 <DIR> d-------- C:\Users\All Users\Bluetooth

2008-03-29 23:22 . 2008-03-29 23:23 <DIR> d-------- C:\PROGRA~2\Bluetooth

2008-03-29 23:20 . 2008-03-29 23:20 <DIR> d-------- C:\Program Files\IVT Corporation

2008-03-29 22:22 . 2008-03-29 22:22 <DIR> d-------- C:\Program Files\Kwyshell

2008-03-23 01:40 . 2008-03-24 14:50 139,264 --a------ C:\Windows\War3Unin.exe

2008-03-23 01:40 . 2008-03-24 14:56 81,818 --a------ C:\Windows\War3Unin.dat

2008-03-23 01:40 . 2008-03-24 14:50 2,829 --a------ C:\Windows\War3Unin.pif

2008-03-22 22:09 . 2008-04-05 15:54 <DIR> d-------- C:\Program Files\WC3Banlist

2008-03-21 02:19 . 2008-03-21 02:19 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\Zabersoft

2008-03-20 19:24 . 2008-04-01 20:56 <DIR> d-------- C:\TEMP

2008-03-20 18:53 . 2008-03-20 18:53 <DIR> d-------- C:\Program Files\KnockOut 2

2008-03-18 01:32 . 2008-03-18 01:32 <DIR> d-------- C:\Users\Daniel\AppData\Roaming\Talkback

2008-03-18 01:25 . 2008-03-18 01:31 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 4

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-13 01:34 --------- d-----w C:\Users\Daniel\AppData\Roaming\uTorrent

2008-04-13 00:32 --------- d-----w C:\PROGRA~2\Symantec

2008-04-12 23:59 --------- d-----w C:\Program Files\Warcraft III

2008-04-12 19:08 --------- d---a-w C:\PROGRA~2\TEMP

2008-04-12 02:08 --------- d-----w C:\Program Files\DC++

2008-04-11 15:43 --------- d-----w C:\PROGRA~2\Xfire

2008-04-10 15:03 --------- d-----w C:\Users\Daniel\AppData\Roaming\LimeWire

2008-04-09 20:56 --------- d-----w C:\Program Files\Windows Mail

2008-04-09 16:32 --------- d-----w C:\PROGRA~2\Microsoft Help

2008-04-08 19:55 --------- d-----w C:\Users\Daniel\AppData\Roaming\Vso

2008-04-08 15:41 --------- d-----w C:\Program Files\StepMania

2008-04-08 12:55 --------- d-----w C:\Users\Daniel\AppData\Roaming\Xfire

2008-04-08 12:55 --------- d-----w C:\Program Files\Xfire

2008-04-06 13:35 --------- d-----w C:\Program Files\Common Files\Steam

2008-04-06 11:38 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-04-05 19:22 --------- d-----w C:\Users\Daniel\AppData\Roaming\Bioshock

2008-04-04 20:20 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys

2008-04-03 15:31 --------- d-----w C:\Users\Daniel\AppData\Roaming\Winamp

2008-04-03 14:33 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-04-03 13:57 --------- d-----w C:\Program Files\WMR11

2008-04-01 18:56 --------- d-----w C:\Users\Daniel\AppData\Roaming\Hamachi

2008-03-21 00:19 --------- d-----w C:\Program Files\PimpFish

2008-03-21 00:19 --------- d-----w C:\PROGRA~2\Zabersoft

2008-03-20 17:18 --------- d-----w C:\Users\Daniel\AppData\Roaming\Alien Skin

2008-03-20 01:29 --------- d-----w C:\Program Files\GetSmile

2008-03-11 15:38 --------- d-----w C:\Program Files\Norton Internet Security

2008-03-10 22:48 --------- d-----w C:\PROGRA~2\vsosdk

2008-03-09 17:32 --------- d-----w C:\PROGRA~2\Trymedia

2008-03-07 12:40 13,035 ----a-w C:\Windows\system32\drivers\SymRedir.cat

2008-03-07 12:40 1,358 ----a-w C:\Windows\system32\drivers\SymRedir.inf

2008-03-07 12:39 39,984 ----a-w C:\Windows\system32\drivers\symids.sys

2008-03-07 12:39 37,936 ----a-w C:\Windows\system32\drivers\symndisv.sys

2008-03-07 12:39 27,696 ----a-w C:\Windows\system32\drivers\symredrv.sys

2008-03-07 12:39 191,536 ----a-w C:\Windows\system32\drivers\symtdi.sys

2008-03-07 12:39 145,968 ----a-w C:\Windows\system32\drivers\symfw.sys

2008-03-07 12:39 12,848 ----a-w C:\Windows\system32\drivers\symdns.sys

2008-03-06 20:32 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf

2008-03-06 20:32 23,904 ----a-w C:\Windows\system32\drivers\COH_Mon.sys

2008-03-06 20:32 10,537 ----a-w C:\Windows\system32\drivers\COH_Mon.cat

2008-02-29 16:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-02-29 16:50 --------- d-----w C:\Program Files\AGEIA Technologies

2008-02-29 16:39 --------- d-----w C:\Program Files\Sony

2008-02-29 16:39 --------- d-----w C:\Program Files\Flying Lab Software

2008-02-26 21:21 --------- d-----w C:\Program Files\Common Files\Adobe

2008-02-26 20:46 --------- d-----w C:\Users\Daniel\AppData\Roaming\Notepad++

2008-02-26 20:46 --------- d-----w C:\Program Files\Notepad++

2008-02-26 16:13 --------- d-----w C:\Program Files\LimeWire

2008-02-25 15:06 --------- d-----w C:\Program Files\OpenTTD

2008-02-25 14:24 --------- d-----w C:\Program Files\Hamachi

2008-02-25 14:23 25,280 ----a-w C:\Windows\system32\drivers\hamachi.sys

2008-02-23 15:08 --------- d-----w C:\Users\Daniel\AppData\Roaming\UseNeXT

2008-02-23 14:24 --------- d-----w C:\Program Files\Cheat Engine

2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll

2008-02-17 16:48 --------- d-----w C:\Program Files\Audiosurf

2008-02-17 13:15 --------- d-----w C:\Program Files\Fiddler2

2008-02-17 01:56 --------- d-----w C:\PROGRA~2\FLEXnet

2008-02-17 01:06 --------- d-----w C:\Program Files\Reallusion

2008-02-16 22:24 --------- d-----w C:\Program Files\ImageX

2008-02-16 20:41 --------- d-----w C:\Program Files\Vista Boot Logo Generator

2008-02-16 20:31 --------- d-----w C:\Program Files\Stardock

2008-02-16 20:31 --------- d-----w C:\PROGRA~2\Stardock

2008-02-16 20:02 --------- d-----w C:\Program Files\CoreCodec

2008-02-16 19:59 --------- d-----w C:\Users\Daniel\AppData\Roaming\CoreCodec

2008-02-14 14:54 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys

2008-02-14 14:53 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys

2008-02-14 14:53 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys

2008-02-14 14:53 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys

2008-02-14 14:53 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys

2008-02-14 14:53 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys

2008-02-14 14:53 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys

2008-02-14 14:53 15,872 ----a-w C:\Windows\system32\drivers\mouhid.sys

2008-02-14 14:50 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys

2008-02-14 14:50 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys

2008-02-14 14:50 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys

2008-02-14 14:50 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys

2008-02-14 14:50 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys

2008-02-14 14:49 806,400 ----a-w C:\Windows\system32\drivers\tcpip.sys

2008-02-14 14:49 217,144 ----a-w C:\Windows\system32\drivers\netio.sys

2008-02-14 14:48 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll

2008-02-14 14:48 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll

2008-02-14 14:48 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll

2008-02-14 14:48 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll

2008-02-13 19:04 --------- d-----w C:\PROGRA~2\Media Center Programs

2008-02-03 17:01 352,256 ----a-w C:\Windows\eSellerateEngine.dll

2008-02-03 16:44 774,144 ----a-w C:\Program Files\RngInterstitial.dll

2007-12-27 21:00 22,328 ----a-w C:\Users\Daniel\AppData\Roaming\PnkBstrK.sys

2007-12-01 20:58 47,360 ----a-w C:\Users\Daniel\AppData\Roaming\pcouffin.sys

2007-11-28 16:28 81,920 ----a-w C:\Users\Daniel\AppData\Roaming\ezpinst.exe

2007-11-22 14:49 129,382 ----a-w C:\Users\All Users\firstlsp.reg.dat

2007-11-22 14:49 129,382 ----a-w C:\PROGRA~2\firstlsp.reg.dat

2007-09-02 10:32 174 --sha-w C:\Program Files\desktop.ini

2006-05-06 16:42 7,260,160 ----a-w C:\Program Files\mozilla firefox\plugins\libvlc.dll

2007-11-24 12:11 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007112420071125\index.dat

.

 

((((((((((((((((((((((((((((( snapshot@2008-04-12_23.16.58.93 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-04-12 21:10:47 67,584 --s-a-w C:\Windows\bootstat.dat

+ 2008-04-13 10:51:54 67,584 --s-a-w C:\Windows\bootstat.dat

- 2008-04-12 20:28:55 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat

+ 2008-04-13 10:34:23 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat

- 2008-04-12 21:11:05 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat

+ 2008-04-13 10:52:21 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat

+ 2008-04-13 10:52:21 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1

- 2008-04-12 19:14:41 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat

+ 2008-04-13 10:21:15 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat

- 2008-04-12 21:11:05 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat

+ 2008-04-13 10:52:21 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat

+ 2008-04-13 10:52:21 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1

- 2008-04-12 20:19:20 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2008-04-13 10:34:41 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2008-04-12 20:19:20 688,128 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2008-04-13 10:34:41 688,128 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2008-04-12 20:19:20 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2008-04-13 10:34:41 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2008-04-12 19:14:14 21,500 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-609434516-2690223779-1038198900-1000_UserData.bin

+ 2008-04-13 10:21:35 21,762 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-609434516-2690223779-1038198900-1000_UserData.bin

- 2008-04-12 19:14:13 124,464 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin

+ 2008-04-13 10:21:34 124,776 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin

- 2008-04-12 11:21:55 101,410 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin

+ 2008-04-13 10:21:32 101,582 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 16:46 1232896]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]

"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-29 17:09 171464]

"GetSmile"="C:\Program Files\GetSmile\GetSmile.exe" [2005-10-22 17:39 1814528]

"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:34 125440]

"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 13:32 81920]

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:33 201728]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-09-02 06:37 1006264]

"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 21:04 4423680 C:\Windows\RtHDVCpl.exe]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

"NWEReboot"="" []

"ElbyCheckAnyDVD"="C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" [2003-09-20 21:23 45056]

"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2004-10-10 11:10 175616]

"Resume copy"="copyfstq.exe" [2007-09-09 17:45 73728 C:\Windows\copyfstq.exe]

"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-11 22:28 86016]

"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-11 22:28 8497696]

"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-11 22:28 81920]

"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-06 01:52 849280]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 16:24 71216]

"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 16:21 54832]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 07:59 115816]

"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]

"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]

"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-11-06 10:27 200704]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]

"RegistryMechanic"="" []

"AgataSoft ShutDown Pro"="C:\Program Files\AgataSoft\AgataSoft ShutDown Pro\AgataSoft_ShutDown_Pro.exe" [2007-06-17 16:29 631808]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

 

C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Password Keeper.lnk - C:\Program Files\Software by Design\PassKeep.exe [2008-01-26 20:12:14 647168]

Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2008-04-03 01:25:58 2987856]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UacDisableNotify"=dword:00000001

"InternetSettingsDisableNotify"=dword:00000001

"AutoUpdateDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"TCP Query User{13D95D7C-66DC-4C36-B260-5360EA241F68}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent

"UDP Query User{58B15E43-A715-41A2-9155-3CD5F4AE38B5}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent

"{43F7A967-96FE-4201-A4F7-E0BD65FF578D}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)

"{BF81EFCC-D035-4AD0-A447-A8769D09CFAC}"= UDP:D:\Spill\Demoer\World in Conflict\wic.exe:World in Conflict - DEMO

"{477C907A-73D6-4F4A-B422-2FABD6ED44A9}"= TCP:D:\Spill\Demoer\World in Conflict\wic.exe:World in Conflict - DEMO

"{71124765-EF6A-414D-B672-EA926BC15B25}"= UDP:C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2

"{DC960AE6-6255-41CE-9D80-5CEF7766999B}"= TCP:C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2

"{E49E740A-08C7-46A0-97D5-F4EEF966F501}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire

"{924000B7-D2BA-41F2-AF4E-CE86A2A00E52}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire

"{D0236AC8-BC3E-44E8-A36E-17822D3AF005}"= UDP:D:\Spill\World in Conflict\wic.exe:World in Conflict

"{766CD8B6-6763-4CBA-AF7B-B11248773451}"= TCP:D:\Spill\World in Conflict\wic.exe:World in Conflict

"{8A3AE816-0C9D-4D52-86AA-B14DC93EF3D7}"= UDP:D:\Spill\World in Conflict\wic_online.exe:World in Conflict - Online Only

"{6EE4CD71-EE46-43C0-9759-6F52FDA8A11C}"= TCP:D:\Spill\World in Conflict\wic_online.exe:World in Conflict - Online Only

"{4F978B53-A89D-41A2-931C-BECDEAFBB1A3}"= UDP:D:\Spill\World in Conflict\wic_ds.exe:World in Conflict - Dedicated Server

"{01F286E8-D27B-434F-839A-64C09B9921C3}"= TCP:D:\Spill\World in Conflict\wic_ds.exe:World in Conflict - Dedicated Server

"{4C0F2710-ECD8-4595-A45E-7EF4A3FFFFEA}"= UDP:C:\Users\Daniel\Program Files\uTorrent\uTorrent.exe:µTorrent

"{5B8BB0DB-C62E-47B8-B16B-5FE0CD65B1A1}"= TCP:C:\Users\Daniel\Program Files\uTorrent\uTorrent.exe:µTorrent

"{CEDBAD2A-2A62-486B-ADE4-263FCCB65601}"= UDP:D:\Spill\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)

"{F8E1AC03-3CF4-4C0E-8ECC-490A02B8DF6C}"= TCP:D:\Spill\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)

"{042764B0-2AAB-42C5-8F5E-05D02C9D3354}"= UDP:D:\Spill\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)

"{E065B37F-F75A-4602-BCF7-F6333B86D040}"= TCP:D:\Spill\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)

"{EF890C9E-18D4-43F9-B36A-4B11EFA634AB}"= UDP:C:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas\Binaries\R6Vegas_Game.exe:Rainbow Six Vegas

"{AA524B74-76B9-4C88-B61C-A7779842BB10}"= TCP:C:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas\Binaries\R6Vegas_Game.exe:Rainbow Six Vegas

"{8D3F1C2A-DDB5-47D6-ADA0-3691654DBAC2}"= UDP:C:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas\Binaries\R6Vegas_Launcher.exe:Rainbow Six Vegas Updater

"{06E978F4-340F-4025-922E-78F211BFCE6B}"= TCP:C:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas\Binaries\R6Vegas_Launcher.exe:Rainbow Six Vegas Updater

"{18C04B73-418B-465B-AF7F-33B1740D2F78}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook

"{DF32217B-D472-4D8F-BB90-2A9FA86B13A0}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove

"{E3E7E2CD-59EE-492B-B78E-1903001FA8B3}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove

"{73EFD741-966B-40EA-8080-BC6A0764DA82}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{BC9106B5-F8A1-44A7-8CE3-54D531EB5F3F}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{E2AD9088-AAC0-4899-936A-93069C4FA757}"= C:\Program Files\Cyberlink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD

"{9DCD755F-F233-4785-A9D4-B6C9209E57F9}"= UDP:C:\Program Files\Sienzo\DMM\DMM.exe:DMM

"{44B7D920-8429-4AE7-9B54-547FCC7C2A89}"= TCP:C:\Program Files\Sienzo\DMM\DMM.exe:DMM

"{37E0CED8-F7A9-433B-A6B0-491B499ECFFF}"= UDP:C:\Users\Daniel\Program Files\uTorrent\uTorrent.exe:µTorrent

"{F38CD448-B5E0-4E09-8343-F12E3CA759CA}"= TCP:C:\Users\Daniel\Program Files\uTorrent\uTorrent.exe:µTorrent

"{5C734DC1-EE31-42DB-8FD4-E4092AB869A0}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil

"{427CC88B-A2E8-4708-9877-2EA899D6B295}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil

"{F2729A36-9B21-4CDE-BC60-AAF2F765EFD4}"= UDP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS

"{88866CA4-1FF0-4C62-B740-D38E31AFCE4D}"= TCP:C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS

"{125D739A-8B8D-4D49-94FC-A89F0720D066}"= UDP:C:\Program Files\Leaf Networks\Leaf\bin\Leaf.exe:Leaf

"{A095958D-A503-49C0-9E3B-BF2DBEC9D4CD}"= TCP:C:\Program Files\Leaf Networks\Leaf\bin\Leaf.exe:Leaf

"{DF0F5B76-025F-4B17-BE00-29DB0F4D2B3C}"= UDP:D:\Spill\THE SETTLERS - Rise of an Empire\base\bin\Settlers6.exe:THE SETTLERS - Rise of an Empire

"{584D1B40-812C-49BF-A1F9-A33CE55DC219}"= TCP:D:\Spill\THE SETTLERS - Rise of an Empire\base\bin\Settlers6.exe:THE SETTLERS - Rise of an Empire

"{5D25814B-0948-449F-8871-CF617C3D9572}"= UDP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client

"{86E2C3B7-A06E-4B42-8A3D-11213E5E0C36}"= TCP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client

"{EF1ED000-DB61-4BA0-846F-6F9DBE382E4A}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA

"{28B2D202-5EA6-43CF-BCC5-5286D421AB9E}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA

"{DBF40C5F-7FE9-45A4-8E6B-4F36DFE8D28D}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB

"{70CEA0B9-EEE4-4C72-96AE-531CD7CBFD1A}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB

"{BD99C07F-1421-473C-A19B-043CE7AE85E6}"= UDP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty® 4 - Modern Warfare

"{8EDB1CF2-EDBF-4A85-917F-95DDE5970E17}"= TCP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty® 4 - Modern Warfare

"{4A035EA9-F75F-4EB4-BF00-26692B848784}"= UDP:C:\Program Files\AeriaGames\ProjectTorque\ProjectTorque.bin:Project Torque

"{1A88F8FE-E7BF-442B-8F3C-FBA0C6CC9766}"= TCP:C:\Program Files\AeriaGames\ProjectTorque\ProjectTorque.bin:Project Torque

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]

"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]

"EnableFirewall"= 0 (0x0)

 

R0 hotcore3;hotcore3;C:\Windows\system32\drivers\hotcore3.sys [2007-03-07 13:27]

R0 pe3ah4nb;DiRT Environment Driver (pe3ah4nb);C:\Windows\system32\drivers\pe3ah4nb.sys [2007-06-11 13:11]

R0 pe3ah4nc;DiRT Environment Driver (pe3ah4nc);C:\Windows\system32\drivers\pe3ah4nc.sys [2007-05-18 21:53]

R0 ps6ah4nb;DiRT Synchronization Driver (ps6ah4nb);C:\Windows\system32\drivers\ps6ah4nb.sys [2007-06-11 13:10]

R0 ps6ah4nc;DiRT Synchronization Driver (ps6ah4nc);C:\Windows\system32\drivers\ps6ah4nc.sys [2007-05-18 21:52]

R1 avfwot;avfwot;C:\Windows\system32\DRIVERS\avfwot.sys [2007-10-10 20:23]

R1 ElRawDisk;ElRawDisk;C:\Windows\system32\drivers\elrawdsk.sys [2007-09-20 14:12]

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080407.003\IDSvix86.sys [2008-02-13 18:18]

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\Windows\system32\DRIVERS\atl01v32.sys [2007-09-02 00:04]

R3 avfwim;AvFw Packet Filter Miniport;C:\Windows\system32\DRIVERS\avfwim.sys [2007-08-30 13:12]

R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2008-03-07 14:39]

R3 usbprint;Microsoft USB PRINTER Class;C:\Windows\system32\DRIVERS\usbprint.sys [2006-11-02 11:14]

S2 pr2ah4nb;DiRT Drivers Auto Removal (pr2ah4nb);C:\Windows\system32\pr2ah4nb.exe svc []

S2 pr2ah4nc;DiRT Drivers Auto Removal (pr2ah4nc);C:\Windows\system32\pr2ah4nc.exe svc []

S3 leafnets;Leaf Networks Adapter;C:\Windows\system32\DRIVERS\leafnets.sys [2007-05-03 01:48]

S3 Start BT in service;Start BT in service;C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-04-21 15:54]

S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-04-06 15:35]

 

*Newly Created Service* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

"2007-12-03 19:26:17 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Daniel.job"

- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:

.

**************************************************************************

 

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-13 12:52:47

Windows 6.0.6000 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Windows\System32\audiodg.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Windows\System32\conime.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\Windows\System32\PnkBstrA.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\Windows\System32\WUDFHost.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\wbem\unsecapp.exe

C:\Windows\System32\dllhost.exe

.

**************************************************************************

.

Completion time: 2008-04-13 12:57:04 - machine was rebooted

ComboFix-quarantined-files.txt 2008-04-13 10:56:55

ComboFix2.txt 2008-04-12 21:17:44

Pre-Run: 41,458,495,488 byte ledig

Post-Run: 41,166,589,952 byte ledig

.

2008-04-11 16:04:03 --- E O F ---

 

 

Here is the SAS log:

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 04/13/2008 at 01:49 PM

 

Application Version : 4.0.1154

 

Core Rules Database Version : 3437

Trace Rules Database Version: 1429

 

Scan type : Complete Scan

Total Scan Time : 00:29:39

 

Memory items scanned : 824

Memory threats detected : 0

Registry items scanned : 8365

Registry threats detected : 0

File items scanned : 26252

File threats detected : 22

 

Adware.Tracking Cookie

C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Cookies\daniel@doubleclick[1].txt

C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Cookies\daniel@atdmt[2].txt

C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Cookies\daniel@tradedoubler[1].txt

C:\Users\Daniel\AppData\Roaming\Microsoft\Windows\Cookies\daniel@imrworldwide[1].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@doubleclick[1].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@atdmt[2].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@overture[1].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@revenue[2].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@casinolasvegas[1].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@casalemedia[2].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@questionmarket[2].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@findwhat[1].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@partypoker[2].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@tradedoubler[2].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@imrworldwide[1].txt

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@enhance[2].txt

 

 

Here is the HijackThis log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:56:44, on 13.04.2008

Platform: Windows Vista (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16643)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\GetSmile\getsmile.exe

C:\Windows\ehome\ehtray.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Xfire\xfire.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\System32\mobsync.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: PimpFish Toolbar Opcode Handler - {29C88E20-4234-41B9-A9DB-982958C95FB1} - C:\Program Files\PimpFish\PimpFish.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: FloatBar Class - {75B1A646-CDCE-4C06-B52F-84F4463B4FC8} - C:\Program Files\PimpFish\FloatBar.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O3 - Toolbar: PimpFish - {D593DE91-7B41-45C2-830E-E9A99AB142AA} - C:\Program Files\PimpFish\PimpFish.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD

O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [AgataSoft ShutDown Pro] C:\Program Files\AgataSoft\AgataSoft ShutDown Pro\AgataSoft_ShutDown_Pro.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [GetSmile] C:\Program Files\GetSmile\GetSmile.exe

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETTVERKSTJENESTE')

O4 - Startup: Password Keeper.lnk = C:\Program Files\Software by Design\PassKeep.exe

O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: PimpFish Grab movies on this page - res://C:\Program Files\PimpFish\PimpFish.dll/GRABPAGEMOVIES.HTM

O8 - Extra context menu item: PimpFish Grab pictures on this page - res://C:\Program Files\PimpFish\PimpFish.dll/GRABPAGEPICS.HTM

O8 - Extra context menu item: PimpFish Grab pictures this page links to - res://C:\Program Files\PimpFish\PimpFish.dll/GRABPAGELINKS.HTM

O8 - Extra context menu item: PimpFish Grab Target File - res://C:\Program Files\PimpFish\PimpFish.dll/GRABLINK.HTM

O8 - Extra context menu item: PimpFish Grab This Picture - res://C:\Program Files\PimpFish\PimpFish.dll/GRABPIC.HTM

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O13 - Gopher Prefix:

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab

O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.euchannels.net/KooPlayer.ocx

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.tvkoo.com/update/UKooPlayer.ocx

O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{938F512F-60B8-4B7D-B366-7CDFF9E3D677}: NameServer = 62.97.193.3,62.97.193.53

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

O23 - Service: DiRT Drivers Auto Removal (pr2ah4nb) (pr2ah4nb) - CODEMASTERS - C:\Windows\system32\pr2ah4nb.exe

O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\Windows\system32\pr2ah4nc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

 

--

End of file - 12329 bytes

 

 

 

Now services.exe isn't using any notable amount of CPU. It stays well below 1%. Is everything as it should be now, then? Or is there more I should do?
