Hi EF
I downloaded from the link, and ran the program from the desktop.
I noticed the program got to at least stage 50.
I disabled Avast before I started the program.
The message I'm getting is:
SED: can't read temp0D: no such file or directory
The log seems to be this time:
ComboFix 08-12-12.02 - daniel 2008-12-13 23:37:55.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.892.390 [GMT 0:00]
Running from: c:\users\daniel\Downloads\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
S:\resycled
.
((((((((((((((((((((((((( Files Created from 2008-11-13 to 2008-12-13 )))))))))))))))))))))))))))))))
.
2008-12-12 11:49 . 2008-10-22 01:22 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-12 11:14 . 2008-11-01 01:21 4,240,384 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2008-12-12 11:14 . 2008-10-29 06:29 2,927,104 --a------ c:\windows\explorer.exe
2008-12-12 11:14 . 2008-10-21 05:25 296,960 --a------ c:\windows\System32\gdi32.dll
2008-12-12 11:14 . 2008-10-22 03:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-12-12 11:14 . 2008-11-01 03:44 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2008-12-11 23:38 . 2008-12-11 23:38 <DIR> d--h----- C:\Chris
2008-12-11 23:02 . 2008-10-16 21:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-12-11 23:02 . 2008-10-16 20:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-12-11 23:02 . 2008-10-16 21:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-12-11 23:02 . 2008-10-16 20:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-12-11 23:02 . 2008-10-16 21:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-12-11 23:02 . 2008-10-16 21:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-12-11 23:02 . 2008-10-16 21:08 34,328 --a------ c:\windows\System32\wups.dll
2008-12-11 23:01 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-12-11 23:01 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-12-11 22:48 . 2008-12-11 22:48 410,984 --a------ c:\windows\System32\deploytk.dll
2008-12-11 13:48 . 2008-12-11 13:48 <DIR> d-------- c:\programdata\SUPERAntiSpyware.com
2008-12-11 13:47 . 2008-12-11 13:48 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-11 13:44 . 2008-12-11 13:44 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-11 13:39 . 2008-12-11 13:39 <DIR> d-------- c:\programdata\Malwarebytes
2008-12-11 13:39 . 2008-12-11 13:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-11 13:39 . 2008-12-03 19:52 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-11 13:39 . 2008-12-03 19:52 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-11 13:34 . 2008-12-11 13:34 <DIR> d-------- c:\program files\Panda Security
2008-12-11 13:34 . 2008-06-19 17:24 28,544 --a------ c:\windows\System32\drivers\pavboot.sys
2008-12-11 13:01 . 2008-12-11 23:57 <DIR> d-------- c:\program files\Beer Tycoon
2008-12-10 19:51 . 2008-12-10 20:52 <DIR> d-a------ c:\programdata\TEMP
2008-12-10 19:50 . 2008-12-10 19:50 <DIR> d-------- c:\windows\DQ Tycoon
2008-12-10 15:33 . 2008-12-10 15:33 <DIR> d-------- c:\program files\CCleaner
2008-12-09 23:02 . 2008-12-09 23:02 <DIR> d-------- c:\program files\Alwil Software
2008-12-09 23:02 . 2008-11-26 17:17 51,792 --a------ c:\windows\System32\drivers\aswMonFlt.sys
2008-12-08 17:01 . 2008-12-10 11:58 <DIR> d-------- c:\users\daniel\AppData\Roaming\Lionhead Studios
2008-12-08 16:49 . 2008-12-08 16:49 <DIR> d--hs---- c:\windows\ftpcache
2008-12-07 22:32 . 2006-12-14 18:47 782,336 -ra------ c:\windows\System32\tmpF956.tmp
2008-12-07 19:03 . 2008-12-07 19:06 <DIR> d-------- c:\program files\Industry Giant 2
2008-11-27 16:38 . 2008-11-27 16:38 <DIR> d-------- c:\program files\Bohemia Interactive
2008-11-26 23:08 . 2008-11-26 23:08 <DIR> d-------- c:\program files\OpenAL
2008-11-26 23:08 . 2008-12-07 23:38 409,600 --a------ c:\windows\System32\wrap_oal.dll
2008-11-26 23:08 . 2008-12-07 23:38 114,688 --a------ c:\windows\System32\OpenAL32.dll
2008-11-25 22:03 . 2008-12-13 10:51 <DIR> d-------- C:\.silabclient_store_32
2008-11-25 12:42 . 2008-11-25 12:42 <DIR> d-------- c:\program files\Trend Micro
2008-11-24 15:21 . 2008-11-29 11:16 <DIR> d-------- c:\program files\Health And Fitness Club Tycoon
2008-11-24 08:32 . 2008-11-24 08:32 <DIR> d-------- c:\program files\Cat Daddy Games
2008-11-24 08:11 . 2008-11-24 08:11 <DIR> d-------- c:\users\daniel\AppData\Roaming\MysteryStudio
2008-11-24 08:05 . 2008-11-24 08:05 <DIR> d-------- c:\program files\Coffee Tycoon
2008-11-24 07:32 . 2008-11-29 11:27 <DIR> d-------- c:\program files\Plant Tycoon
2008-11-24 06:49 . 2008-11-24 06:49 <DIR> d-------- c:\users\daniel\AppData\Roaming\ValuSoft
2008-11-24 06:49 . 2007-10-12 15:14 3,734,536 --a------ c:\windows\System32\d3dx9_36.dll
2008-11-24 06:49 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\System32\d3dx9_35.dll
2008-11-24 06:49 . 2007-10-12 15:14 1,374,232 --a------ c:\windows\System32\D3DCompiler_36.dll
2008-11-24 06:49 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\System32\D3DCompiler_35.dll
2008-11-24 06:49 . 2007-05-16 16:45 1,124,720 --a------ c:\windows\System32\D3DCompiler_34.dll
2008-11-24 06:49 . 2007-10-02 09:56 444,776 --a------ c:\windows\System32\d3dx10_36.dll
2008-11-24 06:49 . 2007-07-19 18:14 444,776 --a------ c:\windows\System32\d3dx10_35.dll
2008-11-24 06:49 . 2007-05-16 16:45 443,752 --a------ c:\windows\System32\d3dx10_34.dll
2008-11-24 06:49 . 2007-10-22 03:39 267,272 --a------ c:\windows\System32\xactengine2_10.dll
2008-11-24 06:49 . 2007-07-20 00:57 267,112 --a------ c:\windows\System32\xactengine2_9.dll
2008-11-24 06:49 . 2007-06-20 20:46 266,088 --a------ c:\windows\System32\xactengine2_8.dll
2008-11-24 06:49 . 2007-10-22 03:37 17,928 --a------ c:\windows\System32\X3DAudio1_2.dll
2008-11-24 06:47 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\System32\d3dx9_26.dll
2008-11-24 06:31 . 2008-12-10 11:51 <DIR> d-------- c:\program files\DAEMON Tools Toolbar
2008-11-24 06:31 . 2008-11-24 06:31 <DIR> d-------- c:\program files\DAEMON Tools Lite
2008-11-24 06:22 . 2008-11-24 06:22 717,296 --a------ c:\windows\System32\drivers\sptd.sys
2008-11-24 06:21 . 2008-11-24 06:21 <DIR> d-------- c:\users\daniel\AppData\Roaming\DAEMON Tools
2008-11-23 22:48 . 2008-11-23 22:48 29,192 --a------ c:\windows\System32\drivers\ndisprot.sys
2008-11-22 22:28 . 2008-11-22 22:28 <DIR> d-------- C:\Activision
2008-11-22 19:44 . 2008-12-07 21:24 <DIR> d-------- c:\program files\Lemonade Tycoon 2
2008-11-22 19:43 . 2008-11-22 19:43 <DIR> d-------- c:\program files\ReflexiveArcade
2008-11-22 17:52 . 2008-11-29 11:20 <DIR> d-------- c:\program files\National Lampoon's University Tycoon
2008-11-22 17:47 . 2008-11-22 17:48 <DIR> d-------- c:\program files\Business tycoon
2008-11-20 23:15 . 2008-12-13 16:42 <DIR> d-------- c:\windows\System32\FlashAX2
2008-11-19 17:15 . 2008-11-19 17:15 <DIR> d-------- c:\windows\OvtCam
2008-11-19 17:14 . 2003-10-15 17:52 307,200 --a------ c:\windows\vidcap32.exe
2008-11-19 17:14 . 2003-10-15 17:52 200,704 --a------ c:\windows\sel3110.exe
2008-11-19 17:14 . 2003-10-15 17:52 174,530 --a------ c:\windows\System32\drivers\ov519vid.sys
2008-11-19 17:14 . 2003-10-15 17:52 135,168 --a------ c:\windows\ov519cap.exe
2008-11-19 17:14 . 2003-10-15 17:52 61,440 --a------ c:\windows\ov519dib.dll
2008-11-19 17:14 . 2003-10-15 17:52 40,960 --a------ c:\windows\System32\ov519ext.dll
2008-11-19 17:14 . 2003-10-15 17:52 40,960 --a------ c:\windows\CleanDev.exe
2008-11-19 17:14 . 2003-10-15 17:52 32,528 --a------ c:\windows\amcap.exe
2008-11-19 17:14 . 2003-10-15 17:52 25,211 --a------ c:\windows\System32\drivers\ov519cmd.sys
2008-11-19 17:14 . 2003-10-15 17:52 25,099 --a------ c:\windows\System32\ov519ext.ax
2008-11-19 17:14 . 2003-10-15 17:52 16,426 --a------ c:\windows\System32\ov519usd.dll
2008-11-17 18:47 . 2008-11-17 18:47 30 --a------ c:\users\daniel\jagex_runescape_preferences.dat
2008-11-17 15:33 . 2008-12-10 12:02 <DIR> d-------- c:\program files\RogueX
2008-11-15 23:40 . 2008-09-05 05:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-15 23:40 . 2008-08-27 01:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-15 23:39 . 2008-09-10 03:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 16:44 --------- d-----w c:\program files\Cheat Engine
2008-12-13 16:43 --------- d-----w c:\users\daniel\AppData\Roaming\uTorrent
2008-12-12 13:43 --------- d-----w c:\program files\Windows Mail
2008-12-11 22:47 --------- d-----w c:\program files\Java
2008-12-11 21:29 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-10 19:16 --------- d-----w c:\users\daniel\AppData\Roaming\Hamachi
2008-12-10 15:44 --------- d-----w c:\programdata\McAfee
2008-12-10 13:12 --------- d-----w c:\program files\Toolkit3
2008-12-10 12:00 --------- d-----w c:\program files\RogueX Client
2008-12-01 08:02 --------- d-----w c:\program files\Google
2008-11-30 20:53 --------- d-----w c:\program files\Coupon Printer
2008-11-29 13:28 --------- d-----w c:\program files\MSN Messenger
2008-11-22 20:22 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-17 18:45 --------- d-----w c:\program files\SwiftKit
2008-11-01 16:41 --------- d-----w c:\users\daniel\AppData\Roaming\CyberLink
2008-11-01 16:39 --------- d-----w c:\programdata\CyberLink
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-31 21:42 --------- d-----w c:\program files\Xvid
2008-10-31 17:02 --------- d-----w c:\users\daniel\AppData\Roaming\LimeWire
2008-10-21 05:25 1,645,568 ----a-w c:\windows\System32\connect.dll
2008-10-18 19:24 --------- d-----w c:\program files\Somescape Client 1.5
2008-10-16 04:47 827,392 ----a-w c:\windows\System32\wininet.dll
2008-10-15 15:00 --------- d-----w c:\programdata\WindowsSearch
2008-10-14 18:53 108,144 ----a-w c:\windows\System32\CmdLineExt.dll
2008-10-14 18:48 --------- d-----w c:\program files\Codemasters
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-06-22 22:26 174 --sha-w c:\program files\desktop.ini
.
((((((((((((((((((((((((((((( snapshot@2008-12-12_23.37.36.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-12 15:40:29 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-12-13 10:31:14 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-12-12 15:40:29 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-12-13 10:31:14 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-12-12 15:43:07 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-13 10:33:55 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-13 10:33:55 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-12-12 15:43:02 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-13 10:34:00 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-13 10:34:00 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-12-12 15:40:31 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-12-13 22:43:54 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-12-12 15:40:31 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-13 22:43:54 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-12 15:40:31 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-12-13 22:43:54 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-12-12 13:50:42 105,852 ----a-w c:\windows\System32\perfc009.dat
+ 2008-12-13 10:36:34 105,852 ----a-w c:\windows\System32\perfc009.dat
- 2008-12-12 13:50:42 600,378 ----a-w c:\windows\System32\perfh009.dat
+ 2008-12-13 10:36:34 600,378 ----a-w c:\windows\System32\perfh009.dat
- 2008-12-12 15:42:34 48,970 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-12-13 10:33:17 49,226 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7c5c0f58-e061-457d-9033-77307f5ed00c}"= "c:\program files\TorrentMan\tbTorr.dll" [2008-05-20 1526296]
[HKEY_CLASSES_ROOT\clsid\{7c5c0f58-e061-457d-9033-77307f5ed00c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7c5c0f58-e061-457d-9033-77307f5ed00c}]
2008-05-20 23:43 1526296 --a------ c:\program files\TorrentMan\tbTorr.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7c5c0f58-e061-457d-9033-77307f5ed00c}"= "c:\program files\TorrentMan\tbTorr.dll" [2008-05-20 1526296]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7C5C0F58-E061-457D-9033-77307F5ED00C}"= "c:\program files\TorrentMan\tbTorr.dll" [2008-05-20 1526296]
[HKEY_CLASSES_ROOT\clsid\{7c5c0f58-e061-457d-9033-77307f5ed00c}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"Power2GoExpress"="" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OSD"="c:\program files\C&E\OSD\osd.exe" [2007-08-28 671801]
"SiSTray"="c:\program files\SiS VGA Utilities\SiSTray.exe" [2007-08-24 552960]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 c:\windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-08-03 c:\windows\SkyTel.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateP2GShortCut]
c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{CF18263F-9861-4E95-94A1-ACFA043AD0A7}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{06C77D2E-17D6-43B8-B160-76244AAD1005}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"TCP Query User{FFC4D97B-06E9-410B-97B6-D314E45DB316}c:\\ac web ultimate repack\\server\\apache\\bin\\apache.exe"= UDP:c:\ac web ultimate repack\server\apache\bin\apache.exe:Apache HTTP Server
"UDP Query User{1F2FE738-DAFF-48C8-916A-93203964CBCE}c:\\ac web ultimate repack\\server\\apache\\bin\\apache.exe"= TCP:c:\ac web ultimate repack\server\apache\bin\apache.exe:Apache HTTP Server
"TCP Query User{AABC2A79-0263-4255-BFE7-42FB2FC023DF}c:\\ac web ultimate repack\\server\\mysql\\bin\\mysqld.exe"= UDP:c:\ac web ultimate repack\server\mysql\bin\mysqld.exe:mysqld
"UDP Query User{B5AF91F8-6C35-4B39-BAD9-AFF70A16847D}c:\\ac web ultimate repack\\server\\mysql\\bin\\mysqld.exe"= TCP:c:\ac web ultimate repack\server\mysql\bin\mysqld.exe:mysqld
"TCP Query User{DF344C96-6932-4038-AF6A-68B272852CCF}c:\\program files\\bitlord\\bitlord.exe"= UDP:c:\program files\bitlord\bitlord.exe:BitLord
"UDP Query User{8CCD7132-252E-4901-BBC2-4E86C1795824}c:\\program files\\bitlord\\bitlord.exe"= TCP:c:\program files\bitlord\bitlord.exe:BitLord
"TCP Query User{5046DF91-9A6B-493D-B77E-AAE293F4A2DF}c:\\program files\\java\\jre1.6.0_07\\bin\\javaw.exe"= UDP:c:\program files\java\jre1.6.0_07\bin\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{C8014FDB-91DE-4D24-8181-C6A3CF105A0E}c:\\program files\\java\\jre1.6.0_07\\bin\\javaw.exe"= TCP:c:\program files\java\jre1.6.0_07\bin\javaw.exe:Java(TM) Platform SE binary
"TCP Query User{A2BB6735-7230-413A-ABE9-93B6FCDC5E26}c:\\program files\\java\\jre1.6.0_07\\bin\\javaw.exe"= UDP:c:\program files\java\jre1.6.0_07\bin\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{632B0AA9-0A82-4CDE-82A3-5402DFEEAEF9}c:\\program files\\java\\jre1.6.0_07\\bin\\javaw.exe"= TCP:c:\program files\java\jre1.6.0_07\bin\javaw.exe:Java(TM) Platform SE binary
"TCP Query User{A08DBBC1-E338-4F34-8FF5-27357BCA6FED}c:\\program files\\java\\jdk1.6.0_02\\bin\\java.exe"= UDP:c:\program files\java\jdk1.6.0_02\bin\java.exe:Java(TM) Platform SE binary
"UDP Query User{2C1F5594-0DF5-4422-8C46-E59CE870F718}c:\\program files\\java\\jdk1.6.0_02\\bin\\java.exe"= TCP:c:\program files\java\jdk1.6.0_02\bin\java.exe:Java(TM) Platform SE binary
"TCP Query User{C9E57137-5A93-4FF6-8625-BA873FF13D58}c:\\program files\\java\\jre1.6.0_02\\bin\\java.exe"= UDP:c:\program files\java\jre1.6.0_02\bin\java.exe:Java(TM) Platform SE binary
"UDP Query User{DF68878D-9A99-4742-8F84-1DFD668029C0}c:\\program files\\java\\jre1.6.0_02\\bin\\java.exe"= TCP:c:\program files\java\jre1.6.0_02\bin\java.exe:Java(TM) Platform SE binary
"TCP Query User{0CAF3F77-7B78-492D-A8D1-C230851708E5}c:\\program files\\networkactiv autapf 1.0\\networkactivautapfv1.0.exe"= UDP:c:\program files\networkactiv autapf 1.0\networkactivautapfv1.0.exe:NetworkActiv AUTAPF Application and Installer
"UDP Query User{C78931B8-8555-4795-9DE6-9B963B9E9F61}c:\\program files\\networkactiv autapf 1.0\\networkactivautapfv1.0.exe"= TCP:c:\program files\networkactiv autapf 1.0\networkactivautapfv1.0.exe:NetworkActiv AUTAPF Application and Installer
"{FF98B357-DE42-4009-9555-B09FEF5A48A3}"= UDP:c:\program files\Hamachi\hamachi.exe:Hamachi
"{119B7F2B-6A51-4E98-B127-A49D89224A2A}"= TCP:c:\program files\Hamachi\hamachi.exe:Hamachi
"{1D2F4635-230E-44CD-918A-B24F3FDA6A0D}"= UDP:43594:5.30.149.93
"{0F347106-9016-4F1C-B1D5-DAA9184EF605}"= TCP:43594:5.30.149.93
"{24CD8175-5BBC-4FC7-9A97-F7AFA94BE09D}"= UDP:c:\program files\No-IP\DUC20.exe:No-IP DUC
"{D6FFD02B-7156-4566-B42D-53443C118A67}"= TCP:c:\program files\No-IP\DUC20.exe:No-IP DUC
"TCP Query User{E4769302-2953-42DF-994E-995DE40E5DB9}c:\\windows\\system32\\java.exe"= UDP:c:\windows\system32\java.exe:Java(TM) Platform SE binary
"UDP Query User{743DDD53-2F9F-4A62-88CC-02DEF489AE70}c:\\windows\\system32\\java.exe"= TCP:c:\windows\system32\java.exe:Java(TM) Platform SE binary
"TCP Query User{5770063A-5638-40D9-8FAE-DE3A897F8054}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{AB6AD8B6-AC03-4A11-A7F5-D6EAED808217}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{498AF322-5714-47B1-80B2-31A2D9F7EDBA}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{EDF2619D-D121-4D2E-8D83-D040F8B00320}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{22750FAA-9BE2-4A94-87E2-ED0FB6AE0B1D}c:\\program files\\america's army\\system\\armyops.exe"= UDP:c:\program files\america's army\system\armyops.exe:ArmyOps
"UDP Query User{1A692F84-C492-44C5-877A-0FAB2F857784}c:\\program files\\america's army\\system\\armyops.exe"= TCP:c:\program files\america's army\system\armyops.exe:ArmyOps
"TCP Query User{A383301D-9DA0-4719-B34E-467E9A2ABC19}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{1F387AFF-29ED-40EB-8405-51C1C4EF33E2}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"TCP Query User{6B802B99-5D45-438A-9BCE-650B1897AC30}c:\\windows\\system32\\java.exe"= UDP:c:\windows\system32\java.exe:Java(TM) Platform SE binary
"UDP Query User{CE337B60-D440-48BE-A685-2E13A8B9640D}c:\\windows\\system32\\java.exe"= TCP:c:\windows\system32\java.exe:Java(TM) Platform SE binary
"TCP Query User{91999FF1-1F82-47B3-85AE-6DBD9C831FC5}c:\\users\\daniel\\downloads\\desktop\\spf_exe[1]\\spf.exe"= UDP:c:\users\daniel\downloads\desktop\spf_exe[1]\spf.exe:Smart Port Forwarding
"UDP Query User{81A910C0-40C7-48C3-A96F-FE1E2C4DCBED}c:\\users\\daniel\\downloads\\desktop\\spf_exe[1]\\spf.exe"= TCP:c:\users\daniel\downloads\desktop\spf_exe[1]\spf.exe:Smart Port Forwarding
"TCP Query User{0AE016B4-83D1-4BAF-98C3-01C801B2662E}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{14321CD7-A8AA-4B4C-977E-B3DABFF193E5}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{D1652B26-DF62-485F-B981-AD6CB01572A0}c:\\program files\\america's army\\system\\armyops.exe"= UDP:c:\program files\america's army\system\armyops.exe:ArmyOps
"UDP Query User{AD01C73F-BBE0-4FE6-BA19-ECBA1BC0390D}c:\\program files\\america's army\\system\\armyops.exe"= TCP:c:\program files\america's army\system\armyops.exe:ArmyOps
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-11 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-09 111184]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-09 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2008-12-09 51792]
R2 TeamViewer;TeamViewer 3;"c:\program files\TeamViewer3\TeamViewer_Service.exe" -service [2008-08-06 181544]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2008-04-28 283136]
R3 SiS6350;SiS6350;c:\windows\system32\DRIVERS\SISGRKMD.sys [2007-09-03 452096]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSGB6.sys [2007-09-03 46592]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-11-23 29192]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce837d0f-151e-11dd-ac08-00030d76151c}]
\shell\AutoRun\command - D:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8c7e782-b9f0-11dd-aa50-00030d76151c}]
\shell\AutoRun\command - D:\autorun.exe
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-12-13 23:42:10
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-13 23:48:17
ComboFix-quarantined-files.txt 2008-12-13 23:48:10
Pre-Run: 615,923,712 bytes free
Post-Run: 590,254,080 bytes free
278 --- E O F --- 2008-12-12 11:56:11