
Google Problem


13 replies to this topic

#1 glenn.225

Posted 21 January 2009 - 06:33 PM

I have a problem that I think is a virus or spybot in Google. I use Maxthon 2.1.5 web browser and for the past couple of weeks whenever I do a Google search, the first page is all redirected to “Best Deal Pages” or whatever you call them.

I am running XP Pro SP3 and have Norton System Works that is updated regularly, last scan it detected a w32.Spybot.worm. I had to try a couple of times but finally deleted this and scans come up clean. I also use Spybot Search and Destroy which has been updated regularly. It also comes up clean. Although I’m not sure the registry updater is working I think Norton will not allow changes (will have to look into this more). Yesterday I installed Ad-Aware, Anti-Malware and Hijack This, as suggested by the Google help page. Ad-Aware came up with a couple more items that I deleted but problem still persists. I have the Hijack This log to post if necessary.

Anyway has anyone come across this issue with Google and how do you fix it?

I'm not a power user by any means but not completely illiterate either, if someone could point me in the right direction I may be able to fix this.

Thanks


Glenn


#2 rigel

Posted 21 January 2009 - 08:42 PM

Hi Glenn and welcome to BleepingComputer :thumbsup:

The process of cleaning your computer may require temporarily disabling some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 glenn.225

Posted 21 January 2009 - 09:04 PM

Rigel

I'll try running Malwarebytes Anti-malware again, with Norton off.


Thanks

Glenn

#4 rigel

Posted 21 January 2009 - 09:49 PM

Please post the log so we can see what files are being regenerated.

#5 glenn.225

Posted 21 January 2009 - 11:28 PM

Rigel

I shut down Norton, reran Ad-Aware, Malwarebytes' Anti-Malware (full scan) and Spybot, shut off TeaTimer and ran Malwarebytes Anti-Malware in quick scan. All came clean, but problem still same.

here is last log.


Malwarebytes' Anti-Malware 1.33
Database version: 1675
Windows 5.1.2600 Service Pack 3

21/01/2009 11:11:28 PM
mbam-log-2009-01-21 (23-11-28).txt

Scan type: Quick Scan
Objects scanned: 56043
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 rigel

Posted 22 January 2009 - 08:07 AM

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

#7 glenn.225

Posted 22 January 2009 - 10:10 PM

Rigel

I ran the SDFix.

Here is the log.


SDFix: Version 1.240
Run by Administrator on 22/01/2009 at 09:37 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: D:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 21:49:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000761472956]
"0007614cfb92"=hex:8f,ca,c3,a7,34,b1,7e,40,dd,7d,73,0c,74,5c,cc,66
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:db,57,dc,b7,ff,e0,3b,c4,56,b1,e4,b4,10,36,09,af,ea,ab,c0,a9,51,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:db,57,dc,b7,ff,e0,3b,c4,56,b1,e4,b4,10,36,09,af,ea,ab,c0,a9,51,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000761472956]
"0007614cfb92"=hex:8f,ca,c3,a7,34,b1,7e,40,dd,7d,73,0c,74,5c,cc,66
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:db,57,dc,b7,ff,e0,3b,c4,56,b1,e4,b4,10,36,09,af,ea,ab,c0,a9,51,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"D:\\WINDOWS\\system32\\sessmgr.exe"="D:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"F:\\Program Folder\\BitTorrent\\bittorrent.exe"="F:\\Program Folder\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Disabled:Windows Live Messenger 8.1"
"D:\\Program Files\\MSN Messenger\\livecall.exe"="D:\\Program Files\\MSN Messenger\\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)"
"G:\\New Folder\\LimeWire\\LimeWire.exe"="G:\\New Folder\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"D:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="D:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Disabled:Logitech Desktop Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"D:\\Program Files\\MSN Messenger\\livecall.exe"="D:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"D:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="D:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Wed 21 Jul 2004 166,400 A.SHR --- D:\NTBOOTDD.SYS
Wed 15 Oct 2008 633,632 A.SH. --- D:\PROGRA~1\INTERN~1\IEXPLORE.EXE
Sun 13 Apr 2008 1,695,232 ..SH. --- D:\PROGRA~1\MESSEN~1\MSMSGS.EXE
Sun 13 Apr 2008 60,416 A.SH. --- D:\PROGRA~1\OUTLOO~1\MSIMN.EXE
Wed 22 Oct 2008 949,072 A.SHR --- D:\PROGRA~1\SPYBOT~1\ADVCHECK.DLL
Mon 7 Jul 2008 1,429,840 A.SHR --- D:\PROGRA~1\SPYBOT~1\SDUPDATE.EXE
Mon 7 Jul 2008 4,891,472 A.SHR --- D:\PROGRA~1\SPYBOT~1\SPYBOTSD.EXE
Wed 22 Oct 2008 962,896 A.SHR --- D:\PROGRA~1\SPYBOT~1\TOOLS.DLL
Sun 13 Apr 2008 4,639 A.SH. --- D:\PROGRA~1\WINDOW~2\MPLAYER2.EXE
Wed 18 Oct 2006 64,000 A.SH. --- D:\PROGRA~1\WINDOW~2\WMPLAYER.EXE

Finished!


thanks
Glenn
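The "Authorized Application Key Export" block in the SDFix report above lists every program the XP firewall lets through, which is worth reading closely because unwanted software that needs outbound access often adds itself there. As an added example (not part of this thread, SDFix, or any tool named in it), here is a Python triage script that parses that .reg-style block and flags enabled exceptions from suspicious locations; the sample block is constructed in the same layout, and the Temp-folder svchost.exe line is invented for the example, not taken from the poster's machine.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the layout of the "Authorized Application Key Export" block of an
# SDFix Report.txt (same .reg-style format as the log posted above). The Temp-folder
# svchost.exe line is invented for the example; it is not from the poster's machine.
SAMPLE_EXPORT = r"""
Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Disabled:Windows Live Messenger 8.1"
"G:\\New Folder\\LimeWire\\LimeWire.exe"="G:\\New Folder\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"D:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\svchost.exe"="D:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\svchost.exe:*:Enabled:Windows Update Helper"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"""

# A [key] line tells us which firewall profile the entries that follow belong to.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\.*\\firewallpolicy\\(\w+)\\authorizedapplications\\list\]$", re.I)
# A .reg value line: "name"="value", with backslashes doubled inside the quotes.
ENTRY_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')

# Binaries that legitimately live only under the Windows directory.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe"}


@dataclass
class FirewallException:
    profile: str        # standardprofile or domainprofile
    path: str           # executable allowed through the XP firewall
    scope: str          # '*' means any remote address
    enabled: bool
    display_name: str


def unescape_reg(s: str) -> str:
    """Undo the backslash doubling that .reg exports apply inside quoted strings."""
    return s.replace("\\\\", "\\")


def parse_export(text: str) -> List[FirewallException]:
    """Parse the authorized-applications block into structured entries."""
    entries: List[FirewallException] = []
    profile = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            profile = key.group(1).lower()
            continue
        m = ENTRY_RE.match(line)
        if not m or profile is None:
            continue
        path = unescape_reg(m.group("name"))
        value = unescape_reg(m.group("value"))
        # The value is "<path>:<scope>:<Enabled|Disabled>:<display name>". The path itself
        # contains a drive-letter colon, so strip it by prefix instead of splitting on ':'.
        if not value.lower().startswith(path.lower() + ":"):
            continue  # malformed or hand-edited entry; skip rather than guess
        scope, status, display = value[len(path) + 1:].split(":", 2)
        entries.append(FirewallException(profile, path, scope, status.lower() == "enabled", display))
    return entries


def is_trusted_location(path: str) -> bool:
    """True for paths under %windir% or the Windows / Program Files tree of any drive."""
    p = path.lower()
    if p.startswith("%windir%\\"):
        return True
    return p[1:].startswith((":\\windows\\", ":\\program files\\", ":\\progra~1\\"))


def triage(entries: List[FirewallException]) -> List[Tuple[str, str, List[str]]]:
    """Return (profile, path, reasons) for enabled exceptions a responder should look at."""
    findings = []
    for e in entries:
        if not e.enabled:
            continue
        p = e.path.lower()
        base = p.rsplit("\\", 1)[-1]
        reasons = []
        if base in SYSTEM_NAMES and not (p.startswith("%windir%\\") or ":\\windows\\" in p):
            reasons.append("system binary name outside the Windows directory")
        if "\\temp\\" in p or "\\locals~1\\" in p:
            reasons.append("runs from a temporary or local-settings folder")
        if not is_trusted_location(e.path):
            reasons.append("enabled exception outside Program Files / Windows")
        if reasons:
            findings.append((e.profile, e.path, reasons))
    return findings


if __name__ == "__main__":
    for profile, path, reasons in triage(parse_export(SAMPLE_EXPORT)):
        print(f"[{profile}] {path}: {'; '.join(reasons)}")
```

Disabled entries are skipped on purpose: they cannot pass traffic, so an investigator's time is better spent on the enabled ones from odd locations.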

#8 rigel

Posted 23 January 2009 - 10:50 AM

Please download ATF Cleaner by Atribune & save it to your desktop.
alternate download link DO NOT use yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

#9 MJOJ

Posted 23 January 2009 - 02:55 PM

I am watching this post with bated breath.

#10 glenn.225

Posted 23 January 2009 - 04:24 PM

Rigel (and MJOJ too!!)


Tried ATF and SuperAntiSpyware as you detailed but still no luck. SuperAntiSpyware scan came up clean, 0 problems.

But the first page of Google search is still being redirected. I am going to start all scans again and will post results.

What about deleting browser and reinstalling??


Thanks

Glenn

#11 glenn.225

Posted 24 January 2009 - 02:20 AM

Ok, this is really starting to get frustrating!! :thumbsup:

Over the past few hours I have updated all virus/spyware tools and updated Java.

Ran Norton, full scan, 0 problem detected.

Disconnected network, disabled Norton, Ad-Aware and SuperAntiSpyware, ran Spybot full scan, 0 threats, 97 minor tracks, repaired.

Disabled Teatimer, ran Ad-Aware full scan, found 4 problems 1 of which was a threat, repaired.

Disabled Ad-Aware, ran Malwarebytes full scan, 2 problems found, repaired.

Rebooted in Safe Mode, ran ATF-Cleaner, then ran Super AntiSpyware full scan, 0 problem.

Rebooted normally, reactivated everything, ran SuperAntiSpyware again because no log of the "run in safe mode" was saved.

Connected to net, tried Google and same thing, still being redirected.

Below are the logs, if they are any good. Also Hijack This log if required.

Thanks to anyone who tries.

Glenn


Spybot Report
--- Report generated: 2009-01-23 21:35 ---

Common Dialogs: History (277 files) (Registry key, fixed)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: Activity: COM+.log (Backup file, fixed)
D:\WINDOWS\COM+.log

Log: Activity: SchedLgU.Txt (Backup file, fixed)
D:\WINDOWS\SchedLgU.Txt

Log: Activity: imsins.log (Backup file, fixed)
D:\WINDOWS\imsins.log

Log: Activity: OEWABLog.txt (Backup file, fixed)
D:\WINDOWS\OEWABLog.txt

Log: Activity: ntbtlog.txt (Backup file, fixed)
D:\WINDOWS\ntbtlog.txt

Log: Install: ocgen.log (Backup file, fixed)
D:\WINDOWS\ocgen.log

Log: Install: setupact.log (Backup file, fixed)
D:\WINDOWS\setupact.log

Log: Install: setupapi.log (Backup file, fixed)
D:\WINDOWS\setupapi.log

Log: Install: setuplog.txt (Backup file, fixed)
D:\WINDOWS\setuplog.txt

Log: Install: svcpack.log (Backup file, fixed)
D:\WINDOWS\svcpack.log

Log: Install: wmsetup.log (Backup file, fixed)
D:\WINDOWS\wmsetup.log

Log: Install: DtcInstall.log (Backup file, fixed)
D:\WINDOWS\DtcInstall.log

Log: Shutdown: System32\wbem\logs\mofcomp.log (Backup file, fixed)
D:\WINDOWS\System32\wbem\logs\mofcomp.log

Log: Shutdown: System32\wbem\logs\setup.log (Backup file, fixed)
D:\WINDOWS\System32\wbem\logs\setup.log

Log: Shutdown: System32\wbem\logs\wbemcore.log (Backup file, fixed)
D:\WINDOWS\System32\wbem\logs\wbemcore.log

Log: Shutdown: System32\wbem\logs\wbemess.lo_ (Backup file, fixed)
D:\WINDOWS\System32\wbem\logs\wbemess.lo_

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, fixed)
D:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\wbemprox.log (Backup file, fixed)
D:\WINDOWS\System32\wbem\logs\wbemprox.log

Log: Shutdown: System32\wbem\logs\wbemsnmp.log (Backup file, fixed)
D:\WINDOWS\System32\wbem\logs\wbemsnmp.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, fixed)
D:\WINDOWS\System32\wbem\logs\winmgmt.log

Log: Shutdown: System32\wbem\logs\wmiadap.log (Backup file, fixed)
D:\WINDOWS\System32\wbem\logs\wmiadap.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, fixed)
D:\WINDOWS\System32\wbem\logs\wmiprov.log

Ahead Nero Burning Rom: [SBI $B67505E9] Recent file list (4 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Ahead\Nero - Burning Rom\Recent file list

Ahead Nero Burning Rom: [SBI $0D846EDB] Compilation directory (Registry change, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Ahead\Nero - Burning Rom\Settings\NeroCompilation

Ahead Nero Burning Rom: [SBI $DE353278] Browser directory (Registry change, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Ahead\Nero - Burning Rom\Settings\BrowserDir

Ahead Nero Burning Rom: [SBI $F3FD92E9] Working directory (Registry change, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Ahead\Nero - Burning Rom\Settings\WorkingDir

Ahead Nero Burning Rom: [SBI $055C754D] Last ISO directory (Registry change, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\ahead\Nero - Burning Rom\General\OFDLastISODir

Ahead Nero Burning Rom: [SBI $505FB952] Last Audio directory (Registry change, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\ahead\Nero - Burning Rom\General\OFDLastAudioDir

Ahead Nero Burning Rom: [SBI $0A02AC84] Last MP3 directory (Registry change, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\ahead\Nero - Burning Rom\General\OFDLastMP3Dir

Ahead Nero Cover Designer: [SBI $6441CE99] Recent file list (1 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\ahead\Cover Designer\Recent File List

Internet Explorer: [SBI $FF589D0C] Download directory (Registry change, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Internet Explorer\Download Directory

Internet Explorer: [SBI $0BC7B918] User agent (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry change, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry change, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry change, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Isobuster: [SBI $FFCD5808] Last save folder (Registry value, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Smart Projects\IsoBuster\LastSavedPath

MS Management Console: [SBI $ECD50EAD] Recent command list (4 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Microsoft Management Console\Recent File List

MS Media Player: [SBI $735D57D7] Recent open directory (Registry change, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\MediaPlayer\Player\Settings\OpenDir

MS Media Player: [SBI $3EE69CC3] Save as Directory (Registry change, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\MediaPlayer\Player\Settings\SaveAsDir

MS Media Player: [SBI $656F1808] Search terms history (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\MediaPlayer\AutoComplete\MediaSearch

MS Media Player: [SBI $8E65C0EE] Last opened playlist (Registry value, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\MediaPlayer\Preferences\LastPlaylist

MS Media Player: [SBI $1BDA487B] Last selected track index (Registry value, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\MediaPlayer\Preferences\LastPlaylistIndex

MS Media Player: [SBI $6D2E50D8] Last selected node (Registry change, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\MediaPlayer\MediaLibraryUI\MLLastSelectedNode

MS Media Player: [SBI $3B9B7B9A] Last CD record path (Registry change, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\MediaPlayer\Preferences\CDRecordPath

MS Media Player: [SBI $3B46EBCE] Manually modified tags history (32 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\MediaPlayer\AutoComplete\MediaEdit

MS Media Player: [SBI $5C51E349] Client ID (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\Client ID

MS Media Player: [SBI $5C51E349] Client ID (Registry change, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\MediaPlayer\Player\Settings\Client ID

MS Media Player: [SBI $5C51E349] Client ID (Registry change, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\MediaPlayer\Player\Settings\Client ID

MS Media Player: [SBI $5C51E349] Client ID (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\MediaPlayer\Player\Settings\Client ID

MS Direct3D: [SBI $7FB7B83F] Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name

MS DirectInput: [SBI $9A063C91] Most recent application (Registry change, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\DirectInput\MostRecentApplication\Name

MS DirectInput: [SBI $7B184199] Most recent application ID (Registry change, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\DirectInput\MostRecentApplication\Id

MS Office 11.0 (Document Imaging): [SBI $1E04F9F2] Persistent filename list (4 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\MSPaper 11.0\Persist File Name

MS Office 11.0 (Document Imaging): [SBI $8D4B9B9B] Recent file list (4 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\MSPaper 11.0\Recent File List

MS Office 11.0 (Outlook): [SBI $51367364] Typed search term history (1 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Office\11.0\Outlook\Office Finder

MS Office 11.0 (Picture Manager): [SBI $2379928F] Last selected folder (Registry value, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Office\11.0\OIS\Options\LastTreeSelection

MS Office 11.0 (Word): [SBI $15AC27CE] Recent file list (Registry value, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Office\11.0\Word\Data\Settings

MS Paint: [SBI $07867C39] Recent file list (4 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List

MS Regedit: [SBI $C3B62FC1] Recent open key (Registry change, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

MS Search Assistant: [SBI $AE0C4647] Typed search terms history (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Search Assistant\ACMru

MS Wordpad: [SBI $4C02334D] Recent file list (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List

Windows: [SBI $1E4E2003] Drivers installation paths (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources

Windows.OpenWith: [SBI $5738CAE7] Open with list - .000 extension (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.000\OpenWithList

Windows.OpenWith: [SBI $48691F6C] Open with list - .ASD extension (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASD\OpenWithList

Windows.OpenWith: [SBI $F7204896] Open with list - .AVI extension (5 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AVI\OpenWithList

Windows.OpenWith: [SBI $691C1B44] Open with list - .BIN extension (6 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BIN\OpenWithList

Windows.OpenWith: [SBI $1A8E7C6C] Open with list - .BLD extension (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BLD\OpenWithList

Windows.OpenWith: [SBI $A1C94E79] Open with list - .BMP extension (7 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList

Windows.OpenWith: [SBI $C92C6763] Open with list - .BUP extension (4 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BUP\OpenWithList

Windows.OpenWith: [SBI $63036C95] Open with list - .CAB extension (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CAB\OpenWithList

Windows.OpenWith: [SBI $9E8D5C8A] Open with list - .CDA extension (3 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CDA\OpenWithList

Windows.OpenWith: [SBI $7681FFE3] Open with list - .CDR extension (4 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CDR\OpenWithList

Windows.OpenWith: [SBI $31610C46] Open with list - .CMX extension (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CMX\OpenWithList

Windows.OpenWith: [SBI $C98879E0] Open with list - .CPT extension (3 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CPT\OpenWithList

Windows.OpenWith: [SBI $ECC28BDF] Open with list - .CSV extension (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSV\OpenWithList

Windows.OpenWith: [SBI $F34FE1D0] Open with list - .CUE extension (3 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CUE\OpenWithList

Windows Explorer: [SBI $A2C7B3CD] Recent wallpaper list (501 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU

Windows Explorer: [SBI $7308A845] Run history (3 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: [SBI $AA0766B5] Stream history (201 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (1 files) (Registry key, fixed)
HKEY_USERS\PE_D_ADMINISTRATOR\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (12 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (14 files) (Registry key, fixed)
HKEY_USERS\PE_D_ADMINISTRATOR\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (343 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: [SBI $B7EBA926] Last visited history (2 files) (Registry key, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: [SBI $B7EBA926] Last visited history (2 files) (Registry key, fixed)
HKEY_USERS\PE_D_ADMINISTRATOR\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: [SBI $B7EBA926] Last visited history (5 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: [SBI $B7EBA926] Last visited history (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Explorer: [SBI $85C2C910] Last Copy/MoveTo folder (Registry value, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CopyMoveTo\LastFolder

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

WinRAR: [SBI $0B56E92B] Recent file list (4 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\WinRAR\ArcHistory

WinRAR: [SBI $B84F9965] Last used directory (Registry change, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\WinRAR\General\LastFolder

WinRAR: [SBI $B510882E] Extraction directory history (5 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-1229272821-573735546-839522115-1003\Software\WinRAR\DialogEditHistory\ExtrPath

Cookie: [SBI $49804B54] Cookie (42) (Cookie, fixed)


Cache: [SBI $49804B54] Cache (513) (Cache, fixed)


History: [SBI $49804B54] History (220) (History, fixed)


Congratulations!: No immediate threats were found. ()



--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2009-01-20 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2009-01-13 Includes\Adware.sbi (*)
2009-01-20 Includes\AdwareC.sbi (*)
2009-01-15 Includes\Cookies.sbi (*)
2009-01-06 Includes\Dialer.sbi (*)
2009-01-13 Includes\DialerC.sbi (*)
2009-01-13 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2009-01-13 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2009-01-20 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2009-01-21 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2009-01-20 Includes\PUPSC.sbi (*)
2009-01-13 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-01-20 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-01-20 Includes\Spyware.sbi (*)
2009-01-13 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti (*)
2009-01-21 Includes\Trojans.sbi (*)
2009-01-21 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
_______________________________________________________________________________

Ad-Aware Report

Logfile created: 23/01/2009 21:51:8
Lavasoft Ad-Aware version: 8.0
Extended engine version: 8.1
User performing scan: Glenn

*********************** Definitions database information ***********************
Lavasoft definition file: 146.0
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Scan profile name: Full Scan (ID: full)
Objects scanned: 79546
Objects detected: 4


Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 4
Folders.........: 0
LSPs............: 0
Cookies.........: 0
Browser hijacks.: 0
MRU objects.....: 0



Skipped items:
Description: D:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE Family Name: Suspicious Object Clean status: Success Item ID: 0 Family ID: 0
Description: D:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE Family Name: Suspicious Object Clean status: Success Item ID: 0 Family ID: 0
Description: D:\WINDOWS\system32\vidccleaner.exe Family Name: Suspicious Object Clean status: Success Item ID: 0 Family ID: 0

Quarantined items:
Description: D:\SDFix\apps\cliptext.exe Family Name: Win32.Worm.KdCrypt Clean status: Success Item ID: 408049 Family ID: 5462

Scan and cleaning complete: Finished correctly after 1234 seconds

*********************************** Settings ***********************************

Scan profile:
ID: full, enabled:1, value: Full Scan
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: true
ID: scanhostsfile, enabled:1, value: true
ID: scanmru, enabled:1, value: true
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: folderstoscan, enabled:1, value: D:\
ID: scanrootkits, enabled:1, value: true
ID: usespywareheuristics, enabled:1, value: true
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: true
ID: onlyexecutables, enabled:1, value: false
ID: skiplargerthan, enabled:1, value: 20480

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

Scheduled scan settings:
<Empty>

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently
ID: displaystatus, enabled:1, value: false
ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: autodetectproxy, enabled:1, value: false
ID: useautoconfigscript, enabled:1, value: false
ID: autoconfigurl, enabled:0, value:
ID: useproxy, enabled:1, value: false
ID: proxyserver, enabled:0, value:
ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily, enabled:1, value: Daily
ID: time, enabled:1, value: Tue Jan 20 23:32:00 2009
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly, enabled:1, value: Weekly
ID: time, enabled:1, value: Tue Jan 20 23:32:00 2009
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: true
ID: tuesday, enabled:1, value: true
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: Carbon.eGL, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: processprotection, enabled:1, value: true
ID: registryprotection, enabled:0, value: false
ID: networkprotection, enabled:0, value: false
ID: loadatstartup, enabled:1, value: true
ID: usespywareheuristics, enabled:0, value: false
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: infomessages, enabled:1, value: animated, domain: animated,display,dontnotify


****************************** System information ******************************
Computer name: HOME-OFFICE
Processor name: AMD Athlon™ 64 X2 Dual Core Processor 3800+
Processor identifier: x86 Family 15 Model 43 Stepping 1
Raw info: processorarchitecture 0, processortype 586, processorlevel 15, processor revision 11009, number of processors 2
Physical memory available: 1282473984 bytes
Physical memory total: 2146881536 bytes
Virtual memory available: 2055049216 bytes
Virtual memory total: 2147352576 bytes
Memory load: 40%
Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Windows startup mode:

Running processes:
PID: 852 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 984 name: \??\D:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1008 name: \??\D:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1052 name: D:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1064 name: D:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1212 name: D:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1312 name: D:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1364 name: D:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1432 name: D:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 1452 name: D:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1564 name: D:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1604 name: D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 1800 name: D:\WINDOWS\Explorer.EXE owner: Glenn domain: HOME-OFFICE
PID: 1876 name: D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 1964 name: D:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 1984 name: D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 2016 name: D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 256 name: D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 412 name: D:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 496 name: D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 540 name: D:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 604 name: D:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 832 name: D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 896 name: D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 948 name: D:\Program Files\Norton SystemWorks\Norton Ghost\Agent\VProSvc.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 976 name: D:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 1028 name: D:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE owner: <UNKNOWN> domain: <UNKNOWN>
PID: 1652 name: D:\WINDOWS\system32\nvsvc32.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1692 name: D:\WINDOWS\System32\snmp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1648 name: D:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 2088 name: D:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2188 name: D:\Program Files\Common Files\Symantec Shared\ccApp.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 2284 name: D:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 2304 name: D:\WINDOWS\system32\nvraidservice.exe owner: Glenn domain: HOME-OFFICE
PID: 2340 name: D:\WINDOWS\system32\rundll32.exe owner: Glenn domain: HOME-OFFICE
PID: 2372 name: D:\WINDOWS\system32\RUNDLL32.EXE owner: Glenn domain: HOME-OFFICE
PID: 2408 name: D:\Program Files\Logitech\SetPoint\LBTWiz.exe owner: Glenn domain: HOME-OFFICE
PID: 2460 name: D:\WINDOWS\SOUNDMAN.EXE owner: Glenn domain: HOME-OFFICE
PID: 2528 name: D:\WINDOWS\system32\ctfmon.exe owner: Glenn domain: HOME-OFFICE
PID: 2688 name: D:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe owner: Glenn domain: HOME-OFFICE
PID: 2848 name: D:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 2920 name: D:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1292 name: D:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE owner: <UNKNOWN> domain: <UNKNOWN>
PID: 3592 name: D:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 920 name: D:\WINDOWS\system32\dllhost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2780 name: D:\WINDOWS\system32\msdtc.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 4968 name: D:\Program Files\Java\jre6\bin\jusched.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 5000 name: D:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY
PID: 5096 name: D:\WINDOWS\Explorer.EXE owner: Glenn domain: HOME-OFFICE
PID: 5044 name: D:\WINDOWS\System32\vssvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 5380 name: D:\PROGRA~1\iolo\SYSTEM~1\SysMech6.exe owner: Glenn domain: HOME-OFFICE
PID: 4472 name: D:\Program Files\Common Files\Symantec Shared\NMain.exe owner: <UNKNOWN> domain: <UNKNOWN>
PID: 3328 name: D:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Glenn domain: HOME-OFFICE
PID: 2044 name: D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3460 name: D:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 5112 name: D:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
PID: 4232 name: D:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: SYSTEM domain: NT AUTHORITY

Startup items:
Name: PostBootReminder
imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
Name: CDBurn
imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
Name: WebCheck
imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: SysTray
imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
Name: WPDShServiceObj
imagepath: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}
Name: CTFMON.EXE
imagepath: D:\WINDOWS\system32\CTFMON.EXE
Name: NvCplDaemon
imagepath: RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
Name: nwiz
imagepath: nwiz.exe /install
Name: ccApp
imagepath: "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Name: Norton Ghost 10.0
imagepath: "D:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe"
Name: NVRaidService
imagepath: D:\WINDOWS\system32\nvraidservice.exe
Name: Logitech Hardware Abstraction Layer
imagepath: KHALMNPR.EXE
Name: BluetoothAuthenticationAgent
imagepath: rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
Name: Kernel and Hardware Abstraction Layer
imagepath: KHALMNPR.EXE
Name: NvMediaCenter
imagepath: RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
Name: Bluetooth Connection Assistant
imagepath: D:\Program Files\Logitech\SetPoint\LBTWiz.exe -silent
Name: zzGBK
imagepath: I:\Setup.exe
Name: SoundMan
imagepath: SOUNDMAN.EXE
Name: NeroFilterCheck
imagepath: D:\WINDOWS\system32\NeroCheck.exe
Name: Ad-Watch
imagepath: D:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
Name: SunJavaUpdateSched
imagepath: "D:\Program Files\Java\jre6\bin\jusched.exe"
Name: SpybotDeletingA9519
imagepath: command /c del "D:\WINDOWS\SchedLgU.Txt"
Name: SpybotDeletingC8136
imagepath: cmd /c del "D:\WINDOWS\SchedLgU.Txt"
Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
imagepath: Browseui preloader
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
imagepath: Component Categories cache daemon
Name:
imagepath:

Bootexecute items:
Name:
imagepath: autocheck autochk *
Name:
imagepath: smrgdf D:\Program Files\iolo\System Mechanic Professional 6\
Name:
imagepath: iolobtdfg d:\windows\system32
Name:
imagepath: lsdelete

Running services:
Name: ALG
displayname: Application Layer Gateway Service
Name: AudioSrv
displayname: Windows Audio
Name: Automatic LiveUpdate Scheduler
displayname: Automatic LiveUpdate Scheduler
Name: BthServ
displayname: Bluetooth Support Service
Name: ccEvtMgr
displayname: Symantec Event Manager
Name: ccSetMgr
displayname: Symantec Settings Manager
Name: COMSysApp
displayname: COM+ System Application
Name: CryptSvc
displayname: Cryptographic Services
Name: DcomLaunch
displayname: DCOM Server Process Launcher
Name: Dhcp
displayname: DHCP Client
Name: Dnscache
displayname: DNS Client
Name: ERSvc
displayname: Error Reporting Service
Name: Eventlog
displayname: Event Log
Name: EventSystem
displayname: COM+ Event System
Name: GBPoll
displayname: GoBack Polling Service
Name: helpsvc
displayname: Help and Support
Name: lanmanworkstation
displayname: Workstation
Name: Lavasoft Ad-Aware Service
displayname: Lavasoft Ad-Aware Service
Name: LBTServ
displayname: Logitech Bluetooth Service
Name: LiveUpdate Notice Service
displayname: LiveUpdate Notice Service
Name: MDM
displayname: Machine Debug Manager
Name: MSDTC
displayname: Distributed Transaction Coordinator
Name: navapsvc
displayname: Norton AntiVirus Auto-Protect Service
Name: Netman
displayname: Network Connections
Name: Nla
displayname: Network Location Awareness (NLA)
Name: Norton Ghost
displayname: Norton Ghost
Name: NPFMntor
displayname: Norton AntiVirus Firewall Monitor Service
Name: NProtectService
displayname: Norton UnErase Protection
Name: NSCService
displayname: Norton Protection Center Service
Name: NVSvc
displayname: NVIDIA Display Driver Service
Name: PlugPlay
displayname: Plug and Play
Name: ProtectedStorage
displayname: Protected Storage
Name: RasMan
displayname: Remote Access Connection Manager
Name: RpcSs
displayname: Remote Procedure Call (RPC)
Name: SamSs
displayname: Security Accounts Manager
Name: Schedule
displayname: Task Scheduler
Name: SENS
displayname: System Event Notification
Name: SharedAccess
displayname: Windows Firewall/Internet Connection Sharing (ICS)
Name: ShellHWDetection
displayname: Shell Hardware Detection
Name: SNDSrvc
displayname: Symantec Network Drivers Service
Name: SNMP
displayname: SNMP Service
Name: SPBBCSvc
displayname: SPBBCSvc
Name: Speed Disk service
displayname: Speed Disk service
Name: Spooler
displayname: Print Spooler
Name: srservice
displayname: System Restore Service
Name: SSDPSRV
displayname: SSDP Discovery Service
Name: stisvc
displayname: Windows Image Acquisition (WIA)
Name: Symantec Core LC
displayname: Symantec Core LC
Name: TapiSrv
displayname: Telephony
Name: Themes
displayname: Themes
Name: upnphost
displayname: Universal Plug and Play Device Host
Name: VSS
displayname: Volume Shadow Copy
Name: W32Time
displayname: Windows Time
Name: winmgmt
displayname: Windows Management Instrumentation
Name: wscsvc
displayname: Security Center
Name: wuauserv
displayname: Automatic Updates
Name: WudfSvc
displayname: Windows Driver Foundation - User-mode Driver Framework
Name: JavaQuickStarterService
displayname: Java Quick Starter
___________________________________________________________________________________________
Malwarebytes Report

Malwarebytes' Anti-Malware 1.33
Database version: 1685
Windows 5.1.2600 Service Pack 3

23/01/2009 11:32:38 PM
mbam-log-2009-01-23 (23-32-38).txt

Scan type: Full Scan (D:\|E:\|F:\|G:\|H:\|K:\|)
Objects scanned: 190070
Time elapsed: 1 hour(s), 4 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 glenn.225

Posted 24 January 2009 - 09:54 AM

Also, here is the latest SDFix log.


SDFix: Version 1.240
Run by Administrator on 24/01/2009 at 09:29 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: D:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-24 09:36:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000761472956]
"0007614cfb92"=hex:8f,ca,c3,a7,34,b1,7e,40,dd,7d,73,0c,74,5c,cc,66
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:db,57,dc,b7,ff,e0,3b,c4,56,b1,e4,b4,10,36,09,af,ea,ab,c0,a9,51,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:db,57,dc,b7,ff,e0,3b,c4,56,b1,e4,b4,10,36,09,af,ea,ab,c0,a9,51,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000761472956]
"0007614cfb92"=hex:8f,ca,c3,a7,34,b1,7e,40,dd,7d,73,0c,74,5c,cc,66
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:db,57,dc,b7,ff,e0,3b,c4,56,b1,e4,b4,10,36,09,af,ea,ab,c0,a9,51,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000145

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"D:\\WINDOWS\\system32\\sessmgr.exe"="D:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"F:\\Program Folder\\BitTorrent\\bittorrent.exe"="F:\\Program Folder\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"D:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="D:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Disabled:Logitech Desktop Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"D:\\Program Files\\MSN Messenger\\livecall.exe"="D:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"D:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="D:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Wed 21 Jul 2004 166,400 A.SHR --- D:\NTBOOTDD.SYS
Wed 15 Oct 2008 633,632 A.SH. --- D:\PROGRA~1\INTERN~1\IEXPLORE.EXE
Sun 13 Apr 2008 1,695,232 ..SH. --- D:\PROGRA~1\MESSEN~1\MSMSGS.EXE
Sun 13 Apr 2008 60,416 A.SH. --- D:\PROGRA~1\OUTLOO~1\MSIMN.EXE
Wed 22 Oct 2008 949,072 A.SHR --- D:\PROGRA~1\SPYBOT~1\ADVCHECK.DLL
Mon 7 Jul 2008 1,429,840 A.SHR --- D:\PROGRA~1\SPYBOT~1\SDUPDATE.EXE
Mon 7 Jul 2008 4,891,472 A.SHR --- D:\PROGRA~1\SPYBOT~1\SPYBOTSD.EXE
Wed 22 Oct 2008 962,896 A.SHR --- D:\PROGRA~1\SPYBOT~1\TOOLS.DLL
Sun 13 Apr 2008 4,639 A.SH. --- D:\PROGRA~1\WINDOW~2\MPLAYER2.EXE
Wed 18 Oct 2006 64,000 A.SH. --- D:\PROGRA~1\WINDOW~2\WMPLAYER.EXE

Finished!

#13 glenn.225

Posted 24 January 2009 - 10:51 AM

Rigel

I'm not sure which one did it, maybe the last try of SDFix. I also tried F-Secure (?), an on-line scanner, but it showed 0 problems.

Anyway, it's GONE!!!!! My family and I can use Google correctly again. :thumbsup:

Only took about 15 hours' work. :flowers:

I'm beefing up all my protection. From now on I'm running Norton SystemWorks, ZoneAlarm, Spybot, Ad-Aware and SuperAntiSpyware constantly, with regular checks by CCleaner, Malwarebytes and SDFix. This would have sounded like way overkill to me last month, but now I'm not sure it is enough. :trumpet:

Thanks for the help.

Glenn

#14 rigel

Posted 24 January 2009 - 12:55 PM

Glad everything is better!

If there are no more problems or signs of infection, you should create a new restore point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Safe surfing

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith
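A scripted equivalent of the restore-point step in rigel's post above, added here as an example and not taken from his instructions or from the System Restore tool itself: it creates the post-cleanup restore point through the SystemRestore WMI class in root\default (the same interface the System Restore GUI calls), confirms that the newest point on disk is the one just created, and lists the older points that the Disk Cleanup step would then remove. It assumes Windows PowerShell 2.0 or later run from an elevated prompt on a client Windows version with System Restore enabled on the system drive; the description label is a constructed value.

```powershell
# Added example (not from rigel's post or any tool's own code): create a fresh
# restore point after cleanup and confirm it is the newest one on disk.
# Assumes Windows PowerShell 2.0+ running elevated, System Restore enabled.

param(
    [string]$Description = "Post-malware-cleanup baseline"  # constructed label
)

$ErrorActionPreference = "Stop"

function Get-RestorePoints {
    # Each SystemRestore instance carries SequenceNumber, Description and a
    # DMTF-format CreationTime; sort ascending so the last entry is the newest.
    Get-WmiObject -Namespace "root\default" -Class "SystemRestore" |
        Sort-Object SequenceNumber |
        ForEach-Object {
            New-Object PSObject -Property @{
                SequenceNumber = $_.SequenceNumber
                Description    = $_.Description
                Created        = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            }
        }
}

function New-CleanRestorePoint {
    param([string]$Label)
    # RestorePointType 12 = MODIFY_SETTINGS, EventType 100 = BEGIN_SYSTEM_CHANGE
    $sr = [wmiclass]"\\.\root\default:SystemRestore"
    $result = $sr.CreateRestorePoint($Label, 12, 100)
    if ($result.ReturnValue -ne 0) {
        throw "CreateRestorePoint failed with code $($result.ReturnValue)"
    }
}

$before = @(Get-RestorePoints)
New-CleanRestorePoint -Label $Description
$after = @(Get-RestorePoints)

# Do not trust the return code alone: verify the newest point is ours.
$newest = $after | Select-Object -Last 1
if ($null -eq $newest -or $newest.Description -ne $Description) {
    throw "Newest restore point is not '$Description'; no new baseline was created"
}

"Restore points before: $($before.Count), after: $($after.Count)"
"New baseline: #$($newest.SequenceNumber) '$($newest.Description)' created $($newest.Created)"

# Older points still on disk. The Disk Cleanup step (cleanmgr > More Options >
# System Restore > Clean up) removes all of these and keeps only the one above.
$after | Where-Object { $_.SequenceNumber -lt $newest.SequenceNumber } |
    Format-Table SequenceNumber, Created, Description -AutoSize
```

Paste it into an elevated Windows PowerShell console or save it under a name of your choice and run it from there. From PowerShell 2.0 on, the built-in `Checkpoint-Computer` cmdlet wraps the same WMI call. One caveat worth knowing when checking the result: on Windows 8 and later, Windows skips creating a second restore point within 24 hours of the previous one unless the `SystemRestorePointCreationFrequency` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore` is set to 0, and `CreateRestorePoint` still reports success in that case, which is why the script checks the newest point's description instead of relying on the return code.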




