Computer Forums > The World Wide Web > Virus - Spyware Protection / Detection > HijackThis Logs (finished)

#1 | 06-20-2008, 01:43 PM | Peter.Cort
Slow PC HJT Log for the heck of it.. [F]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:40:32 PM, on 6/20/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\system\svchost.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SVCHOST] C:\Windows\system\svchost.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 5454 bytes
__________________

LINKS!
Use Them!
---------------------------------------------------------
Recommended Components
Inferno Deals!
Power Supply Guide
Stuck With Hardware Questions? Look Here!!!
#2 | 06-20-2008, 04:37 PM | Mak213 (Commander Super Mod Joker)
Re: Slow PC HJT Log for the heck of it..

Hello Peter.Cort,

I do not see anything really bad in there at all. That log looks clean to me. Do you wish to try some other scanners to see if they find anything?

Regards,
Mak
#3 | 06-20-2008, 08:48 PM | macdawg (Ultra Techie)
Re: Slow PC HJT Log for the heck of it..

Do you have really high CPU and memory usage from svchost.exe in Task Manager?

You should have someone who knows more investigate this, but I ran your log through an analyzer that points to two reasons why your PC might be slow:

C:\Windows\system\svchost.exe - This entry is not running from the System32 folder, so it is probably nasty.
Possibly nasty! According to our database this process runs normally in c:\windows\system32\!

O4 - HKLM\..\Run: [SVCHOST] C:\Windows\system\svchost.exe - Must be fixed! Added by the DLOADER-EV TROJAN! Note - this is not the legitimate svchost.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup!
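The two checks the analyzer applied above (a well-known system binary running from a directory it never legitimately lives in, and a Run entry pointing at a binary that Windows always starts itself) are easy to automate over a HijackThis log. The script below is an added example written for this page; it is not part of the thread, of HijackThis or of the analyzer that was used. It reads the "Running processes", O4 and O23 lines, extracts the executable path, and compares a handful of well-known Windows binaries against the directories they legitimately run from. The table of expected directories is an assumption for a default install on C: (SysWOW64 is included because 64-bit Windows carries a 32-bit svchost.exe there) and is not exhaustive. The sample lines are copied from the log in post #1.

```python
"""Flag masquerading Windows system binaries in a HijackThis log.

Added example (not part of the thread or of HijackThis). Two checks, both
taken from the reasoning in the post above:
  1. a well-known system binary that is not in the directory it always
     lives in (svchost.exe belongs in System32, never in C:\\Windows\\system);
  2. a Run/Startup entry (HJT "O4" line) that references a binary Windows
     starts itself and that never belongs in an autostart key.
"""
import re
from typing import Iterable, List, Tuple

# Assumption: a default install on C:. SysWOW64 is included because 64-bit
# Windows ships a 32-bit svchost.exe there. Illustrative, not exhaustive.
EXPECTED_DIRS = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe":    {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Started by the service control manager or winlogon, never by a Run key.
NEVER_IN_RUN = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}

# First drive-letter path ending in .exe/.dll/.sys on a line. Spaces are
# allowed (C:\Program Files\...); quotes and HJT's [name] brackets are not.
_PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[\]\n]*?\.(?:exe|dll|sys))\b', re.IGNORECASE)


def extract_path(line: str):
    """Return the first absolute executable path on the line, or None."""
    m = _PATH_RE.search(line)
    return m.group(1) if m else None


def classify(line: str) -> List[str]:
    """Return the reasons a HijackThis log line is suspicious (empty if none)."""
    reasons: List[str] = []
    stripped = line.strip()
    is_run_entry = stripped.startswith("O4 - ")
    path = extract_path(stripped)
    if path is not None:
        directory, _, name = path.lower().rpartition("\\")
    elif is_run_entry:
        # Bare file name resolved through the search path at logon: the
        # directory is unknown, but the name itself can still be checked.
        token = stripped.split("]", 1)[-1].strip().split(" ", 1)[0].strip('"')
        directory, _, name = token.lower().rpartition("\\")
    else:
        return reasons

    if is_run_entry and name in NEVER_IN_RUN:
        reasons.append(f"{name} is never a legitimate Run/Startup entry")
    expected = EXPECTED_DIRS.get(name)
    if expected and directory and directory not in expected:
        reasons.append(f"{name} runs from {directory}, expected {' or '.join(sorted(expected))}")
    return reasons


def scan(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Run classify() over a whole log; return (line, reasons) for each hit."""
    findings = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


# Lines copied from the HijackThis log in post #1 of this thread.
SAMPLE_LOG = r"""
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system\svchost.exe
C:\Program Files\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SVCHOST] C:\Windows\system\svchost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
"""

if __name__ == "__main__":
    for hit, why in scan(SAMPLE_LOG.splitlines()):
        print(hit)
        for r in why:
            print("   ->", r)
```

Run against the sample, the only two hits are the process line for C:\Windows\system\svchost.exe and the HKLM Run entry that launches it; the Run entry is reported twice over, once for the wrong directory and once because svchost.exe never belongs in a Run key at all. Explorer.EXE under C:\Windows passes, as do the unknown third-party executables, which is the point: the check is about names that attackers borrow, not about every unfamiliar path.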
#4 | 06-20-2008, 08:52 PM | Mak213 (Commander Super Mod Joker)
Re: Slow PC HJT Log for the heck of it..

Sorry, that was my fault. I misread the log. I take full blame. Now, after reading it, Mac is right.


Step 1 | ComboFix

Download ComboFix from Here or Here to your Desktop.
Read first: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
  • Be sure to re-enable your anti-virus and other security programs after ComboFix has finished.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read Combofix's Disclaimer

Logs needed in next post:

ComboFix

Regards,
Mak
Last edited by Mak213; 06-20-2008 at 09:22 PM.
#5 | 06-21-2008, 12:35 PM | Formerly the latter (Super Techie)
Re: Slow PC HJT Log for the heck of it..

Please note the edit made by Mak213.
#6 | 06-22-2008, 10:11 AM | Peter.Cort
Re: Slow PC HJT Log for the heck of it..

ComboFix 08-06-20.4 - Peter 2008-06-22 11:11:37.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.1125 [GMT -4:00]
Running from: C:\Users\Peter\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system\svchost.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-22 to 2008-06-22 )))))))))))))))))))))))))))))))
.

2008-06-20 14:40 . 2008-06-20 14:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-19 15:57 . 2008-06-19 15:57 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-18 20:01 . 2008-06-18 20:02 <DIR> d-------- C:\Program Files\iTunes
2008-06-18 20:01 . 2008-06-18 20:01 <DIR> d-------- C:\Program Files\iPod
2008-06-18 19:59 . 2008-06-18 19:59 <DIR> d-------- C:\Program Files\QuickTime
2008-06-18 19:18 . 2008-04-23 00:27 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-06-18 19:18 . 2008-04-23 00:27 428,032 --a------ C:\Windows\System32\EncDec.dll
2008-06-18 19:18 . 2008-04-23 00:27 292,352 --a------ C:\Windows\System32\psisdecd.dll
2008-06-18 19:18 . 2008-04-23 00:26 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-18 19:18 . 2008-04-23 00:26 80,896 --a------ C:\Windows\System32\MSNP.ax
2008-06-18 19:18 . 2008-04-23 00:26 68,608 --a------ C:\Windows\System32\Mpeg2Data.ax
2008-06-18 19:18 . 2008-04-23 00:26 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-08 20:45 . 2008-06-08 20:45 <DIR> d-------- C:\Program Files\Simpli Software
2008-06-08 18:25 . 2008-06-08 18:29 <DIR> d-------- C:\Program Files\OCCT
2008-05-28 18:10 . 2008-05-28 18:10 0 --a------ C:\Windows\ativpsrm.bin
2008-05-28 18:09 . 2008-05-28 18:09 <DIR> d-------- C:\Program Files\ATI Technologies
2008-05-28 18:09 . 2008-05-28 18:09 <DIR> d-------- C:\Program Files\ATI
2008-05-28 18:08 . 2008-05-28 18:08 <DIR> d-------- C:\ATI
2008-05-28 17:56 . 2008-05-28 17:56 268 --ah----- C:\sqmdata19.sqm
2008-05-28 17:56 . 2008-05-28 17:56 244 --ah----- C:\sqmnoopt19.sqm
2008-05-28 17:40 . 2008-05-28 17:40 268 --ah----- C:\sqmdata18.sqm
2008-05-28 17:40 . 2008-05-28 17:40 244 --ah----- C:\sqmnoopt18.sqm
2008-05-28 17:32 . 2008-05-28 17:32 268 --ah----- C:\sqmdata17.sqm
2008-05-28 17:32 . 2008-05-28 17:32 244 --ah----- C:\sqmnoopt17.sqm
2008-05-28 15:32 . 2008-06-18 21:17 268 --ah----- C:\sqmdata16.sqm
2008-05-28 15:32 . 2008-06-18 21:17 244 --ah----- C:\sqmnoopt16.sqm
2008-05-27 23:34 . 2008-06-18 20:58 268 --ah----- C:\sqmdata15.sqm
2008-05-27 23:34 . 2008-06-18 20:58 244 --ah----- C:\sqmnoopt15.sqm
2008-05-27 16:59 . 2008-05-27 16:59 <DIR> d-------- C:\Program Files\Microsoft Works
2008-05-27 16:58 . 2008-05-27 16:58 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-27 16:56 . 2008-06-10 20:48 <DIR> d-------- C:\Users\All Users\Microsoft Help
2008-05-27 16:56 . 2008-06-10 20:48 <DIR> d-------- C:\ProgramData\Microsoft Help
2008-05-27 16:55 . 2008-05-27 16:55 <DIR> dr-h----- C:\MSOCache
2008-05-27 16:53 . 2008-03-07 20:37 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-27 16:53 . 2008-03-08 00:30 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ C:\Windows\System32\QuickTime.qts
2008-05-26 23:16 . 2008-06-18 19:32 268 --ah----- C:\sqmdata14.sqm
2008-05-26 23:16 . 2008-06-18 19:32 244 --ah----- C:\sqmnoopt14.sqm
2008-05-26 20:40 . 2008-06-18 19:20 268 --ah----- C:\sqmdata13.sqm
2008-05-26 20:40 . 2008-06-18 19:20 244 --ah----- C:\sqmnoopt13.sqm
2008-05-26 11:45 . 2008-06-10 22:35 268 --ah----- C:\sqmdata12.sqm
2008-05-26 11:45 . 2008-06-10 22:35 244 --ah----- C:\sqmnoopt12.sqm
2008-05-26 11:21 . 2008-05-26 11:21 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-26 11:21 . 2008-05-26 11:21 <DIR> d-------- C:\Program Files\GameSpy Arcade
2008-05-26 00:10 . 2008-06-09 22:20 268 --ah----- C:\sqmdata11.sqm
2008-05-26 00:10 . 2008-06-09 22:20 244 --ah----- C:\sqmnoopt11.sqm
2008-05-25 13:06 . 2008-05-25 13:06 <DIR> d-------- C:\Users\Peter\AppData\Roaming\AltrixSoft
2008-05-25 11:24 . 2008-05-25 11:24 <DIR> d-------- C:\Program Files\PowerISO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 14:42 --------- d-----w C:\Program Files\Steam
2008-06-19 01:53 --------- d-----w C:\Users\Peter\AppData\Roaming\uTorrent
2008-06-19 01:17 --------- d-----w C:\Program Files\Windows Live
2008-06-18 23:29 --------- d-----w C:\Program Files\Common Files\Steam
2008-06-18 23:20 --------- d-----w C:\Program Files\Windows Mail
2008-06-11 02:28 --------- d-----w C:\Users\Peter\AppData\Roaming\.purple
2008-06-11 02:27 --------- d---a-w C:\ProgramData\TEMP
2008-05-31 18:06 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-05-31 18:06 103,736 ----a-w C:\Windows\System32\PnkBstrB.exe
2008-05-31 16:48 --------- d-----w C:\ProgramData\Xfire
2008-05-28 21:57 --------- d-----w C:\ProgramData\NVIDIA
2008-05-28 03:32 --------- d-----w C:\Users\Peter\AppData\Roaming\Apple Computer
2008-05-26 15:18 --------- d-----w C:\Program Files\Microsoft Games
2008-05-26 03:23 --------- d-----w C:\Program Files\Xfire
2008-05-26 03:22 --------- d-----w C:\Users\Peter\AppData\Roaming\Xfire
2008-05-20 20:55 66,872 ----a-w C:\Windows\System32\PnkBstrA.exe
2008-05-19 23:58 22,328 ----a-w C:\Users\Peter\AppData\Roaming\PnkBstrK.sys
2008-05-17 15:46 --------- d-----w C:\Program Files\Common Files\3DO Shared
2008-05-17 15:46 --------- d-----w C:\Program Files\3DO
2008-05-14 01:29 41,296 ----a-w C:\Windows\System32\xfcodec.dll
2008-05-12 16:30 3,592,704 ----a-w C:\Windows\system32\drivers\atikmdag.sys
2008-05-12 15:56 397,312 ----a-w C:\Windows\System32\ATIDEMGX.dll
2008-05-12 15:55 43,520 ----a-w C:\Windows\System32\ati2edxx.dll
2008-05-12 15:55 327,680 ----a-w C:\Windows\System32\atipdlxx.dll
2008-05-12 15:55 266,240 ----a-w C:\Windows\System32\Ati2evxx.dll
2008-05-12 15:55 262,144 ----a-w C:\Windows\System32\Oemdspif.dll
2008-05-12 15:55 159,744 ----a-w C:\Windows\System32\atitmmxx.dll
2008-05-12 15:53 675,840 ----a-w C:\Windows\System32\Ati2evxx.exe
2008-05-12 15:45 1,554,944 ----a-w C:\Windows\System32\atidxx32.dll
2008-05-12 15:40 3,101,184 ----a-w C:\Windows\System32\atiumdag.dll
2008-05-12 15:26 9,994,240 ----a-w C:\Windows\System32\atioglxx.dll
2008-05-12 15:23 4,291,584 ----a-w C:\Windows\System32\atiumdva.dll
2008-05-12 15:11 48,640 ----a-w C:\Windows\System32\amdpcom32.dll
2008-05-12 15:11 19,968 ----a-w C:\Windows\System32\atiadlxx.dll
2008-05-12 14:56 49,152 ----a-w C:\Windows\system32\drivers\ati2erec.dll
2008-05-10 03:30 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-05-10 01:21 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-05-07 23:26 --------- d-----w C:\Users\Peter\AppData\Roaming\gtk-2.0
2008-05-04 18:11 --------- d-----w C:\ProgramData\Apple Computer
2008-05-04 17:48 --------- d-----w C:\Program Files\CCleaner
2008-05-04 17:37 --------- d-----w C:\Program Files\Pidgin
2008-05-04 17:37 --------- d-----w C:\Program Files\Common Files\GTK
2008-05-04 17:22 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-04 17:14 --------- d-----w C:\ProgramData\WLInstaller
2008-05-04 16:56 --------- d-----w C:\ProgramData\Lavasoft
2008-05-04 16:55 --------- d-----w C:\Program Files\Lavasoft
2008-05-04 16:55 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-04 15:24 --------- d-----w C:\Program Files\uTorrent
2008-05-04 14:54 --------- d-----w C:\Users\Peter\AppData\Roaming\Sony
2008-05-04 14:54 --------- d-----w C:\Users\Peter\AppData\Roaming\Publish Providers
2008-05-04 14:49 --------- d-----w C:\ProgramData\Sony
2008-05-04 14:49 --------- d-----w C:\Program Files\Vstplugins
2008-05-04 14:48 --------- d-----w C:\Program Files\Sony
2008-05-04 14:47 --------- d-----w C:\Users\Peter\AppData\Roaming\Media Player Classic
2008-05-04 14:46 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-05-03 15:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-03 15:09 --------- d-----w C:\ProgramData\Adobe Systems
2008-05-03 15:05 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-05-03 15:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-03 14:58 --------- d-----w C:\ProgramData\Apple
2008-05-03 14:58 --------- d-----w C:\Program Files\Common Files\Apple
2008-05-03 02:02 278,984 ----a-w C:\Windows\system32\drivers\atksgt.sys
2008-05-03 02:02 25,416 ----a-w C:\Windows\system32\drivers\lirsgt.sys
2008-05-03 02:02 --------- d-----w C:\Program Files\The Witcher
2008-05-03 00:25 --------- d-----w C:\Users\Peter\AppData\Roaming\Ubisoft
2008-05-03 00:24 --------- d-----w C:\ProgramData\Ubisoft
2008-05-03 00:14 --------- d-----w C:\Program Files\Ubisoft
2008-05-03 00:13 --------- d-----w C:\Users\Peter\AppData\Roaming\InstallShield
2008-05-02 22:41 --------- d-----w C:\Program Files\RivaTuner v2.08
2008-05-02 11:38 174 --sha-w C:\Program Files\desktop.ini
2008-05-02 02:30 --------- d-----w C:\Program Files\Windows Defender
2008-05-02 02:30 --------- d-----w C:\Program Files\Windows Calendar
2008-05-02 02:29 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-02 00:19 --------- d-----w C:\Program Files\Activision
2008-05-01 22:51 87,040 ----a-w C:\Windows\System32\msoert2.dll
2008-05-01 22:51 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-05-01 22:51 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-05-01 22:51 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-05-01 22:51 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-05-01 22:51 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-05-01 22:51 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2008-05-01 22:51 297,984 ----a-w C:\Windows\System32\wlansec.dll
2008-05-01 22:51 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2008-05-01 22:51 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-05-01 22:51 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-05-01 22:51 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2008-05-01 22:51 2,923,520 ----a-w C:\Windows\explorer.exe
2008-05-01 22:50 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-05-01 22:50 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-05-01 22:49 49,664 ----a-w C:\Windows\System32\csrsrv.dll
2008-05-01 22:49 376,320 ----a-w C:\Windows\System32\winsrv.dll
2008-05-01 22:48 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-05-01 22:48 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-05-01 22:47 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-05-01 22:47 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-05-01 22:47 414,208 ----a-w C:\Windows\System32\msscp.dll
2008-05-01 22:47 374,456 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-05-01 22:46 86,016 ----a-w C:\Windows\System32\icfupgd.dll
2008-05-01 22:46 63,488 ----a-w C:\Windows\system32\drivers\mpsdrv.sys
2008-05-01 22:46 61,952 ----a-w C:\Windows\System32\cmifw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-04-30 22:31 1271032]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 08:33 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-12 12:01 4431872 C:\Windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-04-06 13:22 1822720 C:\Windows\SkyTel.exe]
"JMB36X IDE Setup"="C:\Windows\RaidTool\xInsIDE.exe" [2007-03-21 10:36 36864]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-30 22:45 1177368]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-14 19:50 233472]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]

C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A19B385B-C99C-4BFC-858B-22EC2DAA808A}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{6A020B18-34E8-42CD-A165-3B38ADEDEE86}"= C:\Program Files\AVG\AVG8\avgemc.exe:avgemc.exe
"{DE7BFB3A-D0DC-4656-AE54-1F676B592389}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{4AACF654-DB43-4ACC-BA62-04834F8FFCC7}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{83CBEA70-C234-454B-8065-7EB4A4E833A9}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{05DC8680-9B6A-4258-B014-17C59C9A6148}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{8008AC53-9256-4B5F-BC93-BC4DE5BC335B}"= UDP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{F9AF2853-5E1F-4AA6-BC98-73964F05BEE7}"= TCP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{E53B81EA-CFAA-4A29-971B-0F9B8DF49716}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{807B0C77-8D52-4E7C-A216-509C008B7D93}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{560C456F-A0E0-4954-954F-EF797278C2BB}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{B61C6A75-C110-4DA8-AD04-88889FA79ECC}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{4B146565-1D29-44E3-BD3B-CA9F76BC3400}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{F8CC3026-9DC2-4268-9A7C-EFFB9F473D74}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{76243C62-2239-48D9-B767-7D121A44A15A}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{D5A9FFEE-0269-421D-8165-2094A163C5D0}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{EF86F957-2796-48CC-BFE3-34E532B9A25A}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{DBB670B3-8A40-4199-83A5-01FFBED69270}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
"{2EAA6C3E-2538-4C51-8042-869E8BEC3400}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{C4558688-97AD-4351-B258-5420136AF282}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{F8A0F4DB-F3B1-47AF-A8DB-AF93D0E9068E}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{1E90E351-E61A-4721-97DE-B73E3F4F2D33}"= UDP:40274:utorrent
"{579F1EAF-CCBC-43E1-879B-C5C5A07B8540}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{174CE7A4-BB41-488E-BC41-B163DFACE302}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"TCP Query User{5C0D157A-91A0-413A-BB3F-5A006110E767}C:\\program files\\pidgin\\pidgin.exe"= UDP:C:\program files\pidgin\pidgin.exe:Pidgin
"UDP Query User{EAB3AF7B-D7A1-4988-8111-7714C32E66C1}C:\\program files\\pidgin\\pidgin.exe"= TCP:C:\program files\pidgin\pidgin.exe:Pidgin
"TCP Query User{302217A7-EC07-447E-9872-42EC786FB9B9}C:\\program files\\steam\\steamapps\\peter_cort\\team fortress 2\\hl2.exe"= UDP:C:\program files\steam\steamapps\peter_cort\team fortress 2\hl2.exe:hl2
"UDP Query User{23B66724-5B5E-4349-A638-1A850FCB48E7}C:\\program files\\steam\\steamapps\\peter_cort\\team fortress 2\\hl2.exe"= TCP:C:\program files\steam\steamapps\peter_cort\team fortress 2\hl2.exe:hl2
"TCP Query User{8A677B1B-2D90-4603-A3DA-0C22737CBD61}C:\\program files\\steam\\steamapps\\peter_cort\\counter-strike source\\hl2.exe"= UDP:C:\program files\steam\steamapps\peter_cort\counter-strike source\hl2.exe:hl2
"UDP Query User{37D67CAD-0216-40C8-BF61-C11E11E9386B}C:\\program files\\steam\\steamapps\\peter_cort\\counter-strike source\\hl2.exe"= TCP:C:\program files\steam\steamapps\peter_cort\counter-strike source\hl2.exe:hl2
"{47C5823D-A1FA-4AF1-8657-91AA231E2CE3}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{431ED205-46F8-49EF-95A6-F8C90DC5B456}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{978F8FD7-B864-4DD5-8AF7-526E37D34B50}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{577CF535-FA87-46B1-918E-A50089C1A358}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{4E52D9B1-677D-4430-A507-7351E18D45AF}"= UDP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{58F68EA5-05E3-451D-9EBA-DEB4747AB9E1}"= TCP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"TCP Query User{DAB64A21-7298-4518-9D99-E4E4801D925C}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{76AC8925-E707-4BF1-96DF-39D60B0BAB68}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
"TCP Query User{4BD19E98-52F7-4218-8150-B62B56F37607}C:\\program files\\microsoft games\\halo\\halo.exe"= UDP:C:\program files\microsoft games\halo\halo.exe:Halo
"UDP Query User{F1B5C363-28B5-4351-A7C5-FB33384E70B0}C:\\program files\\microsoft games\\halo\\halo.exe"= TCP:C:\program files\microsoft games\halo\halo.exe:Halo
"{5D0B6EAD-A0BC-439D-BF40-8EE751C726E1}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{84B9136F-CCAE-4700-8898-8F04B97200D2}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{6F457953-5083-452A-9666-0686A5553687}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
Last edited by Peter.Cort; 06-22-2008 at 11:37 AM.
#7 | 06-22-2008, 11:38 AM | Peter.Cort
Re: Slow PC HJT Log for the heck of it..

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-04-30 22:45]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-04-30 22:45]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-30 22:45]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\Windows\system32\DRIVERS\atl01v32.sys [2007-04-12 19:29]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-05-12 12:30]
R3 AvgWfpX;AVG8 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfpx.sys [2008-04-30 22:46]
R3 BENDER;Pinnacle DV/AV Capture;C:\Windows\system32\drivers\bender.sys [2006-11-21 12:34]
R3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-06-18 19:14]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\setup.exe /autorun
\shell\directx\command - E:\DirectX\dxsetup.exe
\shell\setup\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\setup.exe /autorun
\shell\directx\command - F:\DirectX\dxsetup.exe
\shell\setup\command - F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33cd7649-fe73-11d5-811e-806e6f6e6963}]
\shell\AutoRun\command - D:\Bin\Assetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b91343f-35bc-11dd-9b2a-001d601c1225}]
\shell\AutoRun\command - F:\WD_Windows_Tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1f54b20-fe5f-11d5-9009-806e6f6e6963}]
\shell\AutoRun\command - D:\setup\rsrc\Autorun.exe
\shell\dinstall\command - D:\Directx\dxsetup.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 11:14:04
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-22 11:14:52
ComboFix-quarantined-files.txt 2008-06-22 15:14:49

Pre-Run: 185,630,097,408 bytes free
Post-Run: 185,601,757,184 bytes free

281 --- E O F --- 2008-06-19 21:33:02
#8 | 06-23-2008, 01:02 PM | Peter.Cort
Re: Slow PC HJT Log for the heck of it..

bump..
#9 | 06-23-2008, 03:04 PM | Formerly the latter (Super Techie)
Re: Slow PC HJT Log for the heck of it..

Hello Peter.Cort,

Due to the high workload and the extra work that Mak213 gets, he becomes very busy and is sometimes not able to answer logs in a timely fashion. I will take a look over your log and give you your instructions, but you must remember that we all have lives and that there are other threads that have been waiting longer than you have.

Last edited by Formerly the latter; 06-23-2008 at 03:07 PM. Reason: Grammatical Update
Old 06-23-2008, 03:48 PM   #10 (permalink)
Super Techie
Join Date: Aug 2007
Posts: 457
Default Re: Slow PC HJT Log for the heck of it..

Step1 | ComboFix Script

1. Please open Notepad
  • Click Start, then Run
  • Type "notepad.exe" in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
KillAll::

File::
C:\Windows\ativpsrm.bin
C:\Windows\System32\x264vfw.dll
C:\Windows\System32\yv12vfw.dll


Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"=-
"VIDC.YV12"=-
3. Then in the text file go to FILE => SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/m...s/CFScript.gif

6. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply

Step2 | ATF Cleaner

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step3 | Kaspersky WebScanner


Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Step4 | MBAM Scanner

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Logs Required In Next Post
---------------------------------

ComboFix (CFScript) Log
Kaspersky Scanner Log
MBAM Scanner Log
New Hijackthis Log

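The CFScript in Step1 deletes two DLLs and then removes their VIDC.* registrations from the Drivers32 key. Before running a script of that kind it is useful to see everything registered under Drivers32, whether each value still points to an existing file, and how that file is signed, so that orphaned entries and unexpected codecs stand out. The PowerShell audit below is an added example, not code from this thread, from ComboFix or from the helper; it assumes Windows PowerShell 5.1 or later on Windows and an elevated prompt. The `Get-Drivers32Audit` function name and the `$keys` map are this example's own, not anything the tools on the page provide.

```powershell
# Added example (not code from the thread): audit every codec registered under
# Drivers32, the key whose VIDC.X264 / VIDC.YV12 values the CFScript above removes.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run elevated so that
# both the native and the WOW6432Node keys are readable.

# Each Drivers32 key resolves bare file names against its own system directory:
# the native key against System32, the WOW6432Node key (32-bit codecs on 64-bit
# Windows) against SysWOW64. On 32-bit Windows the second key simply does not exist.
$keys = @{
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'             = "$env:SystemRoot\System32"
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32' = "$env:SystemRoot\SysWOW64"
}

# Registry-provider metadata properties that Get-ItemProperty adds to every result.
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-Drivers32Audit {
    foreach ($key in $keys.Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $sysDir = $keys[$key]
        $props  = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            $value = [string]$p.Value
            # Drivers32 values are normally bare file names (e.g. "msrle32.dll");
            # an absolute path is taken as-is.
            $file = if ([System.IO.Path]::IsPathRooted($value)) { $value }
                    else { Join-Path -Path $sysDir -ChildPath $value }
            $exists = Test-Path -LiteralPath $file -PathType Leaf
            $signer = 'n/a'
            $status = 'Missing'
            if ($exists) {
                $sig    = Get-AuthenticodeSignature -FilePath $file
                $status = $sig.Status.ToString()        # Valid, NotSigned, HashMismatch, ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [PSCustomObject]@{
                Key    = $key
                Name   = $p.Name                      # e.g. VIDC.X264
                File   = $file
                Exists = $exists
                Status = $status
                Signer = $signer
            }
        }
    }
}

# Show the cases worth a second look first: values whose file is gone (an orphan
# left behind once a DLL is deleted) or whose file is present but not validly signed.
Get-Drivers32Audit |
    Sort-Object -Property Exists, Status |
    Format-Table -AutoSize Name, Exists, Status, Signer, File
```

Run it once before the CFScript and once after: the first run shows what the VIDC.X264 and VIDC.YV12 values actually point to, and the second confirms that no Drivers32 value is left pointing at a file that no longer exists. A Status of NotSigned is common for third-party codecs and is a prompt to check the file's hash and origin, not a verdict on its own.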