Hijackthis


Ship19

Hey, I just need some help; I have no idea what I'm looking for.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:50 PM, on 5/21/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Tyler\AppData\Local\Temp\awtqqpQg.dll,#1
O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Tyler\lsass.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Tyler\AppData\Local\Temp\cbXRLbCv.dll,c
O4 - HKCU\..\Run: [0e79a10b] rundll32.exe "C:\Users\Tyler\AppData\Local\Temp\ddxovanq.dll",b
O4 - HKCU\..\Run: [BM0d4a9297] Rundll32.exe "C:\Users\Tyler\AppData\Local\Temp\wmholgag.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-673586276-4164519185-3278794416-1000\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O13 - Gopher Prefix:
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8130 bytes
 
I can most definitely point this at a Vundo infection. We have a WHOLE lot of work to do on this PC. Let's get started with my first instruction.

---------------------------

Download ComboFix from Here or Here to your Desktop.
Read first: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
  • Be sure to re-enable your anti-virus and other security programs after ComboFix has finished.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read Combofix's Disclaimer
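The Vundo call above rests on a handful of O4 entries in the first log: rundll32 loading DLLs out of the user's Temp folder, and an "lsass.exe" sitting in the user profile instead of System32. As an added example (not code from this thread or from HijackThis), here is a small Python triage script that parses O4 lines and flags those patterns; the heuristics, the SYSTEM_NAMES list and the SAMPLE_LOG excerpt are assumptions made for the example.

```python
"""Triage HijackThis O4 (autorun) entries for Vundo-style persistence.

Added example, not HijackThis code. The heuristics are assumptions chosen
for this thread's log: rundll32 loading a DLL from a user's Temp folder, a
binary named like a Windows system process running outside System32, and
autorun value names that look machine-generated.
"""
import re

# O4 line: "O4 - HKCU\..\Run: [Name] command", optionally ending "(User '...')".
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\Run: "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
# Program part of a command: a quoted path, or a bare path ending in .exe.
PROG_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<b>[^"]+?\.exe))\s*(?P<args>.*)$', re.I)
# First DLL path in a rundll32 argument string, quoted or bare.
DLL_RE = re.compile(r'"?([^",]+?\.dll)', re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
SYSTEM_DIR_RE = re.compile(r"^[A-Za-z]:\\Windows\\(?:system32|syswow64)\\", re.I)
# Windows processes that should only run from the system directory (assumed list).
SYSTEM_NAMES = {"lsass.exe", "csrss.exe", "smss.exe", "services.exe",
                "winlogon.exe", "svchost.exe"}
# Value names such as "0e79a10b" or "BM0d4a9297": up to two letters, then 8 hex digits.
NOISE_NAME_RE = re.compile(r"[A-Za-z]{0,2}[0-9a-f]{8}")


def parse_o4(line):
    """Return {'hive', 'name', 'cmd'} for an O4 Run entry, or None for other lines."""
    m = O4_RE.match(line)
    return m.groupdict() if m else None


def split_command(cmd):
    """Split a Run command into (program path, argument string)."""
    m = PROG_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return (m.group("q") or m.group("b")), m.group("args")


def assess(entry):
    """Return the list of reasons an O4 entry looks suspicious (empty if none)."""
    reasons = []
    prog, args = split_command(entry["cmd"])
    prog_name = prog.rsplit("\\", 1)[-1].lower()
    if prog_name == "rundll32.exe":
        dll = DLL_RE.search(args)
        if dll and TEMP_DIR_RE.search(dll.group(1)):
            reasons.append("rundll32 loads a DLL from a user Temp directory")
    elif prog_name in SYSTEM_NAMES and not SYSTEM_DIR_RE.match(prog):
        reasons.append(f"{prog_name} runs from outside the Windows system directory")
    if NOISE_NAME_RE.fullmatch(entry["name"]):
        reasons.append("autorun value name looks machine-generated")
    return reasons


def suspicious_entries(log_text):
    """Scan a HijackThis log and return [(value name, [reasons]), ...] for flagged O4 lines."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is not None:
            reasons = assess(entry)
            if reasons:
                findings.append((entry["name"], reasons))
    return findings


# Constructed sample: O4 lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Tyler\AppData\Local\Temp\awtqqpQg.dll,#1
O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Tyler\lsass.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Tyler\AppData\Local\Temp\cbXRLbCv.dll,c
O4 - HKCU\..\Run: [0e79a10b] rundll32.exe "C:\Users\Tyler\AppData\Local\Temp\ddxovanq.dll",b
O4 - HKCU\..\Run: [BM0d4a9297] Rundll32.exe "C:\Users\Tyler\AppData\Local\Temp\wmholgag.dll",s
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

if __name__ == "__main__":
    for name, reasons in suspicious_entries(SAMPLE_LOG):
        print(f"[{name}]: " + "; ".join(reasons))
```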
 
Hey guys, thanks for the help. carnageX, I tried that link and it will not let me open it. And techpro5238, I restored my PC 4 days back and I have no problems now. Do you want me to repost a HijackThis log? Or do you think I'm OK? Thanks for your time.
 
Don't restore your computer back; it doesn't delete files, and it may restore some infection that your AV deleted.

Follow my instructions and run CF.

Kind Regards,
Techpro5238
 
ComboFix 08-05-21.3 - Tyler 2008-05-22 17:42:56.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1099 [GMT -5:00]
Running from: C:\Users\Tyler\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-21 13:44 . 2008-05-21 13:44 <DIR> d-------- C:\Deckard
2008-05-21 13:31 . 2008-05-21 13:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-20 15:11 . 2008-05-20 15:11 <DIR> d-------- C:\temp\dmpxp32
2008-04-29 20:29 . 2008-04-29 20:29 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-28 20:25 . 2008-04-28 20:25 54,156 --ah----- C:\Windows\QTFont.qfn
2008-04-28 20:25 . 2008-04-28 20:25 1,409 --a------ C:\Windows\QTFont.for
2008-04-28 20:24 . 2008-04-28 20:24 <DIR> d-------- C:\Program Files\iTunes
2008-04-28 20:24 . 2008-04-28 20:24 <DIR> d-------- C:\Program Files\iPod
2008-04-28 20:23 . 2008-04-28 20:23 <DIR> d-------- C:\Program Files\QuickTime
2008-04-22 17:29 . 2008-04-22 17:29 41,296 --a------ C:\Windows\System32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 22:03 --------- d--h--w C:\Program Files\Xp.dll
2008-05-21 20:37 --------- d-----w C:\Program Files\Common Files\Steam
2008-05-21 20:35 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-21 20:35 --------- d-----w C:\Program Files\Steam
2008-05-21 20:35 --------- d-----w C:\Program Files\Microsoft.NET
2008-05-21 20:35 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2008-05-21 20:35 --------- d-----w C:\Program Files\Microsoft SDKs
2008-05-21 02:36 --------- d-----w C:\Users\Tyler\AppData\Roaming\LimeWire
2008-05-15 02:01 --------- d-----w C:\Program Files\Windows Mail
2008-05-09 03:07 --------- d-----w C:\Users\Tyler\AppData\Roaming\Xfire
2008-05-09 00:39 --------- d-----w C:\ProgramData\Roxio
2008-05-03 22:21 --------- d-----w C:\ProgramData\Xfire
2008-05-02 20:20 --------- d-----w C:\Users\Tyler\AppData\Roaming\Netscape
2008-04-29 01:22 --------- d-----w C:\Program Files\Xfire
2008-04-29 01:18 --------- d-----w C:\Program Files\Apple Software Update
2008-04-25 01:10 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-04-25 01:10 107,832 ----a-w C:\Windows\System32\PnkBstrB.exe
2008-04-24 00:24 --------- d-----w C:\Program Files\LimeWire
2008-04-04 21:18 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-01 20:53 --------- d-----w C:\Program Files\Java
2008-03-25 01:08 --------- d-----w C:\Users\Tyler\AppData\Roaming\Apple Computer
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-12-15 18:43 22,328 ----a-w C:\Users\Tyler\AppData\Roaming\PnkBstrK.sys
2007-08-29 22:18 174 --sha-w C:\Program Files\desktop.ini
2007-10-18 16:57 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-10-18 16:57 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-10-18 16:57 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 07:35 125440]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" [2006-11-22 17:56 303104 C:\Windows\sttray.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 13:39 151552]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 12:37 81920]
"CCUTRAYICON"="C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-18 08:01 182744]
"NMSSupport"="C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 11:56 423424]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2006-11-17 16:19 17920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 12:35 221184]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-11 18:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-11 18:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-11 18:06 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-04-04 16:18:22 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{B9E139EF-18C8-4BBF-8BD2-BB7BA513B654}C:\\program files\\steam\\steamapps\\rook1e187\\counter-strike source\\hl2.exe"= UDP:C:\program files\steam\steamapps\rook1e187\counter-strike source\hl2.exe:hl2
"UDP Query User{CEAF316A-8AE9-47F9-882C-C4B57950C075}C:\\program files\\steam\\steamapps\\rook1e187\\counter-strike source\\hl2.exe"= TCP:C:\program files\steam\steamapps\rook1e187\counter-strike source\hl2.exe:hl2
"TCP Query User{DFBE3C95-529D-42EF-86C6-554F5EC39B97}C:\\stubinstaller.exe"= UDP:C:\stubinstaller.exe:LimeWire swarmed installer
"UDP Query User{C0B9A083-54FA-4B26-B6FA-BE748EB13DB5}C:\\stubinstaller.exe"= TCP:C:\stubinstaller.exe:LimeWire swarmed installer
"{3E740467-702F-4387-BE5E-3CE2A3DA7F2E}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{418A232D-7399-4E3F-A85D-27D8D255D341}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{5CD46747-6DB8-4151-B03C-46444049C005}C:\\program files\\steam\\steamapps\\rook1e187\\day of defeat source\\hl2.exe"= UDP:C:\program files\steam\steamapps\rook1e187\day of defeat source\hl2.exe:hl2
"UDP Query User{C72CF9DC-417C-48A4-9075-6AFD0180EE9E}C:\\program files\\steam\\steamapps\\rook1e187\\day of defeat source\\hl2.exe"= TCP:C:\program files\steam\steamapps\rook1e187\day of defeat source\hl2.exe:hl2
"TCP Query User{32358895-52E9-4F75-8E2C-E10DA7234C9B}F:\\limewire\\limewire.exe"= UDP:F:\limewire\limewire.exe:LimeWire
"UDP Query User{49D29B54-A337-4737-9B06-287C4A1705D0}F:\\limewire\\limewire.exe"= TCP:F:\limewire\limewire.exe:LimeWire
"TCP Query User{EE692F81-38A2-4C04-B4C1-F219075D8505}F:\\limewire\\limewire.exe"= UDP:F:\limewire\limewire.exe:LimeWire
"UDP Query User{CD81DA4F-FE0F-4224-81D6-550EE5C96B3D}F:\\limewire\\limewire.exe"= TCP:F:\limewire\limewire.exe:LimeWire
"TCP Query User{0B5E59A2-D33E-48A0-8864-115A34CA72AC}C:\\program files\\limewire\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire\limewire.exe:LimeWire
"UDP Query User{0F58D1A9-6363-406D-9E91-3E44C532FCC6}C:\\program files\\limewire\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire\limewire.exe:LimeWire
"TCP Query User{53F8C1EF-AD60-4CE2-B19E-6087BE86C115}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{2F9B4EE4-38D0-41EC-B1C1-F08910DF09BF}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{5F034622-E032-4EA0-BD90-610A6DCA08AA}C:\\program files\\steam\\steamapps\\rook1e187\\counter-strike source\\hl2.exe"= UDP:C:\program files\steam\steamapps\rook1e187\counter-strike source\hl2.exe:hl2
"UDP Query User{97BA7B17-AD8C-4113-B076-DE32532A34D8}C:\\program files\\steam\\steamapps\\rook1e187\\counter-strike source\\hl2.exe"= TCP:C:\program files\steam\steamapps\rook1e187\counter-strike source\hl2.exe:hl2
"TCP Query User{22E1B6D8-BADD-4D89-9493-CE95922BD638}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{AA974D7F-A9EA-4AC2-83B9-035F7A60D351}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
"TCP Query User{8509752B-818A-4FA7-A0DD-D8934921CAE4}C:\\program files\\sierra\\fear\\fpupdate.exe"= UDP:C:\program files\sierra\fear\fpupdate.exe:fpupdate
"UDP Query User{2423F475-211E-4F47-8F74-563D96260099}C:\\program files\\sierra\\fear\\fpupdate.exe"= TCP:C:\program files\sierra\fear\fpupdate.exe:fpupdate
"{48FA4154-F9DC-435D-AEB7-CEB8E48772FA}"= UDP:C:\Program Files\Sierra\FEAR\FEAR.exe:FEAR
"{D2C98ED6-00EF-41AF-A4E4-D3C21E3DF57F}"= TCP:C:\Program Files\Sierra\FEAR\FEAR.exe:FEAR
"{079AAF2B-E21F-4AE9-B2A7-31A456DABA2D}"= UDP:C:\Program Files\Sierra\FEAR\FEARMP.exe:FEAR
"{3E230DF8-3327-4283-98B9-5F8CA7C664F9}"= TCP:C:\Program Files\Sierra\FEAR\FEARMP.exe:FEAR
"{5298E1D1-CF83-441F-AD3E-E9F155EBA619}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{7ADD2367-5AF7-41F8-B9CC-E41FB92B3D7F}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{A3A48124-A60F-4CD3-BC15-E652B6FF4357}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{A54DB489-EC65-446F-BEBF-FBCA2D7A6F60}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{1C62CC12-7362-4184-A058-80D7A1FF1F70}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{D885F771-F227-4F3A-935F-6042DEB8F854}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{68E37EA9-924B-4B81-8BAD-5C17234B6C56}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{4AE4B788-15EA-4ADA-82B8-047C82B9E543}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{DEAB5B83-79EF-4E9C-98A4-602E6711E9F8}C:\\program files\\steam\\steam.exe"= UDP:C:\program files\steam\steam.exe:Steam
"UDP Query User{C80AB3F4-6EE7-4F0E-B361-F7109B0CA599}C:\\program files\\steam\\steam.exe"= TCP:C:\program files\steam\steam.exe:Steam
"{984C377B-9F1C-4263-9BDA-E2C280238953}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{86BFD9EA-587E-4A25-BC09-107156DFC959}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{1E974F1B-8C4D-458F-B22E-A8E1B5C1B41E}C:\\program files\\quake iii arena\\quake3.exe"= UDP:C:\program files\quake iii arena\quake3.exe:quake3
"UDP Query User{85A6FEFC-9B3B-43CE-A9F2-C8FBB57AAB85}C:\\program files\\quake iii arena\\quake3.exe"= TCP:C:\program files\quake iii arena\quake3.exe:quake3
"{C7202D9F-220C-4E33-B25D-8448166B52E6}"= UDP:C:\Windows\System32\PnkBstrA.exe:pnkBstrA
"{6626D656-6D35-451F-BF3C-8731C3768257}"= TCP:C:\Windows\System32\PnkBstrA.exe:pnkBstrA
"{EC277F65-0891-4D46-B12C-78FB65E5223E}"= UDP:C:\Windows\System32\PnkBstrB.exe:pnkBstrB
"{40D7C23D-8D45-4D2A-896B-7B0978BF90F1}"= TCP:C:\Windows\System32\PnkBstrB.exe:pnkBstrB
"TCP Query User{FACA8DB4-D9AD-4CFC-9FC2-78A461A6FF78}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{5B02CE08-5A43-45FE-A6EF-EA3C1BEBC82E}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
"{549B1026-B444-4CE0-92C9-40F651F9A89D}"= UDP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{4CCF127F-043F-4081-A150-329F3549542D}"= TCP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{59939B6C-77F6-4E00-A7DC-42EB3AB2E5DC}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{0CE8094E-6D56-4811-AA37-682745859025}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 DLARTL_M;DLARTL_M;C:\Windows\system32\Drivers\DLARTL_M.SYS [2006-08-11 11:35]
R2 DQLWinService;DQLWinService;"C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe" [2006-10-29 10:03]
R2 nmsgopro;GoProto Protocol Driver for NMS;C:\Windows\system32\DRIVERS\nmsgopro.sys [2006-09-27 17:37]
R2 nmsunidr;UniDriver for NMS;C:\Windows\system32\DRIVERS\nmsunidr.sys [2006-10-19 16:49]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 IntelDH;IntelDH Driver;C:\Windows\system32\Drivers\IntelDH.sys [2007-02-27 03:45]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 02:36]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-03-14 17:37]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-22 20:25:31 C:\Windows\Tasks\User_Feed_Synchronization-{994D8E60-F973-4E28-9A5B-727AAA16D1B1}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 17:44:18
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Users\Tyler\AppData\Roaming\GTek\GTUpdate\AUpdate\NMSSupport\DB\{9E10B8EB-21D5-4D97-9AB3-3993FFD4E6E5}.xml 1521 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-05-22 17:46:29
ComboFix-quarantined-files.txt 2008-05-22 22:45:33

Pre-Run: 132,317,024,256 bytes free
Post-Run: 133,282,594,816 bytes free

173 --- E O F --- 2008-05-21 20:46:34
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:51:17 PM, on 5/22/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-673586276-4164519185-3278794416-1000\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'IUSR_NMPR')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O13 - Gopher Prefix:
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
 
Step1

1. Please open Notepad
  • Click Start, then Run
  • Type "notepad.exe" in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
File::
C:\Program Files\desktop.ini

Folder::
C:\temp
3. Then in the text file go to FILE => SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif


6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply

Step2

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available, otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Logs Required In Next Post
------------------------------

ComboFix Log
Kaspersky Scan Log


Kind Regards,
Techpro5238
 
C:\Bug.txt Object is locked skipped

C:\Program Files\InstallShield Installation Information\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}\setup.ilg Object is locked skipped

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\5c70d0303f0e1c0d426d2b7a7b3ab9e4_59ff9839-e754-4fe7-a116-a50236d0e00e Object is locked skipped

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\dell.txt Object is locked skipped

C:\ProgramData\Microsoft\User Account Pictures\IUSR_NMPR.dat Object is locked skipped

C:\ProgramData\Microsoft\Windows\DRM\Cache\Indiv01.tmp Object is locked skipped

C:\ProgramData\Microsoft\Windows\DRM\drmstore.hds Object is locked skipped

C:\Users\Tyler\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped

C:\Users\Tyler\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat Object is locked skipped

C:\Users\Tyler\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Users\Tyler\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Users\Tyler\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G405NZK2\Codec[1].exe Infected: Trojan.Win32.VB.cxu skipped

C:\Users\Tyler\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat Object is locked skipped

C:\Users\Tyler\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT Object is locked skipped

C:\Users\Tyler\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Users\Tyler\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped

C:\Users\Tyler\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped

C:\Users\Tyler\AppData\Local\Microsoft\Windows\UsrClass.dat{9ffc8f62-c94c-11db-aaeb-0019d13d000d}.TM.blf Object is locked skipped

C:\Users\Tyler\AppData\Local\Microsoft\Windows\UsrClass.dat{9ffc8f62-c94c-11db-aaeb-0019d13d000d}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Users\Tyler\AppData\Local\Microsoft\Windows\UsrClass.dat{9ffc8f62-c94c-11db-aaeb-0019d13d000d}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Users\Tyler\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Users\Tyler\AppData\Local\Microsoft\Windows Defender\FileTracker\{000BD572-8A69-49D9-9369-587199075F7E} Object is locked skipped

C:\Users\Tyler\AppData\Local\Temp\Low\~DFCDBC.tmp Object is locked skipped

C:\Users\Tyler\AppData\Local\Temp\Low\~DFCDC2.tmp Object is locked skipped

C:\Users\Tyler\AppData\Roaming\GTek\GTUpdate\AUpdate\NMSSupport\gdql_in_IntelHCTAgent.log Object is locked skipped

C:\Users\Tyler\AppData\Roaming\GTek\GTUpdate\AUpdate\NMSSupport\glog.log Object is locked skipped

C:\Users\Tyler\AppData\Roaming\GTek\GTUpdate\AUpdate\NMSSupport\IntelHCTAgent.log Object is locked skipped

C:\Users\Tyler\AppData\Roaming\GTek\GTUpdate\AUpdate\NMSSupport\IntelHCTAgent_GTActions.log Object is locked skipped

C:\Users\Tyler\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped

C:\Users\Tyler\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat Object is locked skipped

C:\Users\Tyler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\9180419-541c9f77/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped

C:\Users\Tyler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\9180419-541c9f77/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped

C:\Users\Tyler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\9180419-541c9f77/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped

C:\Users\Tyler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\9180419-541c9f77 ZIP: infected - 3 skipped

C:\Users\Tyler\Desktop\Music\britt nicole christian.wm Infected: Trojan-Downloader.WMA.Wimad.m skipped

C:\Users\Tyler\Desktop\Music\christian new song.wm Infected: Trojan-Downloader.WMA.Wimad.m skipped

C:\Users\Tyler\ntuser.dat Object is locked skipped

C:\Users\Tyler\ntuser.dat.LOG1 Object is locked skipped

C:\Users\Tyler\ntuser.dat.LOG2 Object is locked skipped

C:\Users\Tyler\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf Object is locked skipped

C:\Users\Tyler\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Users\Tyler\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Windows\Debug\PASSWD.LOG Object is locked skipped

C:\Windows\Debug\sam.log Object is locked skipped

C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped

C:\Windows\Logs\CBS\CBS.log Object is locked skipped

C:\Windows\Logs\CBS\CBS.persist.log Object is locked skipped

C:\Windows\Logs\DPX\setupact.log Object is locked skipped

C:\Windows\Logs\DPX\setuperr.log Object is locked skipped

C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config Object is locked skipped

C:\Windows\Panther\UnattendGC\diagerr.xml Object is locked skipped

C:\Windows\Panther\UnattendGC\diagwrn.xml Object is locked skipped

C:\Windows\Panther\UnattendGC\setupact.log Object is locked skipped

C:\Windows\Panther\UnattendGC\setuperr.log Object is locked skipped

C:\Windows\security\database\secedit.sdb Object is locked skipped

C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped

C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped

C:\Windows\System32\catroot2\edb.log Object is locked skipped

C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped

C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped

C:\Windows\System32\config\COMPONENTS Object is locked skipped

C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped

C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped

C:\Windows\System32\config\DEFAULT Object is locked skipped

C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped

C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped

C:\Windows\System32\config\SAM Object is locked skipped

C:\Windows\System32\config\SAM.LOG1 Object is locked skipped

C:\Windows\System32\config\SAM.LOG2 Object is locked skipped

C:\Windows\System32\config\SECURITY Object is locked skipped

C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped

C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped

C:\Windows\System32\config\SOFTWARE Object is locked skipped

C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped

C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped

C:\Windows\System32\config\SYSTEM Object is locked skipped

C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped

C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{39407d00-2773-11dd-9c8e-0019d13d000d}.TxR.0.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{39407d00-2773-11dd-9c8e-0019d13d000d}.TxR.1.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{39407d00-2773-11dd-9c8e-0019d13d000d}.TxR.2.regtrans-ms Object is locked skipped

C:\Windows\System32\config\TxR\{39407d00-2773-11dd-9c8e-0019d13d000d}.TxR.blf Object is locked skipped

C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped

C:\Windows\System32\LogFiles\SQM\SQMLogger_2008-5-22-22-14-30_0.etl Object is locked skipped

C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\Windows\System32\restore\MachineGuid.txt Object is locked skipped

C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped

C:\Windows\System32\sysprep\Panther\diagerr.xml Object is locked skipped

C:\Windows\System32\sysprep\Panther\diagwrn.xml Object is locked skipped

C:\Windows\System32\sysprep\Panther\setupact.log Object is locked skipped

C:\Windows\System32\sysprep\Panther\setuperr.log Object is locked skipped

C:\Windows\System32\wbem\AutoRecover\1EBE968EB7AF815A32641E6185350A9E.mof Object is locked skipped

C:\Windows\System32\wbem\AutoRecover\3460B7617E0429A960E481B197F238A3.mof Object is locked skipped

C:\Windows\System32\wbem\AutoRecover\75054C3771DF289038069A9BB1C1FB6E.mof Object is locked skipped

C:\Windows\System32\wbem\AutoRecover\7BDE76979585395D59B5DA1D62E63C50.mof Object is locked skipped

C:\Windows\System32\wbem\AutoRecover\DFB9AD54AC2D3B8122567AAD3BF3EB7F.mof Object is locked skipped

C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped

C:\Windows\System32\wbem\repository\INDEX.BTR Object is locked skipped

C:\Windows\System32\wbem\repository\MAPPING1.MAP Object is locked skipped

C:\Windows\System32\wbem\repository\MAPPING2.MAP Object is locked skipped

C:\Windows\System32\wbem\repository\OBJECTS.DATA Object is locked skipped

C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\IntelDH.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Client%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Server%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-DateTimeControlPanel%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-MSDT%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-PLA%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnostic%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticResolver%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Forwarding%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WDI%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-MeetingSpace%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-MemoryDiagnostics-Results%4Debug.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ParentalControls%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteAssistance%4Admin.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteAssistance%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winsock-WS2HELP%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wired-AutoConfig%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\Setup.evtx Object is locked skipped

C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped

C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped

C:\Windows\WindowsUpdate.log Object is locked skipped

C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd Object is locked skipped

D:\Windows\security\database\secedit.sdb Object is locked skipped

Scan process completed.
 
ComboFix 08-05-21.3 - Tyler 2008-05-22 19:24:50.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1129 [GMT -5:00]
Running from: C:\Users\Tyler\Desktop\ComboFix.exe
Command switches used :: C:\Users\Tyler\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\desktop.ini
C:\temp
C:\temp\dmpxp32\sakldsr.log
C:\temp\Patch Log.txt

.
((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-21 13:44 . 2008-05-21 13:44 <DIR> d-------- C:\Deckard
2008-05-21 13:31 . 2008-05-21 13:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-29 20:29 . 2008-04-29 20:29 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-28 20:25 . 2008-04-28 20:25 54,156 --ah----- C:\Windows\QTFont.qfn
2008-04-28 20:25 . 2008-04-28 20:25 1,409 --a------ C:\Windows\QTFont.for
2008-04-28 20:24 . 2008-04-28 20:24 <DIR> d-------- C:\Program Files\iTunes
2008-04-28 20:24 . 2008-04-28 20:24 <DIR> d-------- C:\Program Files\iPod
2008-04-28 20:23 . 2008-04-28 20:23 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 22:03 --------- d--h--w C:\Program Files\Xp.dll
2008-05-21 20:37 --------- d-----w C:\Program Files\Common Files\Steam
2008-05-21 20:35 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-21 20:35 --------- d-----w C:\Program Files\Steam
2008-05-21 20:35 --------- d-----w C:\Program Files\Microsoft.NET
2008-05-21 20:35 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2008-05-21 20:35 --------- d-----w C:\Program Files\Microsoft SDKs
2008-05-21 02:36 --------- d-----w C:\Users\Tyler\AppData\Roaming\LimeWire
2008-05-15 02:01 --------- d-----w C:\Program Files\Windows Mail
2008-05-09 03:07 --------- d-----w C:\Users\Tyler\AppData\Roaming\Xfire
2008-05-09 00:39 --------- d-----w C:\ProgramData\Roxio
2008-05-03 22:21 --------- d-----w C:\ProgramData\Xfire
2008-05-02 20:20 --------- d-----w C:\Users\Tyler\AppData\Roaming\Netscape
2008-04-29 01:22 --------- d-----w C:\Program Files\Xfire
2008-04-29 01:18 --------- d-----w C:\Program Files\Apple Software Update
2008-04-25 01:10 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-04-25 01:10 107,832 ----a-w C:\Windows\System32\PnkBstrB.exe
2008-04-24 00:24 --------- d-----w C:\Program Files\LimeWire
2008-04-22 22:29 41,296 ----a-w C:\Windows\System32\xfcodec.dll
2008-04-04 21:18 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-01 20:53 --------- d-----w C:\Program Files\Java
2008-03-25 01:08 --------- d-----w C:\Users\Tyler\AppData\Roaming\Apple Computer
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-12-15 18:43 22,328 ----a-w C:\Users\Tyler\AppData\Roaming\PnkBstrK.sys
2007-10-18 16:57 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-10-18 16:57 32,768 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-10-18 16:57 16,384 --sha-w C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot@2008-05-22_17.45.17.44 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-22 22:37:27 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-23 00:17:24 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-22 22:37:27 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-23 00:17:24 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-22 22:37:27 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-23 00:17:24 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 07:35 125440]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" [2006-11-22 17:56 303104 C:\Windows\sttray.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 13:39 151552]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 12:37 81920]
"CCUTRAYICON"="C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-18 08:01 182744]
"NMSSupport"="C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 11:56 423424]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2006-11-17 16:19 17920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 12:35 221184]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-11 18:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-11 18:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-11 18:06 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-04-04 16:18:22 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{B9E139EF-18C8-4BBF-8BD2-BB7BA513B654}C:\\program files\\steam\\steamapps\\rook1e187\\counter-strike source\\hl2.exe"= UDP:C:\program files\steam\steamapps\rook1e187\counter-strike source\hl2.exe:hl2
"UDP Query User{CEAF316A-8AE9-47F9-882C-C4B57950C075}C:\\program files\\steam\\steamapps\\rook1e187\\counter-strike source\\hl2.exe"= TCP:C:\program files\steam\steamapps\rook1e187\counter-strike source\hl2.exe:hl2
"TCP Query User{DFBE3C95-529D-42EF-86C6-554F5EC39B97}C:\\stubinstaller.exe"= UDP:C:\stubinstaller.exe:LimeWire swarmed installer
"UDP Query User{C0B9A083-54FA-4B26-B6FA-BE748EB13DB5}C:\\stubinstaller.exe"= TCP:C:\stubinstaller.exe:LimeWire swarmed installer
"{3E740467-702F-4387-BE5E-3CE2A3DA7F2E}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{418A232D-7399-4E3F-A85D-27D8D255D341}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{5CD46747-6DB8-4151-B03C-46444049C005}C:\\program files\\steam\\steamapps\\rook1e187\\day of defeat source\\hl2.exe"= UDP:C:\program files\steam\steamapps\rook1e187\day of defeat source\hl2.exe:hl2
"UDP Query User{C72CF9DC-417C-48A4-9075-6AFD0180EE9E}C:\\program files\\steam\\steamapps\\rook1e187\\day of defeat source\\hl2.exe"= TCP:C:\program files\steam\steamapps\rook1e187\day of defeat source\hl2.exe:hl2
"TCP Query User{32358895-52E9-4F75-8E2C-E10DA7234C9B}F:\\limewire\\limewire.exe"= UDP:F:\limewire\limewire.exe:LimeWire
"UDP Query User{49D29B54-A337-4737-9B06-287C4A1705D0}F:\\limewire\\limewire.exe"= TCP:F:\limewire\limewire.exe:LimeWire
"TCP Query User{EE692F81-38A2-4C04-B4C1-F219075D8505}F:\\limewire\\limewire.exe"= UDP:F:\limewire\limewire.exe:LimeWire
"UDP Query User{CD81DA4F-FE0F-4224-81D6-550EE5C96B3D}F:\\limewire\\limewire.exe"= TCP:F:\limewire\limewire.exe:LimeWire
"TCP Query User{0B5E59A2-D33E-48A0-8864-115A34CA72AC}C:\\program files\\limewire\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire\limewire.exe:LimeWire
"UDP Query User{0F58D1A9-6363-406D-9E91-3E44C532FCC6}C:\\program files\\limewire\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire\limewire.exe:LimeWire
"TCP Query User{53F8C1EF-AD60-4CE2-B19E-6087BE86C115}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{2F9B4EE4-38D0-41EC-B1C1-F08910DF09BF}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{5F034622-E032-4EA0-BD90-610A6DCA08AA}C:\\program files\\steam\\steamapps\\rook1e187\\counter-strike source\\hl2.exe"= UDP:C:\program files\steam\steamapps\rook1e187\counter-strike source\hl2.exe:hl2
"UDP Query User{97BA7B17-AD8C-4113-B076-DE32532A34D8}C:\\program files\\steam\\steamapps\\rook1e187\\counter-strike source\\hl2.exe"= TCP:C:\program files\steam\steamapps\rook1e187\counter-strike source\hl2.exe:hl2
"TCP Query User{22E1B6D8-BADD-4D89-9493-CE95922BD638}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{AA974D7F-A9EA-4AC2-83B9-035F7A60D351}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
"TCP Query User{8509752B-818A-4FA7-A0DD-D8934921CAE4}C:\\program files\\sierra\\fear\\fpupdate.exe"= UDP:C:\program files\sierra\fear\fpupdate.exe:fpupdate
"UDP Query User{2423F475-211E-4F47-8F74-563D96260099}C:\\program files\\sierra\\fear\\fpupdate.exe"= TCP:C:\program files\sierra\fear\fpupdate.exe:fpupdate
"{48FA4154-F9DC-435D-AEB7-CEB8E48772FA}"= UDP:C:\Program Files\Sierra\FEAR\FEAR.exe:FEAR
"{D2C98ED6-00EF-41AF-A4E4-D3C21E3DF57F}"= TCP:C:\Program Files\Sierra\FEAR\FEAR.exe:FEAR
"{079AAF2B-E21F-4AE9-B2A7-31A456DABA2D}"= UDP:C:\Program Files\Sierra\FEAR\FEARMP.exe:FEAR
"{3E230DF8-3327-4283-98B9-5F8CA7C664F9}"= TCP:C:\Program Files\Sierra\FEAR\FEARMP.exe:FEAR
"{5298E1D1-CF83-441F-AD3E-E9F155EBA619}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{7ADD2367-5AF7-41F8-B9CC-E41FB92B3D7F}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{A3A48124-A60F-4CD3-BC15-E652B6FF4357}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{A54DB489-EC65-446F-BEBF-FBCA2D7A6F60}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{1C62CC12-7362-4184-A058-80D7A1FF1F70}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{D885F771-F227-4F3A-935F-6042DEB8F854}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{68E37EA9-924B-4B81-8BAD-5C17234B6C56}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{4AE4B788-15EA-4ADA-82B8-047C82B9E543}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{DEAB5B83-79EF-4E9C-98A4-602E6711E9F8}C:\\program files\\steam\\steam.exe"= UDP:C:\program files\steam\steam.exe:Steam
"UDP Query User{C80AB3F4-6EE7-4F0E-B361-F7109B0CA599}C:\\program files\\steam\\steam.exe"= TCP:C:\program files\steam\steam.exe:Steam
"{984C377B-9F1C-4263-9BDA-E2C280238953}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{86BFD9EA-587E-4A25-BC09-107156DFC959}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{1E974F1B-8C4D-458F-B22E-A8E1B5C1B41E}C:\\program files\\quake iii arena\\quake3.exe"= UDP:C:\program files\quake iii arena\quake3.exe:quake3
"UDP Query User{85A6FEFC-9B3B-43CE-A9F2-C8FBB57AAB85}C:\\program files\\quake iii arena\\quake3.exe"= TCP:C:\program files\quake iii arena\quake3.exe:quake3
"{C7202D9F-220C-4E33-B25D-8448166B52E6}"= UDP:C:\Windows\System32\PnkBstrA.exe:pnkBstrA
"{6626D656-6D35-451F-BF3C-8731C3768257}"= TCP:C:\Windows\System32\PnkBstrA.exe:pnkBstrA
"{EC277F65-0891-4D46-B12C-78FB65E5223E}"= UDP:C:\Windows\System32\PnkBstrB.exe:pnkBstrB
"{40D7C23D-8D45-4D2A-896B-7B0978BF90F1}"= TCP:C:\Windows\System32\PnkBstrB.exe:pnkBstrB
"TCP Query User{FACA8DB4-D9AD-4CFC-9FC2-78A461A6FF78}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{5B02CE08-5A43-45FE-A6EF-EA3C1BEBC82E}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
"{549B1026-B444-4CE0-92C9-40F651F9A89D}"= UDP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{4CCF127F-043F-4081-A150-329F3549542D}"= TCP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{59939B6C-77F6-4E00-A7DC-42EB3AB2E5DC}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{0CE8094E-6D56-4811-AA37-682745859025}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 DLARTL_M;DLARTL_M;C:\Windows\system32\Drivers\DLARTL_M.SYS [2006-08-11 11:35]
R2 DQLWinService;DQLWinService;"C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe" [2006-10-29 10:03]
R2 nmsgopro;GoProto Protocol Driver for NMS;C:\Windows\system32\DRIVERS\nmsgopro.sys [2006-09-27 17:37]
R2 nmsunidr;UniDriver for NMS;C:\Windows\system32\DRIVERS\nmsunidr.sys [2006-10-19 16:49]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 IntelDH;IntelDH Driver;C:\Windows\system32\Drivers\IntelDH.sys [2007-02-27 03:45]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 02:36]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-03-14 17:37]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-22 20:25:31 C:\Windows\Tasks\User_Feed_Synchronization-{994D8E60-F973-4E28-9A5B-727AAA16D1B1}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 19:25:53
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-22 19:26:59
ComboFix-quarantined-files.txt 2008-05-23 00:26:50
ComboFix2.txt 2008-05-22 22:46:29

Pre-Run: 132,401,623,040 bytes free
Post-Run: 132,376,350,720 bytes free

190 --- E O F --- 2008-05-21 20:46:34
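The Kaspersky WebScanner report posted above is long and mostly "Object is locked skipped" noise, with the actual detections scattered through it. The script below is an added example for triaging such a report, not something from this thread or from Kaspersky's tooling. It assumes only the line shape visible in the report (a path, then "Object is locked", "Infected: <name>" or "ZIP: infected - N", then "skipped"); the sample lines, user name and paths it contains are constructed for the demonstration. It separates real detections from locked-file noise, groups them by detection name, and flags where each infected file lives (browser cache, Java deployment cache, or elsewhere), which is the question a helper asks first: was this dropped by a drive-by page or is it something the user placed on disk.

```python
"""Triage a Kaspersky WebScanner-style report (added example, not the thread's own code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines mirroring the report format seen in this thread.
# The user name, cache folder names and file names are made up for the example.
SAMPLE_LOG = r"""
C:\Windows\System32\config\SAM Object is locked skipped

C:\Users\Alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ABCD1234\Codec[1].exe Infected: Trojan.Win32.VB.cxu skipped

C:\Users\Alice\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\1234567-89abcdef/Loader.class Infected: Trojan.Java.ClassLoader.as skipped

C:\Users\Alice\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\1234567-89abcdef ZIP: infected - 1 skipped

C:\Users\Alice\Desktop\Music\song.wm Infected: Trojan-Downloader.WMA.Wimad.m skipped

Scan process completed.
"""

# One report line: <path> <status> skipped. The path is matched non-greedily so
# embedded spaces (e.g. "Temporary Internet Files") do not confuse the split.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<detection>\S+)"
    r"|ZIP: infected - (?P<count>\d+)) skipped$"
)


@dataclass
class Finding:
    path: str
    detection: str  # detection name as printed by the scanner
    origin: str     # coarse location class, see classify_origin()


def classify_origin(path: str) -> str:
    """Classify where an infected file sits; cache locations point at web delivery."""
    p = path.lower()
    if "temporary internet files" in p:
        return "browser-cache"
    if "\\sun\\java\\deployment\\cache" in p:
        return "java-cache"
    if "\\temp\\" in p:
        return "temp"
    return "other"


def parse_report(text: str):
    """Return (findings, locked_paths). Archive summary lines are dropped because
    the scanner already lists each infected archive member on its own line."""
    findings, locked = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, "Scan process completed.", etc.
        if m.group("locked"):
            locked.append(m.group("path"))
        elif m.group("detection"):
            path = m.group("path")
            findings.append(Finding(path, m.group("detection"), classify_origin(path)))
    return findings, locked


def summarize(findings):
    """Counts by detection name and by origin class, as plain dicts."""
    return {
        "by_detection": dict(Counter(f.detection for f in findings)),
        "by_origin": dict(Counter(f.origin for f in findings)),
    }


if __name__ == "__main__":
    found, locked_paths = parse_report(SAMPLE_LOG)
    print(f"{len(locked_paths)} locked objects ignored, {len(found)} detections:")
    for f in found:
        print(f"  [{f.origin:13}] {f.detection:32} {f.path}")
    print(summarize(found))
```

Locked objects are registry hives, event logs and index.dat files that the scanner could not open while Windows holds them; they are not findings and are dropped from the summary so the helper can concentrate on the infected entries.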
 