I'm not sure why, but it just decided this morning to be slow; even my iTunes was choppy.
I ran a malware scan and that turned out with no infections.
I have a ComboFix and HijackThis log.
COMBO FIX
ComboFix 09-03-29.04 - JQ 2009-03-31 13:00:03.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2378 [GMT 10:00]
Running from: c:\documents and settings\JQ\My Documents\Downloads\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.
2009-03-29 15:17 . 2009-03-29 15:17 <DIR> d-------- c:\documents and settings\JQ\Application Data\Locktime
2009-03-29 15:17 . 2009-03-29 15:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Locktime
2009-03-28 21:03 . 2009-03-28 21:03 <DIR> d-------- c:\documents and settings\JQ\Application Data\MathWorks
2009-03-28 21:00 . 2004-07-29 22:35 1,077,344 --a------ c:\windows\system32\mscomctl.ocx
2009-03-28 21:00 . 2009-03-28 21:00 645,120 --a------ c:\windows\system32\config.gms
2009-03-28 21:00 . 2004-03-01 21:05 407,104 --a------ c:\windows\system32\MSHFLXGD.OCX
2009-03-28 21:00 . 2004-02-11 13:37 203,976 --a------ c:\windows\system32\RICHTX32.OCX
2009-03-28 21:00 . 2002-02-13 09:20 2,364 --a------ c:\windows\system32\mscomctl.dep
2009-03-24 11:45 . 2009-03-24 11:45 <DIR> d-------- c:\documents and settings\JQ\Application Data\DiskAid
2009-03-24 11:00 . 2009-03-24 11:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-24 10:53 . 2009-03-24 10:53 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-02-25 21:43 . 2009-02-25 21:43 <DIR> d-------- c:\program files\Hamachi
2009-02-25 21:43 . 2009-02-25 21:43 25,280 --a------ c:\windows\system32\drivers\hamachi.sys
2009-02-25 21:41 . 2009-02-26 00:30 <DIR> d-------- c:\documents and settings\JQ\Application Data\Hamachi
2009-02-10 12:50 . 2009-02-10 12:50 <DIR> d-------- c:\documents and settings\JQ\Application Data\Radmin
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 02:58 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-31 01:54 --------- d-----w c:\documents and settings\JQ\Application Data\uTorrent
2009-03-31 00:51 22,528 ----a-w c:\windows\system32\drivers\nhcDriver.sys
2009-03-29 16:32 --------- d-----w c:\documents and settings\JQ\Application Data\mIRC
2009-03-24 00:58 --------- d-----w c:\program files\Common Files\Adobe
2009-03-08 00:56 --------- d-----w c:\documents and settings\JQ\Application Data\LimeWire
2009-02-25 06:19 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-26 00:47 120,320 ----a-w c:\windows\system32\LAGARITH.DLL
.
((((((((((((((((((((((((((((( snapshot@2009-01-11_16.00.39.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-28 11:00:09 73,728 ----a-w c:\windows\assembly\GAC_32\MWArray\2.0.0.0__e1d84a0da19db86f\MWArray.dll
+ 2009-01-26 00:20:41 53,248 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\AjaVideoProperties\8a84c4744e34b6918cdc7da972e08461\AjaVideoProperties.ni.dll
+ 2009-01-26 00:20:48 74,752 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\ControlLibrary\591d1bc77dce0e2c5da89868d00cdb93\ControlLibrary.ni.dll
+ 2009-01-26 00:20:46 1,165,824 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\CoreGraphics.XmlSer#\c13abcc3ca79068385a67277f9774bb1\CoreGraphics.XmlSerializers.ni.dll
+ 2009-01-26 00:20:44 1,523,712 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\CoreGraphics\e4360641cb4784e758bcb29c628a0735\CoreGraphics.ni.dll
+ 2009-01-26 00:20:41 120,320 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\CorePrimitives\42638bf168d4cba4b302b438285a076c\CorePrimitives.ni.dll
+ 2009-01-26 00:20:48 809,984 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\CoreUI.XmlSerialize#\6b0ce91b1cc2fbd6100d967959a42c7a\CoreUI.XmlSerializers.ni.dll
+ 2009-01-26 00:20:46 324,608 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\CoreUI\482402185e1fad730cfca4ef3e59bd4a\CoreUI.ni.dll
+ 2009-01-26 00:20:50 44,544 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Interop\d53d051c57c688a5e9c61e027addd086\Interop.ni.dll
+ 2009-01-26 00:20:40 643,584 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Sony.Capture\1b5144364ed26275c1e0afba51fc3428\Sony.Capture.ni.dll
+ 2009-01-26 00:20:39 278,016 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Sony.MediaSoftware.#\fb1398494fe61a2fe910a7480c7e1155\Sony.MediaSoftware.ExternalVideoDevice.ni.dll
+ 2009-01-26 00:20:40 222,208 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Sony.Vegas.NetRender\fbe35570e844f12423434f6534f49560\Sony.Vegas.NetRender.ni.dll
+ 2009-01-26 00:20:38 868,864 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Sony.Vegas\7899c329bf3a25c31273a74f7bc85767\Sony.Vegas.ni.dll
+ 2009-01-26 00:20:49 1,363,456 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WidgetLibrary\655575a6e1ab3455160bda48dbb14c70\WidgetLibrary.ni.dll
- 2005-10-20 09:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 10:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-30 21:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-30 22:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2000-08-30 21:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-30 22:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2006-09-28 09:52:18 655,360 ----a-w c:\windows\system32\CDDBControl.dll
+ 2006-09-28 09:52:18 98,304 ----a-w c:\windows\system32\CddbLangDE.dll
+ 2006-09-28 09:52:18 98,304 ----a-w c:\windows\system32\CddbLangES.dll
+ 2006-09-28 09:52:18 98,304 ----a-w c:\windows\system32\CddbLangFR.dll
+ 2006-09-28 09:52:18 102,400 ----a-w c:\windows\system32\CddbLangIT.dll
+ 2006-09-28 09:52:18 77,824 ----a-w c:\windows\system32\CddbLangJA.dll
+ 2006-09-28 09:52:18 98,304 ----a-w c:\windows\system32\CddbLangNL.dll
+ 2006-09-28 09:52:18 765,952 ----a-w c:\windows\system32\CDDBUI.dll
+ 2007-04-23 16:08:52 81,688 ----a-w c:\windows\system32\drivers\nltdi.sys
- 2009-01-06 07:53:31 95,072 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-24 09:46:30 1,975,928 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2004-05-04 09:53:40 1,645,320 ----a-w c:\windows\system32\GDIPLUS.DLL
+ 2007-12-13 13:57:22 135,168 ----a-w c:\windows\system32\java.exe
+ 2007-12-13 13:57:24 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2007-12-13 14:59:16 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2006-09-28 09:53:16 499,712 ----a-w c:\windows\system32\msvcp71.dll
+ 2006-09-28 09:53:16 344,064 ----a-w c:\windows\system32\msvcr70.dll
- 2009-01-06 01:26:35 67,818 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-28 23:23:07 68,508 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-06 01:26:35 433,042 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-28 23:23:07 434,270 ----a-w c:\windows\system32\perfh009.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Steam"="d:\program files\steam\steam.exe" [2008-10-08 1410296]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"d:\program files\NetMeter\NetMeter.exe"="d:\program files\NetMeter\NetMeter.exe" [2007-08-11 331264]
"Fraps"="d:\fraps\FRAPS.EXE" [2008-01-14 3182248]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-07-28 110592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-26 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-04-26 86016]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2007-07-05 1040384]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"DirectMessenger"="c:\program files\ASUS\ASUS Direct Console\LCMP.EXE" [2006-10-24 986624]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"ATKHOTKEY"="c:\program files\ATK Hotkey\Hcontrol.exe" [2007-10-16 229376]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-07-26 90112]
"Copperhead"="d:\program files\Razer\Copperhead\razerhid.exe" [2005-11-25 155648]
"CTAPR2"="c:\program files\Creative\Sound Blaster X-Fi\Console Launcher\CTAPR2.exe" [2007-02-15 57344]
"NotebookHardwareControl"="c:\program files\Notebook Hardware Control\nhc.exe" [2007-05-04 2629632]
"Hronos"="d:\program files\Hronos.exe" [2007-08-04 380928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"RTHDCPL"="RTHDCPL.EXE" [2008-06-13 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-04-26 c:\windows\system32\nwiz.exe]
"SPIRun"="SPIRun.dll" [2006-11-29 c:\windows\system32\SPIRun.dll]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\JQ\Start Menu\Programs\Startup\
Creative Console Launcher.lnk - c:\program files\Creative\Sound Blaster X-Fi\Console Launcher\ConsoLCu.exe [11/25/2008 9:12:09 PM 217088]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [8/2/2007 6:41:52 PM 2760704]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.LAGS"= lagarith.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Program Files\\Steam\\SteamApps\\iguessnoonehasthisname\\team fortress 2\\hl2.exe"=
"d:\\Program Files\\Steam\\SteamApps\\iguessnoonehasthisname\\source 2007 dedicated server\\srcds.exe"=
"d:\\Program Files\\Steam\\SteamApps\\iguessnoonehasthisname\\diprip warm up\\hl2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"d:\\Seperate\\ZZ\\dls\\Condition Zero\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Steam\\SteamApps\\iguessnoonehasthisname\\half-life 2 deathmatch\\hl2.exe"=
"d:\\Program Files\\Steam\\SteamApps\\aishiteru00\\counter-strike source\\hl2.exe"=
"d:\\Program Files\\mIRC\\mirc.exe"=
"d:\\Program Files\\Steam\\steam.exe"=
"d:\\Program Files\\Steam\\SteamApps\\iguessnoonehasthisname\\synergy\\hl2.exe"=
"d:\\Program Files\\Steam\\SteamApps\\iguessnoonehasthisname\\synergy dedicated server\\srcds.exe"=
"c:\\Program Files\\ASUS\\Power4 Gear\\BatteryLife.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"d:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\TosBtMng.exe"=
"c:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\TosBtHSP.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\S24EvMon.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\EvtEng.exe"=
"c:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\TosBtSrv.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\iFrmewrk.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\Dot1XCfg.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\RegSrvc.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"d:\\Program Files\\Hronos.exe"=
"d:\\Program Files\\Razer\\Copperhead\\razerhid.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"d:\\Program Files\\NetMeter\\NetMeter.exe"=
"c:\\WINDOWS\\RTHDCPL.exe"=
"c:\\Program Files\\Notebook Hardware Control\\nhc.exe"=
"c:\\Program Files\\Creative\\Sound Blaster X-Fi\\Console Launcher\\ConsoLCu.exe"=
"d:\\Program Files\\Razer\\Copperhead\\razertra.exe"=
"d:\\Program Files\\Razer\\Copperhead\\razerofa.exe"=
"d:\\Fraps\\fraps.exe"=
"c:\\Program Files\\ASUS\\ATK Media\\DMedia.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Program Files\\Steam\\SteamApps\\iguessnoonehasthisname\\zombie panic! source\\hl2.exe"=
"d:\\Program Files\\Steam\\SteamApps\\iguessnoonehasthisname\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [4/24/2007 2:08:52 AM 81688]
R3 t3;SB Xtreme Audio Notebook;c:\windows\system32\drivers\t3.sys [11/25/2008 9:13:01 PM 735744]
R3 t3filt;t3filt;c:\windows\system32\drivers\t3filt.sys [11/25/2008 9:13:02 PM 1656960]
R3 UsbFltr;Razer Copperhead Driver;c:\windows\system32\drivers\copperhd.sys [6/29/2008 10:36:16 PM 11596]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\JQ\Application Data\Mozilla\Firefox\Profiles\pjedk1f1.default\
FF - prefs.js: browser.startup.homepage - hxxps://sso.portal.unimelb.edu.au/UnimelbSSO/login.jsp?site2pstoretoken=v1.2~AD64F60A~537231D0B104C8661296CC1C12FDD6EF5D7B12644615036B135799B6337DDC9D7CA68C6A8C0363156D3D841E10C65F7CAFC6D3FC3F02998643B94EE65C8589F4564D40D15B76656B1874583784266713AE85B315F0E1413A93EBD642E80E3DCD1FE43A40204AD2490FAF9A95FDEABC4BC89864FD71EFA6001A9542036CD46F1098A18E75470230D5D14427ED4643773F6DE46AC6D1BEBE333AE31B7B446203898276C3FA2E2F48C387BAE00FD447C701474AF3D58F4EDC516262110AC4C3B1B4066A8A623317A4A65D7E0CA49B87643A26AD7044E6CE4B6C2D15AD10829CBA0633A0C7A70788F2BA&p_error_code=&p_submit_url=https%3A%2F%2Fsso.portal.unimelb.edu.au%2Fsso%2Fauth&p_cancel_url=https%3A%2F%2Fapp.portal.unimelb.edu.au%2Fportal%2Fpls%2Fportal%2FPORTAL.home&ssousername=
FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 13:01:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SPIRun = Rundll32 SPIRun.dll,RunDLLEntry?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1024)
c:\windows\system32\netprovcredman.dll
.
Completion time: 2009-03-31 13:01:47
ComboFix-quarantined-files.txt 2009-03-31 03:01:45
ComboFix2.txt 2009-01-15 23:26:42
ComboFix3.txt 2009-01-15 05:19:09
ComboFix4.txt 2009-01-15 00:53:13
ComboFix5.txt 2009-03-31 02:59:35
Pre-Run: 7,178,686,464 bytes free
Post-Run: 7,284,629,504 bytes free