[NeueZiel]

I am not sure what I had downloaded but my computer has been running very slow. During any kind of gameplay or loading of drives it just runs extremely slow. I have also noticed that while using the Alt + Tab function to scroll through running programs that there is an unlabeled icon there, but I cannot bring it up or find out what it is.

Here is the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:05:07 PM, on 4/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Windows\System32\ssms.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Mike\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ssms] C:\Windows\System32\ssms.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD4D8DD8-394B-4BEB-8B6B-34315BA1CB68}: NameServer = 64.233.214.34,64.233.214.41
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6674 bytes

[Advertisements]

Hello and welcome to Geeks To Go! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure then please do not guess , simply post back with your question, and we will go through it again.

The fixes may take several attempts and my replies may take some time but stick with it, and we will be sure to get you sorted.

I am looking over you log now, and I will post your first set of instructions shortly.

[BHowett]

Hello and welcome to Geeks To Go! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure then please do not guess , simply post back with your question, and we will go through it again.

The fixes may take several attempts and my replies may take some time but stick with it, and we will be sure to get you sorted.

I am looking over you log now, and I will post your first set of instructions shortly.

[BHowett]

Hi NeueZiel,

Not looking to bad… lets see what we can do.

Your copy of HijackThis needs to be in a folder of it's own. When HJT fixes anything, it makes backups of the original files in the folder it is in. For this reason it cannot be run from a Zip file, Temporary folders, desktop etc… because the backups will most likely be deleted. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

• Please go to Start > My Computer > C:\
• right-click and select New > Folder then name the folder 'HJT'.
• Copy and paste HijackThis.exe to the new folder.

===============================================

It looks like your running AVG8 as your antivirus, however I see some parts of Norton antivirus running. It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Norton is pretty hard to uninstall so I will give you a removal tool to help out.

Download and run the Norton Removal Tool

Please visit Symantec support by clicking HERE

Choose the Norton product you had installed.

Then follow the steps listed on the page that opens.

===============================================



SDFix
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

===============================================

Needed in your reply:

SDFix results

New HijackThis log

And let me know how things are running.

[NeueZiel]

Great, Thank you for looking into this for me.

I can provide you with some more information though now.

I have done all the previous steps that should be done before posting a log but they all took rediculously long or caused my computer to crash. I have a good machine so simple processes like installing these scanners should freeze up my computer.

While forcing to restart the computer wanted to scndsk. So I allowed it and it seemed to bring up alot of problems with $I30 on my C drive. Also during boot up, once I log into my account it will load several thigns quickly, like my D-Link Router program and AVG. But then it will Pause for 1-2 minutes. During this pause Windows Firewall will tell me that its disabled but then soon tell me that everything is up and running. After this finishes I will then get the connection icon to appear.

When the icon finally appears the system will lag up and then give me .NET errors. I have copied down the debug errors and I will post them.


This is the first error I encountered:

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.IO.IOException: Unable to read data from the transport connection: An established connection was aborted by the software in your host machine. ---> System.Net.Sockets.SocketException: An established connection was aborted by the software in your host machine
at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
--- End of inner exception stack trace ---
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.IO.StreamReader.ReadBuffer()
at System.IO.StreamReader.ReadLine()
at project.Form1.Form1_Load(Object sender, EventArgs e)
at System.EventHandler.Invoke(Object sender, EventArgs e)
at System.Windows.Forms.Form.OnLoad(EventArgs e)
at System.Windows.Forms.Form.OnCreateControl()
at System.Windows.Forms.Control.CreateControl(Boolean fIgnoreVisible)
at System.Windows.Forms.Control.CreateControl()
at System.Windows.Forms.Control.WmShowWindow(Message& m)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ScrollableControl.WndProc(Message& m)
at System.Windows.Forms.ContainerControl.WndProc(Message& m)
at System.Windows.Forms.Form.WmShowWindow(Message& m)
at System.Windows.Forms.Form.WndProc(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


************** Loaded Assemblies **************
mscorlib
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.1433 (REDBITS.050727-1400)
CodeBase: file:///c:/WINDOWS/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll
----------------------------------------
project
Assembly Version: 1.0.0.0
Win32 Version: 1.0.0.0
CodeBase: file:///C:/Windows/System32/ssms.exe
----------------------------------------
Microsoft.VisualBasic
Assembly Version: 8.0.0.0
Win32 Version: 8.0.50727.1433 (REDBITS.050727-1400)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/Microsoft.VisualBasic/8.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualBasic.dll
----------------------------------------
System
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.1433 (REDBITS.050727-1400)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Windows.Forms
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.1433 (REDBITS.050727-1400)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System.Drawing
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.1433 (REDBITS.050727-1400)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Runtime.Remoting
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.1433 (REDBITS.050727-1400)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Runtime.Remoting/2.0.0.0__b77a5c561934e089/System.Runtime.Remoting.dll
----------------------------------------
System.Configuration
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.1433 (REDBITS.050727-1400)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Configuration/2.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
----------------------------------------
System.Xml
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.1433 (REDBITS.050727-1400)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------

************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

For example:

<configuration>
<system.windows.forms jitDebugging="true" />
</configuration>

When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.




Because of these issues I am very suspicious about the "O17 - HKLM\System\CCS\Services\Tcpip\..\{FD4D8DD8-394B-4BEB-8B6B-34315BA1CB68}: NameServer = 64.233.214.34,64.233.214.41" Line in the Hijack this log.

Before I had posted here I had used the program and deleted this entry before. The slowness went away and all my programs ran seemlessly fast. But I could not get any internet. I could connect to my network, but when I looked into my ipconfig I did not have any DNS numbers. They were all blank. So I ran the back up that I created before I made this change and here I am now.



Also sometimes when I alt + tab I will see an extra unnamed icon. The icon looks like several boxes and rectangles. there is a yellow, blue and red one and then serveral white boxes. They are unnamed and do not appear in my task manager at all.

Edited by NeueZiel, 29 April 2008 - 04:02 PM.

[BHowett]

Hi NeueZiel,

prior to your post, I posted some instructions; please follow them first and then I will address some of your other concerns.


Thanks.

[NeueZiel]

Already on it.



Thanks

[NeueZiel]

Alright,

I did as I was instructed by you and here are the results.


From the first 5 minutes of computer usage after the scans were completed I would say that my system is running smoother. I will get back to you in a while with an update of how its working.




SDFix: Version 1.177
Run by Mike on Tue 04/29/2008 at 06:36 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFIX\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\ssms.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 18:41:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\Steam\\steamapps\\aoa_kampfer\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\aoa_kampfer\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\aoa_kampfer\\team fortress 2\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\aoa_kampfer\\team fortress 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\Stardock\\TotalGaming\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"="C:\\Program Files\\Stardock\\TotalGaming\\Sins of a Solar Empire\\Sins of a Solar Empire.exe:*:Enabled:Sins of a Solar Empire"
"C:\\Program Files\\Steam\\steamapps\\aoa_kampfer\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\aoa_kampfer\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\WINDOWS\\system32\\ElectricSheep.scr"="C:\\WINDOWS\\system32\\ElectricSheep.scr:*:Enabled:ElectricSheep"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFIX\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 21 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 10 Sep 2007 1,197,576 ...H. --- "C:\Documents and Settings\Mike\Application Data\netmarble\NMWizard24.exe"

Finished!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:46:24 PM, on 4/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Mike\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ssms] C:\Windows\System32\ssms.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD4D8DD8-394B-4BEB-8B6B-34315BA1CB68}: NameServer = 64.233.214.34,64.233.214.41
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6089 bytes

Edited by NeueZiel, 29 April 2008 - 04:51 PM.

[BHowett]

Hi NeueZiel,

Although SDFix found what I was looking for I’m stilling seeing it in you log so, we will try a different approach. Also I am still seeing signs of Norton, were you unable to uninstall it?

Because of these issues I am very suspicious about the "O17 - HKLM\System\CCS\Services\Tcpip\..\{FD4D8DD8-394B-4BEB-8B6B-34315BA1CB68}: NameServer = 64.233.214.34,64.233.214.41" Line in the Hijack this log.

Before I had posted here I had used the program and deleted this entry before. The slowness went away and all my programs ran seemlessly fast. But I could not get any internet. I could connect to my network, but when I looked into my ipconfig I did not have any DNS numbers. They were all blank. So I ran the back up that I created before I made this change and here I am now.

That entry would appear to be legit, when I did a WHOIS on it, it came back to the following:

IP address:					 64.233.214.41
Reverse DNS:					clv11-dns2.clv.wideopenwest.com.
Reverse DNS authenticity:	   [Verified]
ASN:							29780
ASN Name:					   WOW-INTERNET-CLV
IP range connectivity:		  4
Registrar (per ASN):			ARIN
Country (per IP registrar):	 US [United States]
Country Currency:			   USD [United States Dollars]
Country IP Range:			   64.232.0.0 to 64.233.255.255
Country fraud profile:		  Normal
City (per outside source):	  North Royalton, Ohio
Country (per outside source):   US [United States]
Private (internal) IP?		  No
IP address registrar:		   whois.arin.net
Known Proxy?					No
Link for WHOIS:				 64.233.214.41

You can check with your provider and verify if you would like.


Ok… moving on, please do the following:


ComboFix

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Please, never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
===============================================

Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review. And let me know how things are running.

[NeueZiel]

Sorry for the delay in getting back to you. Had to be away from my computer for a few days. I will post the info when I have time to go through this.

I don't wanna leave you in the dark, so just letting you know that I have not quit this.

[NeueZiel]

Here is the log. I will comment on my systems performance once I try it out

ComboFix 08-05-01.3 - Mike 2008-05-03 19:01:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.574 [GMT -4:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-03 to 2008-05-03 )))))))))))))))))))))))))))))))
.


2008-04-29 18:33 . 2008-04-29 18:34 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-29 18:32 . 2008-04-29 18:32 <DIR> d-------- C:\SDFIX
2008-04-29 17:52 . 2008-04-29 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-29 17:51 . 2008-04-29 18:52 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-29 17:51 . 2008-04-29 17:51 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\SUPERAntiSpyware.com
2008-04-29 17:32 . 2008-04-29 17:32 <DIR> d--hs---- C:\found.002
2008-04-29 16:06 . 2008-04-29 16:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-29 16:06 . 2008-04-29 16:06 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-04-29 16:06 . 2008-04-29 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-29 16:05 . 2008-04-29 16:05 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-29 13:03 . 2008-04-29 13:03 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-29 12:58 . 2008-04-29 12:58 <DIR> d--hs---- C:\found.001
2008-04-28 23:38 . 2008-04-30 14:16 <DIR> d--h----- C:\$AVG8.VAULT$
2008-04-28 23:34 . 2008-05-03 12:17 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-04-28 23:34 . 2008-04-28 23:34 <DIR> d-------- C:\Program Files\AVG
2008-04-28 23:34 . 2008-05-03 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-28 23:34 . 2008-04-28 23:34 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-04-28 23:34 . 2008-04-28 23:34 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-04-26 03:00 . 2008-04-29 13:05 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-04-25 04:23 . 2008-04-27 22:04 <DIR> d---s---- C:\Documents and Settings\Administrator.GETTER_ONE
2008-04-25 04:23 . 2008-05-03 19:01 1,024 --ah----- C:\Documents and Settings\Administrator.GETTER_ONE\ntuser.dat.LOG
2008-04-25 04:04 . 2008-04-25 04:04 <DIR> d-------- C:\!KillBox
2008-04-04 19:33 . 2008-04-04 19:35 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-04-04 19:33 . 2008-04-04 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-03 07:01 --------- d-----w C:\Program Files\mIRC
2008-05-03 07:01 --------- d-----w C:\Documents and Settings\Mike\Application Data\Azureus
2008-04-29 21:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-28 22:12 --------- d-----w C:\Program Files\Java
2008-04-25 02:27 --------- d-----w C:\Program Files\Trillian
2008-04-20 22:26 --------- d-----w C:\Documents and Settings\Mike\Application Data\Ahead
2008-04-20 21:05 --------- d-----w C:\Program Files\World of Warcraft
2008-04-13 20:44 --------- d-----w C:\Program Files\Apophysis 2.0
2008-04-01 17:13 --------- d-----w C:\Documents and Settings\Mike\Application Data\Xfire
2008-03-28 23:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-28 23:11 --------- d-----w C:\Program Files\Nero
2008-03-28 05:52 --------- d-----w C:\Program Files\AV Vcs 5.5 DIAMOND
2008-03-27 07:54 --------- d-----w C:\Program Files\Winamp
2008-03-27 07:25 48,456 ----a-w C:\WINDOWS\system32\UninstallElectricSheep.exe
2008-03-27 00:14 --------- d-s---w C:\Program Files\Xfire
2008-03-25 10:31 --------- d-----w C:\Program Files\Steam
2008-03-20 18:00 --------- d-----w C:\Program Files\Lavasoft
2008-03-20 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-20 00:11 --------- d-----w C:\Program Files\CCleaner
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 09:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ironclad Games
2008-03-17 09:21 --------- d-----w C:\Program Files\Stardock
2008-03-17 08:16 --------- d-----w C:\Program Files\Common Files\Stardock
2008-03-13 23:05 41,296 ----a-w C:\WINDOWS\system32\xfcodec.dll
2008-03-10 14:26 --------- d-----w C:\Program Files\Azureus
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-15 20:04 141,909,560 ----a-w C:\Documents and Settings\Mike\WoW-2.3.3.7799-to-0.4.0.7897-enUS-patch.exe
2007-10-13 18:57 140,202,521 ----a-w C:\Documents and Settings\Mike\WoW-2.2.3.7359-to-0.3.0.7382-enUS-patch.exe
2007-06-12 12:25 40,836,719 ----a-w C:\Documents and Settings\Mike\WoW-2.1.1.6739-to-0.1.2.6757-enUS-patch.exe
2007-04-23 22:20 221,149,222 ----a-w C:\Documents and Settings\Mike\WoW-2.0.12.6546-to-0.1.0.6577-enUS-patch.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 21:51 131072]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-18 05:34 1228800]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 18:49 49152]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 18:52 184408]
"Launch LGDCore"="C:\Program Files\Logitech\G-series Software\LGDCore.exe" [2005-08-23 09:36 1110079]
"Launch LCDMon"="C:\Program Files\Logitech\G-series Software\LCDMon.exe" [2005-08-23 09:22 188416]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"AtiPTA"="atiptaxx.exe" [2006-02-21 21:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-28 23:34 1177368]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Mike\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiTrayTools]
--a------ 2006-12-06 09:00 516608 C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-06-01 10:21 153136 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
--------- 1999-10-10 13:00 41984 C:\WINDOWS\CTRegRun.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 13:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-21 06:42 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 13:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-01-28 09:48 1266936 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2005-01-01 19:08 100048 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\aoa_kampfer\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Stardock\\TotalGaming\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\Steam\\steamapps\\aoa_kampfer\\counter-strike\\hl.exe"=
"C:\\WINDOWS\\system32\\ElectricSheep.scr"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\SecondLife\\SLVoice.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6000:TCP"= 6000:TCP:Host
"6000:UDP"= 6000:UDP:Host1
"6112:TCP"= 6112:TCP:host2
"6112:UDP"= 6112:UDP:Host4

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys [2004-05-12 02:01]
R1 atitray;atitray;C:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys [2006-11-30 04:05]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-28 23:34]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-28 23:34]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 20:17]
S3 AC2003;AC2003;C:\WINDOWS\system32\Drivers\AC2003.sys [2004-07-11 23:57]
S3 cpuz126;cpuz126;C:\DOCUME~1\Mike\LOCALS~1\Temp\cpuz.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d123d77-c137-11db-b6d5-806d6172696f}]
\Shell\AutoRun\command - F:\Autorun.exe root.ini

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a01cc654-8c3d-11dc-aec9-001195d09dab}]
\Shell\AutoRun\command - G:\Autorun.exe /run
\Shell\Shell00\Command - G:\Autorun.exe /run
\Shell\Shell01\Command - G:\Autorun.exe /action
\Shell\Shell02\Command - G:\Autorun.exe /uninstall

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-03 19:06:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-03 19:07:08
ComboFix-quarantined-files.txt 2008-05-03 23:06:57

Pre-Run: 6,642,282,496 bytes free
Post-Run: 6,951,788,544 bytes free

190 --- E O F --- 2008-05-01 07:11:02

[NeueZiel]

Alright, I ran the Norton Removal Tools.

Also there seems to be some other odd quirks about my system that I would like to ask about. They aren't major issues but maybe you would know a solution off the top of your head.

When ever I try to change my startup options in msconfig it will constantly add and not listen to my commands and refuses to allow me to change things permanently. For example. I will disable windows live messenger and then receive and error message stating I need to be on an account administrator. But this is account is set to have administrative purposes and is the only account on the computer besides the default administrator account that I see when entering into windows in safe mode. But then I can just click the OK button and I will receive the same prompt again but after I close that prompt it will ask me if I want to restart windows now or later, as if it has actually changed the settings. Got any clues on how to solve this? If its out of your range of what you do on these forums, then just ignore it. he he.

Also here is my latest hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:25 PM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Mike\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD4D8DD8-394B-4BEB-8B6B-34315BA1CB68}: NameServer = 64.233.214.34,64.233.214.41
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5580 bytes

Edited by NeueZiel, 03 May 2008 - 05:47 PM.

[NeueZiel]

First impression is that the system is running smoother

[BHowett]

Hi NeueZiel,


Let me address your question first:

When ever I try to change my startup options in msconfig it will constantly add and not listen to my commands and refuses to allow me to change things permanently. For example. I will disable windows live messenger and then receive and error message stating I need to be on an account administrator. But this is account is set to have administrative purposes and is the only account on the computer besides the default administrator account that I see when entering into windows in safe mode. But then I can just click the OK button and I will receive the same prompt again but after I close that prompt it will ask me if I want to restart windows now or later, as if it has actually changed the settings. Got any clues on how to solve this?

Based off of the information given, I would say this is because you have windows live messenger set to start on log in. To fix this please open your windows live messenger, go to personal settings > General, and uncheck Run Windows Live When I Log In. Also if you get that window that’s always popping up; you can stop that too, underneath Run windows live when I log in, uncheck open windows live main windows when windows starts.

Ok moving on….

Combofix Script.txt
1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\imsins.BAK
Folder::
C:\found.002
C:\found.001

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log.

===============================================

Needed in your next reply:

Combofix.txt
A new HijackThis log

Also let me know how your system is running

[NeueZiel]

ComboFix 08-05-01.3 - Mike 2008-05-04 23:05:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.520 [GMT -4:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\imsins.BAK
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\found.001
C:\found.001\dir0000.chk\Accessibility.api
C:\found.001\dir0000.chk\AcroForm.api
C:\found.001\dir0000.chk\AcroForm\adobepdf.xdc
C:\found.001\dir0000.chk\AcroForm\PMP\AdobePDF417.pmp
C:\found.001\dir0000.chk\AcroForm\PMP\DataMatrix.pmp
C:\found.001\dir0000.chk\AcroForm\PMP\QRCode.pmp
C:\found.001\dir0000.chk\AcroSign.prc
C:\found.001\dir0000.chk\Annotations\Stamps\ENU\Dynamic.pdf
C:\found.001\dir0000.chk\Annotations\Stamps\ENU\SignHere.pdf
C:\found.001\dir0000.chk\Annotations\Stamps\ENU\StandardBusiness.pdf
C:\found.001\dir0000.chk\Annotations\Stamps\Words.pdf
C:\found.001\dir0000.chk\Annots.api
C:\found.001\dir0000.chk\Checkers.api
C:\found.001\dir0000.chk\DigSig.api
C:\found.001\dir0000.chk\DVA.api
C:\found.001\dir0000.chk\eBook.api
C:\found.001\dir0000.chk\EScript.api
C:\found.001\dir0000.chk\EWH32.api
C:\found.001\dir0000.chk\HLS.api
C:\found.001\dir0000.chk\IA32.api
C:\found.001\dir0000.chk\ImageViewer.API
C:\found.001\dir0000.chk\ImageViewer\en_US\svgrsrc.dll
C:\found.001\dir0000.chk\ImageViewer\en_US\SVGViewer.dict
C:\found.001\dir0000.chk\ImageViewer\SVGCore.DLL
C:\found.001\dir0000.chk\MakeAccessible.api
C:\found.001\dir0000.chk\Multimedia.api
C:\found.001\dir0000.chk\Multimedia\MPP\Flash.mpp
C:\found.001\dir0000.chk\Multimedia\MPP\MCIMPP.mpp
C:\found.001\dir0000.chk\Multimedia\MPP\QuickTime.mpp
C:\found.001\dir0000.chk\Multimedia\MPP\Real.mpp
C:\found.001\dir0000.chk\Multimedia\MPP\WindowsMedia.mpp
C:\found.001\dir0000.chk\PDDom.api
C:\found.001\dir0000.chk\PPKLite.api
C:\found.001\dir0000.chk\ReadOutLoud.api
C:\found.001\dir0000.chk\reflow.api
C:\found.001\dir0000.chk\SaveAsRTF.api
C:\found.001\dir0000.chk\Search.api
C:\found.001\dir0000.chk\Search5.api
C:\found.001\dir0000.chk\SendMail.api
C:\found.001\dir0000.chk\Spelling.api
C:\found.001\dir0000.chk\Updater.api
C:\found.001\dir0000.chk\weblink.api
C:\found.001\dir0001.chk\VDK10.CMP
C:\found.001\dir0001.chk\VDK10.LIC
C:\found.001\dir0001.chk\VDK10.STD
C:\found.001\dir0001.chk\VDK10.SYX
C:\found.001\dir0001.chk\VDK10.THD
C:\found.002
C:\found.002\dir0000.chk\1033\MSOSVINT.DLL
C:\found.002\dir0000.chk\1033\NSEXTINT.DLL
C:\found.002\dir0000.chk\1033\WebView\CATEGORY.HTT
C:\found.002\dir0000.chk\1033\WebView\CLASSICF.HTT
C:\found.002\dir0000.chk\1033\WebView\Images\APPR.GIF
C:\found.002\dir0000.chk\1033\WebView\Images\COUT.GIF
C:\found.002\dir0000.chk\1033\WebView\Images\PEND.GIF
C:\found.002\dir0000.chk\1033\WebView\MANAGMNT.HTT
C:\found.002\dir0000.chk\1033\WebView\SCHEMA.HTT
C:\found.002\dir0000.chk\1033\WebView\SEARCH.HTT
C:\found.002\dir0000.chk\1033\WebView\SMARTF.HTT
C:\found.002\dir0000.chk\1033\WebView\WORKSPC.HTT
C:\found.002\dir0000.chk\MSONSEXT.DLL
C:\found.002\dir0000.chk\MSOSV.DLL
C:\found.002\dir0000.chk\MSOWS409.DLL
C:\found.002\dir0000.chk\MSVCP60.DLL
C:\found.002\dir0000.chk\PKMAXCTL.DLL
C:\found.002\dir0000.chk\PKMCDO.DLL
C:\found.002\dir0000.chk\PKMCORE.DLL
C:\found.002\dir0000.chk\PKMFORMS.DLL
C:\found.002\dir0000.chk\PKMRES.DLL
C:\found.002\dir0000.chk\PKMSSTLB.DLL
C:\found.002\dir0000.chk\PKMTEMPL.DLL
C:\found.002\dir0000.chk\PKMTRACE.DLL
C:\found.002\dir0000.chk\PKMWS.DLL
C:\found.002\dir0000.chk\PROMDEMO.DLL
C:\found.002\dir0000.chk\PUBPLACE.HTT
C:\found.002\dir0000.chk\SECMGR.DLL
C:\found.002\dir0000.chk\VAIDDMGR.DLL
C:\found.002\dir0000.chk\VAIMEM.DLL
C:\found.002\dir0001.chk\acro20.lng
C:\found.002\dir0001.chk\Vdk10.lng
C:\found.002\dir0001.chk\VDK10.RSD
C:\found.002\dir0001.chk\Vdk10.rst
C:\found.002\dir0001.chk\VDK10.STC
C:\found.002\dir0001.chk\VDK10.STP
C:\found.002\dir0002.chk\ATI_Classic\ATI_Classic.uis
C:\found.002\dir0002.chk\ATI_Classic\ATITrackBarThumbDown.tga
C:\found.002\dir0002.chk\ATI_Classic\ATITrackBarThumbHorz.tga
C:\found.002\dir0002.chk\ATI_Classic\ATITrackBarThumbLeft.tga
C:\found.002\dir0002.chk\ATI_Classic\ATITrackBarThumbRight.tga
C:\found.002\dir0002.chk\ATI_Classic\ATITrackBarThumbUp.tga
C:\found.002\dir0002.chk\ATI_Classic\ATITrackBarThumbVert.tga
C:\found.002\dir0002.chk\ATI_Classic\ATITrackBarTrack.tga
C:\found.002\dir0002.chk\ATI_Classic\CheckboxNew.tga
C:\found.002\dir0002.chk\ATI_Classic\CloseButton.bmp
C:\found.002\dir0002.chk\ATI_Classic\CloseButton_dis.bmp
C:\found.002\dir0002.chk\ATI_Classic\ComboboxDropDownButton.tga
C:\found.002\dir0002.chk\ATI_Classic\dialog_bg.bmp
C:\found.002\dir0002.chk\ATI_Classic\ExtraImages.tga
C:\found.002\dir0002.chk\ATI_Classic\GroupBox.bmp
C:\found.002\dir0002.chk\ATI_Classic\GroupBoxHeader.bmp
C:\found.002\dir0002.chk\ATI_Classic\HelpButton.bmp
C:\found.002\dir0002.chk\ATI_Classic\ListViewHeader.bmp
C:\found.002\dir0002.chk\ATI_Classic\MaxButton.bmp
C:\found.002\dir0002.chk\ATI_Classic\mdibar.bmp
C:\found.002\dir0002.chk\ATI_Classic\MDIButtons.bmp
C:\found.002\dir0002.chk\ATI_Classic\MDIButtons.tga
C:\found.002\dir0002.chk\ATI_Classic\MenuBackground.bmp
C:\found.002\dir0002.chk\ATI_Classic\MenuItem.tga
C:\found.002\dir0002.chk\ATI_Classic\MinButton.bmp
C:\found.002\dir0002.chk\ATI_Classic\ProgressBar.bmp
C:\found.002\dir0002.chk\ATI_Classic\pulldownitemextra.tga
C:\found.002\dir0002.chk\ATI_Classic\PushButton.tga
C:\found.002\dir0002.chk\ATI_Classic\RadioButtonNew.tga
C:\found.002\dir0002.chk\ATI_Classic\Rebar.bmp
C:\found.002\dir0002.chk\ATI_Classic\RebarGripper.bmp
C:\found.002\dir0002.chk\ATI_Classic\RestoreButton.bmp
C:\found.002\dir0002.chk\ATI_Classic\ScrollBarButtons.bmp
C:\found.002\dir0002.chk\ATI_Classic\ScrollbarShaftHorz.bmp
C:\found.002\dir0002.chk\ATI_Classic\ScrollbarShaftVert.bmp
C:\found.002\dir0002.chk\ATI_Classic\ScrollbarThumbBtnHorz.bmp
C:\found.002\dir0002.chk\ATI_Classic\ScrollbarThumbBtnVert.bmp
C:\found.002\dir0002.chk\ATI_Classic\Spin.tga
C:\found.002\dir0002.chk\ATI_Classic\SpinUpDownHorizontalGlyph.tga
C:\found.002\dir0002.chk\ATI_Classic\SpinUpDownVerticalGlyph.tga
C:\found.002\dir0002.chk\ATI_Classic\StatusBar.bmp
C:\found.002\dir0002.chk\ATI_Classic\SunkEdge.bmp
C:\found.002\dir0002.chk\ATI_Classic\TabItem.tga
C:\found.002\dir0002.chk\ATI_Classic\TabPane.bmp
C:\found.002\dir0002.chk\ATI_Classic\TabsPage.bmp
C:\found.002\dir0002.chk\ATI_Classic\TexbackLeft.bmp
C:\found.002\dir0002.chk\ATI_Classic\TexbackLeft2.bmp
C:\found.002\dir0002.chk\ATI_Classic\TexbackRight.bmp
C:\found.002\dir0002.chk\ATI_Classic\textback.bmp
C:\found.002\dir0002.chk\ATI_Classic\ToolbarButton.tga
C:\found.002\dir0002.chk\ATI_Classic\TreeViewNode.bmp
C:\found.002\dir0002.chk\ATI_Classic\WindowFrameBottomUis2.bmp
C:\found.002\dir0002.chk\ATI_Classic\WindowFrameLeftUis2.bmp
C:\found.002\dir0002.chk\ATI_Classic\WindowFrameRightUis2.bmp
C:\found.002\dir0002.chk\ATI_Classic\WindowFrameTopUis2.bmp
C:\found.002\dir0002.chk\ATI_Crimson\ATI_Crimson.uis
C:\found.002\dir0002.chk\ATI_Crimson\ATITrackBarThumbDown.tga
C:\found.002\dir0002.chk\ATI_Crimson\ATITrackBarThumbHorz.tga
C:\found.002\dir0002.chk\ATI_Crimson\ATITrackBarThumbLeft.tga
C:\found.002\dir0002.chk\ATI_Crimson\ATITrackBarThumbRight.tga
C:\found.002\dir0002.chk\ATI_Crimson\ATITrackBarThumbUp.tga
C:\found.002\dir0002.chk\ATI_Crimson\ATITrackBarThumbVert.tga
C:\found.002\dir0002.chk\ATI_Crimson\ATITrackBarTrack.tga
C:\found.002\dir0002.chk\ATI_Crimson\CheckboxNew.tga
C:\found.002\dir0002.chk\ATI_Crimson\CloseButton.bmp
C:\found.002\dir0002.chk\ATI_Crimson\CloseButton_dis.bmp
C:\found.002\dir0002.chk\ATI_Crimson\ComboboxDropDownButton.tga
C:\found.002\dir0002.chk\ATI_Crimson\ExtraImages.tga
C:\found.002\dir0002.chk\ATI_Crimson\GroupBox.bmp
C:\found.002\dir0002.chk\ATI_Crimson\GroupBoxHeader.bmp
C:\found.002\dir0002.chk\ATI_Crimson\HelpButton.bmp
C:\found.002\dir0002.chk\ATI_Crimson\ListViewHeader.bmp
C:\found.002\dir0002.chk\ATI_Crimson\MaxButton.bmp
C:\found.002\dir0002.chk\ATI_Crimson\mdibar.bmp
C:\found.002\dir0002.chk\ATI_Crimson\MDIButtons.bmp
C:\found.002\dir0002.chk\ATI_Crimson\MDIButtons.tga
C:\found.002\dir0002.chk\ATI_Crimson\MenuBackground.bmp
C:\found.002\dir0002.chk\ATI_Crimson\MenuItem.tga
C:\found.002\dir0002.chk\ATI_Crimson\MinButton.bmp
C:\found.002\dir0002.chk\ATI_Crimson\ProgressBar.bmp
C:\found.002\dir0002.chk\ATI_Crimson\pulldownitemextra.tga
C:\found.002\dir0002.chk\ATI_Crimson\PushButton.tga
C:\found.002\dir0002.chk\ATI_Crimson\RadioButtonNew.tga
C:\found.002\dir0002.chk\ATI_Crimson\Rebar.bmp
C:\found.002\dir0002.chk\ATI_Crimson\RebarGripper.bmp
C:\found.002\dir0002.chk\ATI_Crimson\RestoreButton.bmp
C:\found.002\dir0002.chk\ATI_Crimson\ScrollBarButtons.bmp
C:\found.002\dir0002.chk\ATI_Crimson\ScrollbarShaftHorz.bmp
C:\found.002\dir0002.chk\ATI_Crimson\ScrollbarShaftVert.bmp
C:\found.002\dir0002.chk\ATI_Crimson\ScrollbarThumbBtnHorz.bmp
C:\found.002\dir0002.chk\ATI_Crimson\ScrollbarThumbBtnVert.bmp
C:\found.002\dir0002.chk\ATI_Crimson\Spin.tga
C:\found.002\dir0002.chk\ATI_Crimson\SpinUpDownHorizontalGlyph.tga
C:\found.002\dir0002.chk\ATI_Crimson\SpinUpDownVerticalGlyph.tga
C:\found.002\dir0002.chk\ATI_Crimson\StatusBar.bmp
C:\found.002\dir0002.chk\ATI_Crimson\SunkEdge.bmp
C:\found.002\dir0002.chk\ATI_Crimson\TabItem.tga
C:\found.002\dir0002.chk\ATI_Crimson\TabPane.bmp
C:\found.002\dir0002.chk\ATI_Crimson\TabsPage.bmp
C:\found.002\dir0002.chk\ATI_Crimson\TexbackLeft.bmp
C:\found.002\dir0002.chk\ATI_Crimson\TexbackLeft2.bmp
C:\found.002\dir0002.chk\ATI_Crimson\TexbackRight.bmp
C:\found.002\dir0002.chk\ATI_Crimson\textback.bmp
C:\found.002\dir0002.chk\ATI_Crimson\ToolbarButton.tga
C:\found.002\dir0002.chk\ATI_Crimson\TreeViewNode.bmp
C:\found.002\dir0002.chk\ATI_Crimson\WindowFrameBottomUis2.bmp
C:\found.002\dir0002.chk\ATI_Crimson\WindowFrameLeftUis2.bmp
C:\found.002\dir0002.chk\ATI_Crimson\WindowFrameRightUis2.bmp
C:\found.002\dir0002.chk\ATI_Crimson\WindowFrameTopUis2.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\buttons.tga
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_Button.CheckBox.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_Button.Radio.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_Buttons.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_ComboButton.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_GroupBox.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_GroupBoxEdge.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_HeaderBar.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_HorzScroll.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_HorzScrollThumb.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_MenuBackground.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_MenuItem.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_ReBar.Grip.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_Scrollbar.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_StatusBarEdges.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_SunkEdge.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_Tabs.Border.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_Tabs.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_TaskBar.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_ToolBarBackground.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_Toolbars.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_TopBorder.TextBack.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_TrackBar.ThumbDown.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_TrackBar.ThumbHorz.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_TrackBar.ThumbLeft.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_TrackBar.ThumbRight.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_TrackBar.ThumbUp.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_TrackBar.ThumbVert.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_TrackBar.Track.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_TrackBar.TrackVert.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_UpDown.Horz.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_UpDown.Vert.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_VertScroll.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_VertScrollThumb.WB4
C:\found.002\dir0002.chk\CATALYST_Quicksilver\CATALYST_QuicksilverStatusBar.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\checkbox.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\checkbox_old.tga
C:\found.002\dir0002.chk\CATALYST_Quicksilver\close1.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\close1_dis.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\close2.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\close2_dis.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\ComboBox.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\ComboButton2.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\comboglyph.tga
C:\found.002\dir0002.chk\CATALYST_Quicksilver\dialog_bg.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\explorer_bg.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\FrameBottom.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\FrameLeft.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\FrameRight.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\FrameTop.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\Groupbox.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\GroupBoxTop2.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\header.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\HScrollShaft.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\HScrollThumb.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\Menu.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\menubg.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\MenuFrame.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\menuitem.tga
C:\found.002\dir0002.chk\CATALYST_Quicksilver\minimize2.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\radio.tga
C:\found.002\dir0002.chk\CATALYST_Quicksilver\radio_old.tga
C:\found.002\dir0002.chk\CATALYST_Quicksilver\Rebar.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\ScrollArrows.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\spinner-horz-glyphs.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\spinner-vert-glyphs.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\spinner.tga
C:\found.002\dir0002.chk\CATALYST_Quicksilver\sysicon.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\Tab.tga
C:\found.002\dir0002.chk\CATALYST_Quicksilver\TabPanel.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\textback-wb4.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\textback.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\textcap.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\toolbar_bg.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\toolbuttons.tga
C:\found.002\dir0002.chk\CATALYST_Quicksilver\TrackBar-h.tga
C:\found.002\dir0002.chk\CATALYST_Quicksilver\TrackBar-v.tga
C:\found.002\dir0002.chk\CATALYST_Quicksilver\TrackBarHTrack.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\TrackBarVTrack.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\VScrollShaft.bmp
C:\found.002\dir0002.chk\CATALYST_Quicksilver\VScrollThumb.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\buttons.tga
C:\found.002\dir0002.chk\CATALYST_SteelBlue\CATALYST_SteelBlue.uis
C:\found.002\dir0002.chk\CATALYST_SteelBlue\checkbox.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\checkbox_old.tga
C:\found.002\dir0002.chk\CATALYST_SteelBlue\close1.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\close1_dis.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\close2.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\close2_dis.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\ComboBox.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\ComboButton2.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\comboglyph.tga
C:\found.002\dir0002.chk\CATALYST_SteelBlue\ControlCenterStatusBar.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\dialog_bg.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\explorer_bg.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\FrameBottom.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\FrameLeft.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\FrameRight.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\FrameTop.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\Groupbox.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\GroupBoxTop2.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\header.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\HScrollShaft.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\HScrollThumb.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\Menu.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\menubg.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\MenuFrame.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\menuitem.tga
C:\found.002\dir0002.chk\CATALYST_SteelBlue\minimize2.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\radio.tga
C:\found.002\dir0002.chk\CATALYST_SteelBlue\radio_old.tga
C:\found.002\dir0002.chk\CATALYST_SteelBlue\Rebar.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\ScrollArrows.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\spinner-horz-glyphs.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\spinner-vert-glyphs.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\spinner.tga
C:\found.002\dir0002.chk\CATALYST_SteelBlue\sysicon.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\Tab.tga
C:\found.002\dir0002.chk\CATALYST_SteelBlue\TabPanel.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\textback-wb4.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\textback.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\textcap.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\toolbar_bg.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\toolbuttons.tga
C:\found.002\dir0002.chk\CATALYST_SteelBlue\TrackBar-h.tga
C:\found.002\dir0002.chk\CATALYST_SteelBlue\TrackBar-v.tga
C:\found.002\dir0002.chk\CATALYST_SteelBlue\TrackBarHTrack.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\TrackBarVTrack.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\VScrollShaft.bmp
C:\found.002\dir0002.chk\CATALYST_SteelBlue\VScrollThumb.bmp
C:\found.002\dir0002.chk\Skins.xml

.
((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-05 )))))))))))))))))))))))))))))))
.

2008-05-02 09:25 . 2008-05-02 09:27 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\SecondLife
2008-05-02 09:22 . 2008-05-02 09:28 <DIR> d-------- C:\Program Files\SecondLife
2008-04-29 18:33 . 2008-04-29 18:34 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-29 18:32 . 2008-04-29 18:32 <DIR> d-------- C:\SDFIX
2008-04-29 17:52 . 2008-04-29 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-29 17:51 . 2008-04-29 18:52 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-29 17:51 . 2008-04-29 17:51 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\SUPERAntiSpyware.com
2008-04-29 16:06 . 2008-04-29 16:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-29 16:06 . 2008-04-29 16:06 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-04-29 16:06 . 2008-04-29 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-29 16:05 . 2008-04-29 16:05 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-29 13:03 . 2008-04-29 13:03 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-28 23:38 . 2008-04-30 14:16 <DIR> d--h----- C:\$AVG8.VAULT$
2008-04-28 23:34 . 2008-05-04 18:50 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-04-28 23:34 . 2008-04-28 23:34 <DIR> d-------- C:\Program Files\AVG
2008-04-28 23:34 . 2008-05-03 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-28 23:34 . 2008-04-28 23:34 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-04-28 23:34 . 2008-04-28 23:34 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-04-25 04:23 . 2008-04-27 22:04 <DIR> d---s---- C:\Documents and Settings\Administrator.GETTER_ONE
2008-04-25 04:23 . 2008-05-03 19:01 1,024 --ah----- C:\Documents and Settings\Administrator.GETTER_ONE\ntuser.dat.LOG
2008-04-25 04:04 . 2008-04-25 04:04 <DIR> d-------- C:\!KillBox

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-05 02:57 --------- d-----w C:\Program Files\mIRC
2008-05-03 23:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-03 23:35 --------- d-----w C:\Program Files\Trillian
2008-05-03 07:01 --------- d-----w C:\Documents and Settings\Mike\Application Data\Azureus
2008-04-29 21:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-28 22:12 --------- d-----w C:\Program Files\Java
2008-04-20 22:26 --------- d-----w C:\Documents and Settings\Mike\Application Data\Ahead
2008-04-20 21:05 --------- d-----w C:\Program Files\World of Warcraft
2008-04-13 20:44 --------- d-----w C:\Program Files\Apophysis 2.0
2008-04-04 23:35 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-04 23:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-04-01 17:13 --------- d-----w C:\Documents and Settings\Mike\Application Data\Xfire
2008-03-28 23:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-28 23:11 --------- d-----w C:\Program Files\Nero
2008-03-28 05:52 --------- d-----w C:\Program Files\AV Vcs 5.5 DIAMOND
2008-03-27 07:54 --------- d-----w C:\Program Files\Winamp
2008-03-27 07:25 48,456 ----a-w C:\WINDOWS\system32\UninstallElectricSheep.exe
2008-03-27 00:14 --------- d-s---w C:\Program Files\Xfire
2008-03-25 10:31 --------- d-----w C:\Program Files\Steam
2008-03-20 18:00 --------- d-----w C:\Program Files\Lavasoft
2008-03-20 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-20 00:11 --------- d-----w C:\Program Files\CCleaner
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 09:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ironclad Games
2008-03-17 09:21 --------- d-----w C:\Program Files\Stardock
2008-03-17 08:16 --------- d-----w C:\Program Files\Common Files\Stardock
2008-03-13 23:05 41,296 ----a-w C:\WINDOWS\system32\xfcodec.dll
2008-03-10 14:26 --------- d-----w C:\Program Files\Azureus
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-15 20:04 141,909,560 ----a-w C:\Documents and Settings\Mike\WoW-2.3.3.7799-to-0.4.0.7897-enUS-patch.exe
2007-10-13 18:57 140,202,521 ----a-w C:\Documents and Settings\Mike\WoW-2.2.3.7359-to-0.3.0.7382-enUS-patch.exe
2007-06-12 12:25 40,836,719 ----a-w C:\Documents and Settings\Mike\WoW-2.1.1.6739-to-0.1.2.6757-enUS-patch.exe
2007-04-23 22:20 221,149,222 ----a-w C:\Documents and Settings\Mike\WoW-2.0.12.6546-to-0.1.0.6577-enUS-patch.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-03_19.06.46.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-01 13:17:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-04 22:48:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-04 22:48:53 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_72c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 21:51 131072]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-18 05:34 1228800]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 18:49 49152]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 18:52 184408]
"Launch LGDCore"="C:\Program Files\Logitech\G-series Software\LGDCore.exe" [2005-08-23 09:36 1110079]
"Launch LCDMon"="C:\Program Files\Logitech\G-series Software\LCDMon.exe" [2005-08-23 09:22 188416]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"AtiPTA"="atiptaxx.exe" [2006-02-21 21:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-28 23:34 1177368]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2006-02-28 08:00 158208]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Mike\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiTrayTools]
--a------ 2006-12-06 09:00 516608 C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-06-01 10:21 153136 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTRegRun]
--------- 1999-10-10 13:00 41984 C:\WINDOWS\CTRegRun.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 13:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-21 06:42 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 13:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-01-28 09:48 1266936 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--------- 2007-02-27 11:39 1310720 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\aoa_kampfer\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Stardock\\TotalGaming\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\Steam\\steamapps\\aoa_kampfer\\counter-strike\\hl.exe"=
"C:\\WINDOWS\\system32\\ElectricSheep.scr"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\SecondLife\\SLVoice.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6000:TCP"= 6000:TCP:Host
"6000:UDP"= 6000:UDP:Host1
"6112:TCP"= 6112:TCP:host2
"6112:UDP"= 6112:UDP:Host4

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys [2004-05-12 02:01]
R1 atitray;atitray;C:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys [2006-11-30 04:05]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-28 23:34]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-28 23:34]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 20:17]
S3 AC2003;AC2003;C:\WINDOWS\system32\Drivers\AC2003.sys [2004-07-11 23:57]
S3 cpuz126;cpuz126;C:\DOCUME~1\Mike\LOCALS~1\Temp\cpuz.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d123d77-c137-11db-b6d5-806d6172696f}]
\Shell\AutoRun\command - F:\Autorun.exe root.ini

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a01cc654-8c3d-11dc-aec9-001195d09dab}]
\Shell\AutoRun\command - G:\Autorun.exe /run
\Shell\Shell00\Command - G:\Autorun.exe /run
\Shell\Shell01\Command - G:\Autorun.exe /action
\Shell\Shell02\Command - G:\Autorun.exe /uninstall

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 23:09:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-04 23:10:05
ComboFix-quarantined-files.txt 2008-05-05 03:10:01
ComboFix2.txt 2008-05-03 23:07:09

Pre-Run: 6,981,283,840 bytes free
Post-Run: 6,975,303,680 bytes free

527 --- E O F --- 2008-05-01 07:11:02

[NeueZiel]

Everything seems to be running smooth

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:16 PM, on 5/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Mike\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD4D8DD8-394B-4BEB-8B6B-34315BA1CB68}: NameServer = 64.233.214.34,64.233.214.41
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5783 bytes