Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal >
Windows Explorer suddenly slow... (In Progress)

MobiusJedi
Member with 101 posts.
Join Date: Jan 2010
Location: Michigan, US
Experience: I usually figure it out
25-Jan-2010, 04:03 AM #1
Windows Explorer suddenly slow...
Starting without warning about a week ago, Windows Explorer takes an average of 30 seconds to browse through drives/folders. It doesn't matter what folder, if the folder pane is open or not, or how Explorer is accessed; any program I use that needs to open or save a file opens the drives just as slowly. Expanding the file tree is just as slow, if not slower, than opening each folder.

For the past week, I've been trying to find a solution to this problem. I've searched with Avast and Spybot S&D - all clean. I ran check disk on every partition - including my external. I defragged recently.

Killing the process helps, but browsing folders still takes several seconds when explorer is rerun. It seems about 50% of the time memory usage is normal while running explorer, the other 50% of the time physical memory bottoms out. When the latter happens and I open task manager, sometimes explorer shows the memory usage, but usually the numbers only add up to a few hundred Meg of memory being used even though over a Gig of physical memory is in use. I tried a couple other tricks that apparently solved similar problems around the net; deleting/moving "local settings/application data/microsoft/windows" worked the first time, deleting prefetch entry for explorer did nothing.

I logged onto a secondary user account (they're both admin), and for the first few sessions Explorer worked great. (Firefox runs faster too, but that might just be because it's an emptier profile.) The last session on the secondary account had Explorer running just as slow.

This is ridiculously frustrating, any ideas? I really don't want to start from scratch, and I'm not excited at the prospect of a repair reinstall if I can do something else first.

EDIT: Recent developments.

I decided to try a repair install of Windows anyway, but the problem persists. However, I noticed while using MediaMonkey that MediaMonkey's own built-in browser works just fine.

Last edited by MobiusJedi; 25-Jan-2010 at 09:34 PM..
techkid
Senior Member with 2,288 posts.
Join Date: Sep 2004
Location: Sydney, Australia
Experience: Fix it until it's broken
25-Jan-2010, 06:35 AM #2
To assist in your problem, we need you to download HijackThis (http://www.trendsecure.com/portal/en...HJTInstall.exe). Install the program (it will save to C:\Program Files\Trend Micro\HijackThis), run it, and select 'Scan'. Do not fix anything yet, just select 'Save log', and copy the contents of the log to your next post. A security expert will be along to check the log. Please be patient.

If, after 48 hours, you have not received a response, click on the 'Report' button at the bottom of your post, and ask politely to have the post moved to the Malware Removal forum.
__________________
Like anime? Join the TSG Anime Fan Club
Most computer problems are found between the chair and the keyboard.
SUPERAntiSpyware, AVG Antivirus, ZoneAlarm Firewall, Spybot S&D, MBAM, HijackThis
MobiusJedi
Member with 101 posts.
Join Date: Jan 2010
Location: Michigan, US
Experience: I usually figure it out
25-Jan-2010, 09:45 PM #3
HiJack Log
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 8:41:32 PM, on 1/25/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\OpenDrive\OpenDrive_Tray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\tbctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\NinjaProof\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\Winwall\Winwall.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8118
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [delayedExecApp] C:\Program Files\DelayedExec\delayedExec.exe /exec
O4 - HKLM\..\Run: [DVDTray] "D:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "D:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [OpenDrive Tray] C:\Program Files\OpenDrive\OpenDrive_Tray.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SmartRAM] "C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" /m
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\NinjaProof\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - Startup: Winwall Autostart.lnk = D:\Program Files\Winwall\Winwall.exe
O4 - Global Startup: Winwall Autostart.lnk = D:\Program Files\Winwall\Winwall.exe
O8 - Extra context menu item: &Search - ?p=GRman000
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0080B870-D8CA-4B9A-88F7-DAAEA6D1D1A4}: NameServer = 85.255.112.100;85.255.112.217
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\iEvony\Skype4COM.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL,wbsys.dll C:\PROGRA~1\Google\GOOGLE~4\GoogleDesktopNetwork3.dll
O20 - Winlogon Notify: efcARjKa - efcARjKa.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Traffic Shaper XP Server (bcserver) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c9eee0858e47e0) (gupdate1c9eee0858e47e0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10393 bytes
Phantom010
Trusted Advisor with 24,929 posts.
Join Date: Mar 2009
Location: Cyberspace
Experience: Advanced
25-Jan-2010, 10:13 PM #4
Your computer is infected. Please click on the Report button and kindly ask to be moved to the Malware Removal & HijackThis Logs forum. From there, be patient. You should get an answer within the next 48 hours. These guys are really busy!
Rollin' Rog
Distinguished Member with 46,024 posts.
Join Date: Dec 2000
Location: North of Hollywoodland
Experience: I know when to fold em'
26-Jan-2010, 02:29 PM #5
Try deleting this with HijackThis, reboot and post another log.

O20 - Winlogon Notify: efcARjKa - efcARjKa.dll (file missing)

I would also disable or uninstall this program, even though it appears non malicious >>

O4 - Startup: Winwall Autostart.lnk = D:\Program Files\Winwall\Winwall.exe
O4 - Global Startup: Winwall Autostart.lnk = D:\Program Files\Winwall\Winwall.exe


Also (with special attention to item 6) >>

PERFORMANCE QUESTIONS:

0 > when did the problem seem to begin?
1 > is it very slow to boot up?
2 > do programs open slowly?
3 > does the same behavior occur both on and off the internet. Or with no connection at all?
4 > does it matter how long the system has been on, and does a restart improve things?

Slow performance issues can often be due to overheating, so if the system is faster after it has been shut down for a while and then restarted -- that would be especially suspect. To check for possible problems here, shut down, open the case and blow out any accumulated dust. Then turn it on and check to see that the fan is working. Sometimes it helps to physically clean the fan.

If a laptop, check to see that the vent is clear of dust and verify the fan is working. Temps and fan speed can usually be monitored with SpeedFan (except on Dell desktops), a free utility.

5 > if you do a ctrl-alt-del, do any processes show excess CPU usage, other than System Idle Process?

6 > If you open the Device Manager (run devmgmt.msc) and select the entry for IDE ATA/Atapi and select the Primary IDE > Advanced Settings, does it say the "current transfer mode" is Ultra DMA or PIO?

If it says PIO or even just DMA (rather than "ULTRA" DMA), first ensure "Use DMA if Available" is selected, then select the Driver tab and uninstall the driver and reboot. Then check again.

Alternately you can run the script on this page >> http://winhlp.com/node/10

*note that the above will not apply to RAID drive configurations.
___________________________________________________________________________
COMMIT CHARGE

Do ctrl-alt-del to open up the task manager. Select the "performance" tab. Let me know what you see under:

Physical Memory

Total: this is your total installed RAM -- "physical" memory
Available: this is the amount of real "physical" memory presently uncommitted

Commit Charge

Total: this is the combination of total physical and virtual memory currently in use
Limit: this is the total physical and virtual memory available
Peak: this is the most you have had in use in this session
MobiusJedi
Member with 101 posts.
Join Date: Jan 2010
Location: Michigan, US
Experience: I usually figure it out
26-Jan-2010, 03:37 PM #6
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 2:34:51 PM, on 1/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DelayedExec\delayedExec.exe
D:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\OpenDrive\OpenDrive_Tray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\tbctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\NinjaProof\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Program Files\Winwall\Winwall.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8118
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [delayedExecApp] C:\Program Files\DelayedExec\delayedExec.exe /exec
O4 - HKLM\..\Run: [DVDTray] "D:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "D:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [OpenDrive Tray] C:\Program Files\OpenDrive\OpenDrive_Tray.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SmartRAM] "C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" /m
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\NinjaProof\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - Startup: Winwall Autostart.lnk = D:\Program Files\Winwall\Winwall.exe
O4 - Global Startup: Winwall Autostart.lnk = D:\Program Files\Winwall\Winwall.exe
O8 - Extra context menu item: &Search - ?p=GRman000
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0080B870-D8CA-4B9A-88F7-DAAEA6D1D1A4}: NameServer = 85.255.112.100;85.255.112.217
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\iEvony\Skype4COM.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL,wbsys.dll C:\PROGRA~1\Google\GOOGLE~4\GoogleDesktopNetwork3.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Traffic Shaper XP Server (bcserver) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c9eee0858e47e0) (gupdate1c9eee0858e47e0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10226 bytes
MobiusJedi
Member with 101 posts.
Join Date: Jan 2010
Location: Michigan, US
Experience: I usually figure it out
26-Jan-2010, 04:02 PM #7
Quote:
Originally Posted by Rollin' Rog
Try deleting this with HijackThis, reboot and post another log.

O20 - Winlogon Notify: efcARjKa - efcARjKa.dll (file missing)
Done. It takes 5-10 seconds each click instead of 15-30; startup is just as slow.

Quote:
I would also disable or uninstall this program, even though it appears non malicious >>

O4 - Startup: Winwall Autostart.lnk = D:\Program Files\Winwall\Winwall.exe
O4 - Global Startup: Winwall Autostart.lnk = D:\Program Files\Winwall\Winwall.exe
Well, I've never had a problem with Winwall in the several years I've used it, but I'll disable it in the meantime.

0 > about a week ago
1 > only once the ui initializes (taskbar, desktop)
2 > everything except explorer runs fine until the program needs to open or save via explorer
3 > disabled connection and I think there was a slight improvement, not much
4 > makes no difference either which way

(I dust with a can of air on a fairly regular basis)

5 > Explorer takes 70-95 CPU and reaches 160,000k mem. Firefox, svchost, and vsmon all sit at around 30,000k without taking up much CPU. After the Explorer window has been closed, Task Manager's processes don't account for the low available physical mem, i.e. the explorer process is back down to 5000k, but physical mem shows 400,000k available when there should be about 800,000k free.

6 > "DMA if available" already selected, uninstalled, rebooted, no change.

___________________________________________________________________________
COMMIT CHARGE

Physical Memory

Total: 1310196
Available: 400000

Commit Charge

Total: 1250000
Limit: 3127808
Peak: 1264140

Last edited by MobiusJedi; 26-Jan-2010 at 08:05 PM.. Reason: result of reboot
MobiusJedi
Member with 101 posts.
Join Date: Jan 2010
Location: Michigan, US
Experience: I usually figure it out
26-Jan-2010, 08:07 PM #8
Well, after getting rid of the O20 entry, I can live with the 5 seconds or so to navigate Explorer for now. If I need to start from scratch, I'll actually be able to back up files without that ridiculous 15-second wait every time I click on a folder.
dvk01
Moderator & Malware Removal Specialist with 37,220 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
27-Jan-2010, 04:41 AM #9
You have malware, including a rootkit and a DNS diverter to divert your searches.

Step 1

Please download Malwarebytes' Anti-Malware to your desktop
from HERE or HERE

Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please include this log in your next reply.

It might ask you to reboot to finish cleaning. Please do so. (Press YES on the alert.)
If you receive an (Error Loading xxxxxxxxxx .dll) error on reboot, please reboot a second time. It is normal for this error to occur once, and it does not need to be reported unless it continues on every boot.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
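The two log entries the helpers single out above (the O17 NameServer line pointing at servers on the public internet, and the O20 Winlogon Notify entry whose DLL is missing) can be picked out of a HijackThis log mechanically. The script below is an added example, not part of this thread or of HijackThis; its sample lines are a constructed excerpt copied from the log posted above, and the rule that any static DNS server outside the private address ranges deserves a look is an assumption made for the example, not a rule stated in the thread.

```python
"""Triage a HijackThis log for the entry types called out in this thread.

Added example, not part of the original thread or of HijackThis itself.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few lines copied from the HijackThis log posted in the
# thread (raw string, so the single backslashes in the paths stay literal).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{0080B870-D8CA-4B9A-88F7-DAAEA6D1D1A4}: NameServer = 85.255.112.100;85.255.112.217
O20 - Winlogon Notify: efcARjKa - efcARjKa.dll (file missing)
O23 - Service: Traffic Shaper XP Server (bcserver) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O17"
    reason: str    # why a human should look at this line
    line: str      # the log line itself


def _is_private(address: str) -> bool:
    """True for RFC 1918 / loopback / link-local addresses, False otherwise
    (and False for anything that is not an IP address at all)."""
    try:
        return ipaddress.ip_address(address).is_private
    except ValueError:
        return False


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.strip()
    # O17: per-interface DNS servers written into the TCP/IP registry key.
    # Assumption for this example: a home machine is expected to use its
    # router (a private address) or DHCP, so any static public DNS server
    # is worth a second look, as the 85.255.x.x pair in this thread was.
    if line.startswith("O17 - "):
        match = re.search(r"NameServer = (.+)$", line)
        if match:
            servers = [s.strip() for s in re.split(r"[;,]", match.group(1)) if s.strip()]
            public = [s for s in servers if not _is_private(s)]
            if public:
                return Finding("O17", "static DNS server(s) outside private ranges: " + ", ".join(public), line)
    # O20 Winlogon Notify: DLLs loaded by winlogon at logon. An entry whose
    # DLL no longer exists is either a leftover or a removed component's hook.
    if line.startswith("O20 - Winlogon Notify:") and "(file missing)" in line:
        return Finding("O20", "Winlogon Notify DLL is missing on disk", line)
    # O23 services whose binary is absent: same reasoning as above.
    if line.startswith("O23 - Service:") and "(file missing)" in line:
        return Finding("O23", "service binary is missing on disk", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the hits, in order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}\n    {finding.line}")
```

Run against the full log posted in this thread, the script flags exactly the O17 and O20 lines the helpers asked about, plus the bcserver service whose binary is absent.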
MobiusJedi
Member with 101 posts.
Join Date: Jan 2010
Location: Michigan, US
Experience: I usually figure it out
27-Jan-2010, 07:29 PM #10
Malwarebytes' Anti-Malware 1.44
Database version: 3644
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/27/2010 4:17:36 AM
mbam-log-2010-01-27 (04-17-36).txt

Scan type: Quick Scan
Objects scanned: 126853
Time elapsed: 13 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 23
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{913e6282-7eb9-11d2-b1a6-208761c10000} (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{913e6283-7eb9-11d2-b1a6-208761c10000} (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{913e6284-7eb9-11d2-b1a6-208761c10000} (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{913e6285-7eb9-11d2-b1a6-208761c10000} (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{913e6286-7eb9-11d2-b1a6-208761c10000} (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\xml2u (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0080b870-d8ca-4b9a-88f7-daaea6d1d1a4}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.100;85.255.112.217 -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Uninstall Fun Web Products.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Explorer.ocx (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

After reboot, the problem persisted, so I did a deep scan overnight:

Malwarebytes' Anti-Malware 1.44
Database version: 3644
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/27/2010 5:47:53 PM
mbam-log-2010-01-27 (17-47-53).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 512844
Time elapsed: 4 hour(s), 14 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Mobius\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_002862 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Windows Live\Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCB3BE07-23DE-4134-87E0-2FC24C80B7A0}\RP14\A0007558.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
D:\audio\ReValver\REVALV~1.EXE (Malware.Packer) -> Quarantined and deleted successfully.
D:\Cakewalk\VstPlugins\VstPlugins\Nomad Factory RAL\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
D:\Cakewalk\VstPlugins\VstPlugins\Princeton Digital\2016 Stereo Room\2016 Stereo Room Uninstall\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
D:\FLStudio7\Plugins\VST\Princeton Digital\2016 Stereo Room\2016 Stereo Room Uninstall\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
D:\Program Files\IK Multimedia\AmpliTube\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
D:\Program Files\VstPlugins\Nomad Factory RAL\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
D:\Program Files\VstPlugins\Princeton Digital\2016 Stereo Room\2016 Stereo Room Uninstall\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.

Explorer takes from several seconds to over a minute to browse folders.
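Reading two MBAM logs like the ones above by hand is error-prone: the detections that matter for the symptoms (a DNSChanger entry rewriting an interface's NameServer value, a modified regfile open command) sit among adware stats keys and packer-only heuristic hits. The following is an added example, not code from this thread or from Malwarebytes, of a small triage script for the MBAM 1.x log format shown in the post; the sample log embedded in it is constructed from lines of the logs above, and the helper names (parse_mbam_log, rogue_dns_servers, packer_only_hits, triage) are my own.

```python
"""Triage helper for Malwarebytes' Anti-Malware (MBAM) 1.x text logs.

Added example, not code from the thread or from Malwarebytes. It parses the
detection lines of a log in the format posted above, tallies them by threat
family, extracts the rogue DNS servers a DNSChanger entry wrote into a
NameServer value, and sets aside packer-only heuristic hits for manual review.
"""
import re
from collections import Counter

# Constructed sample in the shape of the logs above (values copied from them).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3644

Scan type: Quick Scan
Objects scanned: 126853

Registry Keys Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0080b870-d8ca-4b9a-88f7-daaea6d1d1a4}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.100;85.255.112.217 -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\Explorer.ocx (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
D:\audio\ReValver\REVALV~1.EXE (Malware.Packer) -> Quarantined and deleted successfully.
D:\Program Files\IK Multimedia\AmpliTube\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
"""

HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
# The threat family is the last parenthesised token before the first " -> ";
# the item itself may contain parentheses, e.g. "...\command\(default)".
FAMILY_RE = re.compile(r"^(?P<item>.*\S)\s+\((?P<family>[^()]+)\)$")


def parse_detection(line, section):
    """Split one 'item (Family) -> [Data: ...] -> action' line into a dict."""
    parts = line.split(" -> ")
    m = FAMILY_RE.match(parts[0])
    if not m:
        return None
    data = None
    for part in parts[1:]:
        if part.startswith("Data: "):
            data = part[len("Data: "):]
    return {"section": section, "item": m.group("item"),
            "family": m.group("family"), "data": data, "action": parts[-1]}


def parse_mbam_log(text):
    """Return (header fields, list of detections) for an MBAM 1.x log."""
    header, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2)
        elif line.endswith(" Infected:"):          # section title, not the count line
            section = line[:-1]
        elif section and " -> " in line:           # skips "(No malicious items detected)"
            d = parse_detection(line, section)
            if d:
                detections.append(d)
    return header, detections


def family_counts(detections):
    return Counter(d["family"] for d in detections)


def rogue_dns_servers(detections):
    """IPs a DNSChanger detection recorded in an interface's NameServer value."""
    servers = []
    for d in detections:
        if (d["family"] == "Trojan.DNSChanger" and d["data"]
                and d["item"].endswith("\\NameServer")):
            servers.extend(ip for ip in d["data"].split(";") if ip)
    return servers


def packer_only_hits(detections):
    """Items flagged on a packer signature alone; review before trusting them."""
    return [d["item"] for d in detections if d["family"].startswith("Malware.Packer")]


def triage(text):
    header, detections = parse_mbam_log(text)
    return {"scan_type": header.get("Scan type"), "total": len(detections),
            "families": family_counts(detections),
            "rogue_dns": rogue_dns_servers(detections),
            "packer_only": packer_only_hits(detections)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The useful outputs for a responder are the rogue_dns list, which gives the addresses to compare against the NameServer values still present on every interface after the cleanup (a restored value means the changer is still active), and the packer_only list, which separates generic packer hits from the named families so they can be checked rather than deleted blindly.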
dvk01
Moderator & Malware Removal Specialist with 37,220 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
28-Jan-2010, 03:41 AM #11
First restore these from MBAM quarantine, as they are not malicious and are only being detected on the packer, which often gets used by malware:

D:\audio\ReValver\REVALV~1.EXE (Malware.Packer) -> Quarantined and deleted successfully.
D:\Cakewalk\VstPlugins\VstPlugins\Nomad Factory RAL\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
D:\Cakewalk\VstPlugins\VstPlugins\Princeton Digital\2016 Stereo Room\2016 Stereo Room Uninstall\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
D:\FLStudio7\Plugins\VST\Princeton Digital\2016 Stereo Room\2016 Stereo Room Uninstall\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
D:\Program Files\IK Multimedia\AmpliTube\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
D:\Program Files\VstPlugins\Nomad Factory RAL\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
D:\Program Files\VstPlugins\Princeton Digital\2016 Stereo Room\2016 Stereo Room Uninstall\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.

then

Delete any existing version of ComboFix you have sitting on your desktop
Please read and follow all these instructions very carefully

Download ComboFix from Here to your Desktop.

**Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results" or stop ComboFix running at all.
  • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running ComboFix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again after ComboFix has finished.
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running.
Double-click on combofix.exe & follow the prompts.
If you are using Windows XP, it might display a pop-up saying "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" for further review.


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

Last edited by dvk01; 28-Jan-2010 at 03:48 AM..
MobiusJedi
Member with 101 posts.
Join Date: Jan 2010
Location: Michigan, US
Experience: I usually figure it out
28-Jan-2010, 06:59 AM #12
ComboFix 10-01-27.03 - NinjaProof 01/28/2010 4:42.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.814 [GMT -5:00]
Running from: c:\documents and settings\NinjaProof\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100127-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NinjaProof\Application Data\inst.exe
c:\windows\CouponPrinter.ocx
J:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-28 )))))))))))))))))))))))))))))))
.

2010-01-27 10:51 . 2010-01-27 10:51 -------- d-----w- c:\program files\Common Files\Java
2010-01-27 08:58 . 2010-01-27 08:58 -------- d-----w- c:\documents and settings\NinjaProof\Application Data\Malwarebytes
2010-01-27 08:58 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-27 08:58 . 2010-01-27 08:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-27 08:58 . 2010-01-27 08:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-27 08:58 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 02:38 . 2004-08-04 12:00 403 -c----w- c:\windows\system32\dllcache\npdrmv2.zip
2010-01-26 02:38 . 2004-08-04 12:00 22060 -c----w- c:\windows\system32\dllcache\npds.zip
2010-01-26 02:38 . 2009-07-31 15:05 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-01-26 02:38 . 2008-04-13 17:27 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-01-26 02:35 . 2008-04-14 00:12 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2010-01-26 01:36 . 2010-01-26 01:36 -------- d-----w- c:\program files\TrendMicro
2010-01-25 23:53 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-25 23:53 . 2009-12-21 19:14 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-25 23:53 . 2009-12-21 19:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-25 23:53 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-25 23:53 . 2009-12-21 19:14 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-25 23:53 . 2009-12-21 19:14 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-25 22:27 . 2010-01-25 22:27 -------- d-----w- c:\documents and settings\NinjaProof Shell
2010-01-25 22:10 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-01-25 22:03 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-01-25 22:03 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2010-01-25 22:03 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-25 22:02 . 2009-08-04 15:13 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-25 22:02 . 2009-08-04 14:20 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-25 22:02 . 2009-08-04 14:20 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-01-25 22:01 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-01-25 22:01 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-01-25 22:00 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-01-25 21:58 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-01-25 21:58 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-01-25 21:58 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-01-25 21:58 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-01-25 21:58 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-01-25 21:58 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-01-25 21:58 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2010-01-25 21:58 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-01-25 21:58 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-01-25 21:58 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-01-25 21:58 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-01-25 21:57 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-25 21:56 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-01-25 20:54 . 2004-08-04 12:00 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2010-01-25 20:54 . 2004-08-04 12:00 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2010-01-25 20:54 . 2004-08-04 12:00 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll
2010-01-25 20:54 . 2008-04-14 00:11 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll
2010-01-25 20:54 . 2008-04-14 00:11 426041 -c--a-w- c:\windows\system32\dllcache\voicepad.dll
2010-01-25 20:54 . 2008-04-14 00:11 76288 -c--a-w- c:\windows\system32\dllcache\uniime.dll
2010-01-25 20:54 . 2004-08-04 12:00 14336 -c--a-w- c:\windows\system32\dllcache\tsprof.exe
2010-01-25 20:54 . 2008-04-14 00:10 10240 -c--a-w- c:\windows\system32\dllcache\tmigrate.dll
2010-01-25 20:54 . 2004-08-04 12:00 455168 -c--a-w- c:\windows\system32\dllcache\tintsetp.exe
2010-01-25 20:54 . 2004-08-04 12:00 44032 -c--a-w- c:\windows\system32\dllcache\tintlphr.exe
2010-01-25 20:54 . 2004-08-04 12:00 185344 -c--a-w- c:\windows\system32\dllcache\thawbrkr.dll
2010-01-25 20:52 . 2001-08-18 03:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2010-01-25 20:51 . 2008-04-14 00:09 315455 -c--a-w- c:\windows\system32\dllcache\imskf.dll
2010-01-25 20:50 . 2004-08-04 12:00 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
2010-01-25 20:49 . 2001-08-18 03:36 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2010-01-25 20:49 . 2001-08-18 03:36 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2010-01-25 20:47 . 2010-01-25 20:47 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft
2010-01-25 20:45 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-01-25 20:26 . 2004-08-04 03:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2010-01-25 20:19 . 2010-01-25 21:23 -------- d--h--w- c:\documents and settings\Default User
2010-01-25 09:59 . 2010-01-25 09:59 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Winwall
2010-01-25 09:57 . 2010-01-25 09:57 -------- d-sh--w- c:\documents and settings\Ugh\IETldCache
2010-01-25 09:57 . 2010-01-25 11:06 -------- d-----w- c:\documents and settings\Ugh
2010-01-25 04:55 . 2010-01-25 04:55 -------- d-----w- c:\documents and settings\Mobius\Application Data\Shareaza
2010-01-25 04:55 . 2010-01-25 04:55 -------- d-----w- c:\documents and settings\Mobius\Application Data\Quintessential Player
2010-01-25 04:54 . 2010-01-25 04:54 -------- d-----w- c:\documents and settings\Mobius\Application Data\LimeWire
2010-01-25 04:54 . 2010-01-25 04:54 -------- d-----w- c:\documents and settings\Mobius\Application Data\Digsby
2010-01-25 04:53 . 2010-01-25 04:54 -------- d-----w- c:\documents and settings\Mobius\Local Settings\Application Data\Digsby
2010-01-25 04:52 . 2010-01-25 04:53 -------- d-----w- c:\documents and settings\Mobius\Application Data\Azureus
2010-01-25 04:48 . 2010-01-25 04:48 -------- d-----w- c:\documents and settings\Mobius\Application Data\Thunderbird
2010-01-25 04:47 . 2010-01-25 04:47 -------- d-----w- c:\documents and settings\Mobius\Local Settings\Application Data\MediaMonkey
2010-01-25 04:39 . 2010-01-25 06:04 -------- d-----w- c:\documents and settings\Mobius\Application Data\uTorrent
2010-01-25 04:24 . 2010-01-25 04:24 -------- d-----w- c:\documents and settings\Mobius\Application Data\Winwall
2010-01-14 11:47 . 2010-01-14 12:00 -------- d-----w- c:\documents and settings\NinjaProof\.pcgen
2010-01-14 11:41 . 2010-01-14 11:41 -------- d-----w- c:\documents and settings\NinjaProof\Application Data\NBOS
2010-01-14 11:07 . 2010-01-25 05:30 6160 ----a-w- c:\windows\system32\gadmsysw.dll
2010-01-14 11:03 . 2010-01-14 11:03 -------- d-----w- c:\documents and settings\NinjaProof\.chartool
2010-01-14 11:02 . 2010-01-14 11:01 286720 ----a-w- c:\windows\iun507.exe
2010-01-13 12:00 . 2001-02-25 08:45 22528 ----a-w- c:\windows\system32\ToolTip.dll
2010-01-13 12:00 . 2002-03-13 22:46 53248 ----a-w- c:\windows\system32\zlib.dll
2010-01-13 11:11 . 2010-01-13 11:11 -------- d-----w- c:\documents and settings\NinjaProof\.inittoolDbg
2010-01-13 11:02 . 2010-01-13 11:08 -------- d-----w- c:\documents and settings\NinjaProof\.maptool
2010-01-13 10:50 . 2010-01-13 11:19 249856 ----a-w- c:\windows\Setup1.exe
2010-01-13 10:50 . 2010-01-13 11:19 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-01-13 10:43 . 2010-01-13 10:43 -------- d-----w- c:\documents and settings\NinjaProof\.tokentool
2010-01-12 05:15 . 2010-01-12 05:16 -------- d-----w- c:\program files\GIMPshop
2010-01-07 12:36 . 2010-01-26 01:45 -------- d-----w- c:\program files\PlaySushi

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-28 10:00 . 2008-12-10 03:18 163712 ----a-w- c:\windows\system32\drivers\vidstub.sys
2010-01-28 09:41 . 2008-11-02 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-28 08:56 . 2009-03-31 21:26 -------- d-----w- c:\documents and settings\NinjaProof\Application Data\uTorrent
2010-01-27 22:50 . 2010-01-27 22:53 95744 ----a-w- c:\windows\Internet Logs\xDB91.tmp
2010-01-27 10:52 . 2010-01-27 10:52 61440 ----a-w- c:\documents and settings\NinjaProof\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1dfd042c-n\decora-sse.dll
2010-01-27 10:52 . 2010-01-27 10:52 503808 ----a-w- c:\documents and settings\NinjaProof\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3e45cd24-n\msvcp71.dll
2010-01-27 10:52 . 2010-01-27 10:52 348160 ----a-w- c:\documents and settings\NinjaProof\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3e45cd24-n\msvcr71.dll
2010-01-27 10:52 . 2010-01-27 10:51 499712 ----a-w- c:\documents and settings\NinjaProof\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3e45cd24-n\jmc.dll
2010-01-27 10:51 . 2010-01-27 10:51 12800 ----a-w- c:\documents and settings\NinjaProof\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1dfd042c-n\decora-d3d.dll
2010-01-27 10:49 . 2008-12-22 05:33 -------- d-----w- c:\program files\Java
2010-01-26 20:05 . 2010-01-26 20:06 37376 ----a-w- c:\windows\Internet Logs\xDB90.tmp
2010-01-26 19:27 . 2010-01-26 19:29 84992 ----a-w- c:\windows\Internet Logs\xDB8F.tmp
2010-01-26 12:39 . 2009-10-20 23:36 4036 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-26 01:36 . 2010-01-26 01:36 388096 ----a-r- c:\documents and settings\NinjaProof\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-26 00:26 . 2010-01-26 00:27 184320 ----a-w- c:\windows\Internet Logs\xDB8E.tmp
2010-01-25 20:43 . 2008-11-02 22:28 23392 -c--a-w- c:\windows\system32\emptyregdb.dat
2010-01-25 04:27 . 2008-11-03 03:57 -------- d-----w- c:\program files\RoughDraft
2010-01-24 16:31 . 2009-05-10 04:26 -------- d-----w- c:\documents and settings\NinjaProof\Application Data\U3
2010-01-23 00:03 . 2008-12-13 23:32 31595008 -c--a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-01-21 22:56 . 2010-01-21 22:57 3842560 ----a-w- c:\windows\Internet Logs\xDB8D.tmp
2010-01-21 22:55 . 2010-01-21 22:57 74240 ----a-w- c:\windows\Internet Logs\xDB8C.tmp
2010-01-21 11:06 . 2009-11-02 02:46 -------- d-----w- c:\documents and settings\NinjaProof\Application Data\vlc
2010-01-21 00:41 . 2010-01-21 00:51 149504 ----a-w- c:\windows\Internet Logs\xDB8B.tmp
2010-01-19 14:48 . 2008-11-23 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-19 03:30 . 2009-07-25 23:24 -------- d-----w- c:\program files\QuickTime
2010-01-19 03:16 . 2009-06-28 23:21 129248 -c-ha-w- c:\windows\system32\mlfcache.dat
2010-01-17 13:10 . 2010-01-17 13:11 40448 ----a-w- c:\windows\Internet Logs\xDB89.tmp
2010-01-17 13:10 . 2010-01-17 13:11 3821056 ----a-w- c:\windows\Internet Logs\xDB8A.tmp
2010-01-17 02:26 . 2010-01-17 08:05 59904 ----a-w- c:\windows\Internet Logs\xDB88.tmp
2010-01-16 03:14 . 2010-01-16 03:15 92672 ----a-w- c:\windows\Internet Logs\xDB87.tmp
2010-01-13 08:25 . 2010-01-13 08:27 142336 ----a-w- c:\windows\Internet Logs\xDB85.tmp
2010-01-13 08:25 . 2010-01-13 08:27 3805184 ----a-w- c:\windows\Internet Logs\xDB86.tmp
2010-01-12 12:54 . 2008-12-02 09:19 -------- d-----w- c:\documents and settings\NinjaProof\Application Data\IObit
2010-01-12 12:54 . 2008-11-02 23:34 -------- d-----w- c:\program files\IObit
2010-01-10 02:01 . 2010-01-10 11:05 55808 ----a-w- c:\windows\Internet Logs\xDB84.tmp
2010-01-09 11:41 . 2010-01-09 11:43 74752 ----a-w- c:\windows\Internet Logs\xDB83.tmp
2010-01-08 00:22 . 2010-01-08 00:24 75776 ----a-w- c:\windows\Internet Logs\xDB82.tmp
2010-01-06 20:54 . 2010-01-06 20:57 74240 ----a-w- c:\windows\Internet Logs\xDB81.tmp
2010-01-04 22:50 . 2010-01-04 22:51 125440 ----a-w- c:\windows\Internet Logs\xDB80.tmp
2009-12-31 23:25 . 2009-12-31 23:27 374784 ----a-w- c:\windows\Internet Logs\xDB7F.tmp
2009-12-29 21:51 . 2009-12-13 12:09 900216 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-29 09:16 . 2009-03-29 16:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-27 22:15 . 2009-12-06 16:37 -------- d-----w- c:\program files\DelayedExec
2009-12-27 21:04 . 2009-09-21 20:51 -------- d-----w- c:\documents and settings\Mobius\Application Data\U3
2009-12-27 21:00 . 2009-09-21 20:52 191112 -c--a-w- c:\documents and settings\Mobius\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-24 15:01 . 2008-11-02 23:58 -------- d-----w- c:\program files\Google
2009-12-22 22:04 . 2010-01-25 05:00 188928 ----a-w- c:\documents and settings\Mobius\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\PlaySushiFF.dll
2009-12-22 22:04 . 2009-12-22 22:04 188928 ----a-w- c:\documents and settings\NinjaProof\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\PlaySushiFF.dll
2009-12-22 05:35 . 2009-12-22 05:35 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-21 19:14 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 18:31 . 2010-01-25 06:47 84480 ----a-w- c:\documents and settings\NinjaProof\Application Data\Mozilla\Firefox\Profiles\hp6fj2cn.Default User\extensions\{1BB22D38-A411-4B13-A746-C2A4F4EC7344}\components\Engine.dll
2009-12-18 18:31 . 2010-01-25 04:52 84480 ----a-w- c:\documents and settings\Mobius\Application Data\Mozilla\Firefox\Profiles\gtedhhj0.Johan\extensions\{1BB22D38-A411-4B13-A746-C2A4F4EC7344}\components\Engine.dll
2009-12-18 18:31 . 2010-01-14 07:04 84480 ----a-w- c:\documents and settings\NinjaProof\Application Data\Mozilla\Firefox\Profiles\gtedhhj0.Johan\extensions\{1BB22D38-A411-4B13-A746-C2A4F4EC7344}\components\Engine.dll
2009-12-18 11:46 . 2009-12-18 11:47 124928 ----a-w- c:\windows\Internet Logs\xDB7D.tmp
2009-12-18 11:46 . 2009-12-18 11:47 3724800 ----a-w- c:\windows\Internet Logs\xDB7E.tmp
2009-12-18 03:06 . 2009-12-18 03:06 -------- d-----w- c:\documents and settings\NinjaProof\Application Data\com.moasis
2009-12-18 02:53 . 2009-12-11 20:41 -------- d-----w- c:\program files\Music Oasis
2009-12-18 02:53 . 2009-12-18 02:53 -------- d-----w- c:\documents and settings\NinjaProof\Application Data\Titanium Gears
2009-12-17 22:14 . 2008-12-22 05:34 411368 -c--a-w- c:\windows\system32\deploytk.dll
2009-12-15 15:14 . 2009-12-15 20:28 144384 ----a-w- c:\windows\Internet Logs\xDB7B.tmp
2009-12-15 15:14 . 2009-12-15 20:28 3707392 ----a-w- c:\windows\Internet Logs\xDB7C.tmp
2009-12-15 02:23 . 2009-12-15 13:31 3715072 ----a-w- c:\windows\Internet Logs\xDB7A.tmp
2009-12-14 21:35 . 2009-12-14 21:31 -------- d-----w- c:\documents and settings\NinjaProof\Application Data\IcoFX
2009-12-14 21:31 . 2009-12-14 21:31 -------- d-----w- c:\program files\IcoFX 1.6
2009-12-14 19:39 . 2009-10-14 00:37 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-12-14 19:15 . 2009-12-14 19:15 2146304 -c--a-w- c:\windows\system32\GPhotos.scr
2009-12-13 05:08 . 2009-12-13 05:08 152576 ----a-w- c:\documents and settings\NinjaProof\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-13 05:07 . 2009-12-13 05:07 79488 ----a-w- c:\documents and settings\NinjaProof\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-12 09:37 . 2009-12-12 17:10 104448 ----a-w- c:\windows\Internet Logs\xDB79.tmp
2009-12-11 21:43 . 2009-12-11 21:43 -------- d-----w- c:\documents and settings\NinjaProof\Application Data\inkscape
2009-12-11 20:43 . 2009-12-11 20:43 -------- d-----w- c:\program files\Freeze.com
2009-12-11 20:43 . 2009-12-11 20:40 -------- d-----w- c:\program files\Free Offers from Freeze.com
2009-12-11 20:40 . 2009-12-11 20:40 -------- d-----w- c:\documents and settings\NinjaProof\Application Data\blinkx
2009-12-11 20:40 . 2009-12-11 20:40 -------- d-----w- c:\program files\Blinkx
2009-12-10 21:26 . 2009-12-10 21:28 101888 ----a-w- c:\windows\Internet Logs\xDB77.tmp
2009-12-10 21:26 . 2009-12-10 21:28 3692032 ----a-w- c:\windows\Internet Logs\xDB78.tmp
2009-12-10 20:44 . 2009-12-10 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-12-10 07:12 . 2009-12-10 04:46 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-12-10 04:09 . 2009-11-22 03:50 -------- d-----w- c:\program files\Digsby
2009-12-09 19:24 . 2009-12-09 19:24 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-09 19:09 . 2008-11-03 01:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-09 09:09 . 2009-12-09 09:11 231424 ----a-w- c:\windows\Internet Logs\xDB76.tmp
2009-12-08 21:19 . 2008-12-10 05:53 -------- d-----w- c:\program files\Common Files\LightScribe
2009-12-08 19:58 . 2008-11-02 23:14 -------- d-----w- c:\documents and settings\NinjaProof\Application Data\Azureus
2009-12-08 04:00 . 2009-10-30 04:39 -------- d-----w- c:\documents and settings\NinjaProof\Application Data\Atari
2009-12-07 19:12 . 2009-12-07 01:47 125 ----a-w- C:\location.tmp
2009-12-06 16:37 . 2008-11-02 23:30 191112 -c--a-w- c:\documents and settings\NinjaProof\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-05 17:54 . 2009-12-05 22:32 193024 -c--a-w- c:\windows\Internet Logs\xDB74.tmp
2009-12-05 17:54 . 2009-12-05 22:32 3551744 -c--a-w- c:\windows\Internet Logs\xDB75.tmp
2009-12-04 23:23 . 2009-12-04 23:23 -------- d-----w- c:\program files\MSXML 6.0
2009-12-03 11:20 . 2009-12-03 11:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-03 11:18 . 2009-12-03 11:18 -------- d-----w- c:\program files\NOS
2009-12-03 11:09 . 2009-12-03 11:09 -------- d-----w- c:\program files\Secunia
2009-12-03 10:38 . 2009-12-03 10:38 228152 -c--a-w- c:\windows\system32\xa661491.exe
2009-12-03 10:38 . 2009-12-03 10:38 228152 -c--a-w- c:\windows\system32\xa661220.exe
2009-12-02 22:41 . 2009-03-30 23:44 -------- d-----w- c:\documents and settings\NinjaProof\Application Data\Audacity
2009-12-02 19:13 . 2009-12-02 19:14 3509248 -c--a-w- c:\windows\Internet Logs\xDB73.tmp
2009-12-02 19:13 . 2009-12-02 19:14 166912 -c--a-w- c:\windows\Internet Logs\xDB72.tmp
2009-12-01 01:56 . 2009-12-01 01:56 -------- d-----w- c:\program files\OpenDrive
2009-11-28 09:43 . 2009-11-28 09:45 332288 -c--a-w- c:\windows\Internet Logs\xDB71.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\OpenDrive_ShellOverlayIcon]
@="{3268FFAC-39F2-4058-BE09-7396DB121F4A}"
[HKEY_CLASSES_ROOT\CLSID\{3268FFAC-39F2-4058-BE09-7396DB121F4A}]
2009-09-30 07:55 1241600 ----a-w- c:\program files\OpenDrive\OpenDrive.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2009-02-19 202064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-02 39408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="c:\documents and settings\NinjaProof\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-27 133104]
"Pando"="c:\program files\Pando Networks\Pando\Pando.exe" [2009-07-08 4045496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-11-24 81000]
"BootSkin Startup Jobs"="c:\program files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 270336]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-10-29 86016]
"delayedExecApp"="c:\program files\DelayedExec\delayedExec.exe" [2009-09-27 45568]
"DVDTray"="d:\program files\HP DVD\Umbrella\DVDTray.exe" [2004-09-03 57344]
"DVDBitSet"="d:\program files\HP DVD\Umbrella\DVDBitSet.exe" [2003-12-18 184320]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"OpenDrive Tray"="c:\program files\OpenDrive\OpenDrive_Tray.exe" [2009-09-30 300544]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-06-16 30192]
"nwiz"="nwiz.exe" [2004-10-29 921600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"TraySantaCruz"="c:\windows\system32\tbctray.exe" [2001-12-16 290816]

c:\documents and settings\Mobius\Start Menu\Programs\Startup\
Winwall Autostart.lnk - d:\program files\Winwall\Winwall.exe [2002-11-22 1126400]

c:\documents and settings\NinjaProof\Start Menu\Programs\Startup\
Winwall Autostart.lnk - d:\program files\Winwall\Winwall.exe [2002-11-22 1126400]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Winwall Autostart.lnk - d:\program files\Winwall\Winwall.exe [2002-11-22 1126400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-09-16 13:44 174328 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"g:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"g:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"g:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/3/2008 5:08 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/3/2008 5:08 AM 20560]
R3 hhdusbh;USB Monitor Filter driver;c:\program files\HHD Software\USB Monitor\hhdusbh.sys [7/9/2004 2:45 PM 22304]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [6/23/2003 12:15 PM 144512]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [6/23/2003 12:15 PM 536768]
S0 gfcv;gfcv;c:\windows\system32\drivers\kmto.sys --> c:\windows\system32\drivers\kmto.sys [?]
S2 gupdate1c9eee0858e47e0;Google Update Service (gupdate1c9eee0858e47e0);c:\program files\Google\Update\GoogleUpdate.exe [6/16/2009 6:47 PM 133104]
S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/2/2008 7:00 PM 30192]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [12/4/2008 3:41 AM 27904]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 7:20 AM 12648]
S3 viafilter;VIA USB Filter;c:\windows\system32\drivers\viausb1.sys [12/23/2008 3:04 AM 9728]
S3 vtdg46xx;vtdg46xx;c:\progra~1\Turtle Beach\Santa Cruz\Control Panel\vtdg46xx.sys [6/13/2003 4:45 PM 19232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-02 02:56]

2010-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-16 23:46]

2010-01-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-16 23:46]

2010-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-492894223-1060284298-1004Core.job
- c:\documents and settings\NinjaProof\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-02 10:34]

2010-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-492894223-1060284298-1004UA.job
- c:\documents and settings\NinjaProof\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-02 10:34]

2010-01-19 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-01-12 20:30]
MobiusJedi (Member, 101 posts; Join Date: Jan 2010; Location: Michigan, US)
28-Jan-2010, 07:00 AM #13
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = 127.0.0.1:8118
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - ?p=GRman000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download Link Using Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm
FF - ProfilePath - c:\documents and settings\NinjaProof\Application Data\Mozilla\Firefox\Profiles\hp6fj2cn.Default User\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: keyword.URL - hxxp://www.greatsearchnow.com/greatsearch.aspx?category=web&Toolbar_Id={D293E312-6D0B-17B8-6516-9F6058EEC9AC}&query=
FF - component: c:\documents and settings\NinjaProof\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\PlaySushiFF.dll
FF - component: c:\documents and settings\NinjaProof\Application Data\Mozilla\Firefox\Profiles\hp6fj2cn.Default User\extensions\{1BB22D38-A411-4B13-A746-C2A4F4EC7344}\components\Engine.dll
FF - component: c:\documents and settings\NinjaProof\Application Data\Mozilla\Firefox\Profiles\hp6fj2cn.Default User\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\NinjaProof\Application Data\Mozilla\Firefox\Profiles\hp6fj2cn.Default User\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\documents and settings\NinjaProof\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\NPPandBr.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: d:\program files\VideoLAN\VLC\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-28 04:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\bcserver]
"ImagePath"="c:\program files\Traffic Shaper XP Server\bcserver.service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)
c:\windows\system32\Ati2evxx.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

- - - - - - - > 'explorer.exe'(2828)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Unlocker\UnlockerHook.dll
c:\program files\OpenDrive\OpenDrive.dll
c:\program files\OpenDrive\libcurl.dll
c:\program files\OpenDrive\LIBEAY32.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\OpenDrive\SSLEAY32.dll
c:\program files\OpenDrive\libssh2.dll
c:\program files\OpenDrive\zlibwapi.dll
c:\program files\OpenDrive\boost_filesystem-vc90-mt-1_35.dll
c:\program files\OpenDrive\boost_system-vc90-mt-1_35.dll
c:\program files\Logitech\iTouch\iTchHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\tray.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\program files\Alwil Software\Avast4\setup\avast.setup
.
**************************************************************************
.
Completion time: 2010-01-28 05:10:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-28 10:10

Pre-Run: 452,820,992 bytes free
Post-Run: 604,250,112 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 05F42E4BD443C4060A88F7059CE1A685
dvk01 (Moderator & Malware Removal Specialist, 37,220 posts; Join Date: Dec 2002; Location: Loughton, Essex, UK)
28-Jan-2010, 01:10 PM #14
I need to examine a few files

Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up comes, press SAVE, choose Desktop in the list of selections in that window and press Save).
Disable any antivirus/antimalware/firewall real-time protection or script blocking in the same way you did previously before running ComboFix, and remember to re-enable it when it has finished.
Close any open browsers.
Then drag the CFScript.txt onto ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of ComboFix.txt in your next reply.

Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script, as it could damage the workings of your system and will not fix your problem. If you have a similar problem, start your own topic in the malware fixing forum.

This will create a zip file inside C:\QooBox\quarantine named something like [38]-Submit_2008-01-17@17.50.zip.

At the end it will pop up an alert and open your browser and ask you to send the zip file.

Please follow those instructions. We need to see the zip file before we can carry on with the fix.

If there is no pop-up alert or open browser, then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and, if needed, distribute them to antivirus companies.
Just press New Topic, fill in the needed details, give a link to your post here, then press the Browse button and navigate to and select the files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select as before; when all the files are listed in the window, press Send to upload the files (do not post HJT logs there, as they will not get dealt with).

Files to submit:
The zip file inside C:\QooBox\quarantine created by ComboFix, named something like [38]-Submit_2008-01-17@17.50.zip

or to
http://www.bleepingcomputer.com/subm...php?channel=38
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
MobiusJedi (Member, 101 posts; Join Date: Jan 2010; Location: Michigan, US)
28-Jan-2010, 08:34 PM #15
http://thespykiller.co.uk/index.php/...5.new.html#new

Avast randomly found a trojan while ComboFix was running...