Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Internet Explorer randomly opening


  • This topic is locked This topic is locked
13 replies to this topic

#1 Leeford

Leeford

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 27 January 2009 - 10:27 AM

Hello all,

This is the almost the same post I put up in the ‘Web Browsing…’ forum about a week ago, and after carrying out most of the suggested virus scans I’m still having problems. A few weeks ago my internet explorer started randomly opening to my homepage and, if I was already browsing, it would redirect me to my homepage as well as opening up to 40-odd other windows and occasionally tabs. More often than not these pages are almost impossible to close down and more will take their place when they do, this happens to the point where everything freezes and I have to force it to shutdown. I'm running Internet Explorer 7, Avast4 and Zonealarm alongside Spyware Blaster. I have scanned with Spybot, Ad-aware, Malwarebytes and others. All have shown nothing. I understand that this may be hardware as I do have a quick launch key for the internet but as far as i know this wouldn't cause the browser to return to the homepage....or would it? In anycase when I tried this key, even pressing it a dozen or so times, the pages were a lot easier to close down than when even only 6 pages open at random.

Just after the original post I installed Google Toolbar, getting rid of the old one (MSN I think) I was still using, for almost a week there were no problems. Then yesterday the problem flared up again as bad as ever.

Any help would be very much appreciated.
Leeford



DDS (Ver_09-01-19.01) - NTFSx86
Run by Ben at 23:40:48.56 on 26/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.223.55 [GMT 0:00]

AV: avast! antivirus 4.7.1098 [VPS 090126-0] *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Ben\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.microsoft.com
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: MSN Search Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Search Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll
TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\progra~1\wanadoo\wsbar\WSBar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PCTVOICE] pctspk.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRunOnce: [Magnify] Magnify.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\ben\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\msn toolbar suite\ds\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - hxxp://static.windupdates.com/cab/CDT/ie/bridge-c10.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://www.pandasecurity.com/activescan/cabs/as2stubie.cab
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1232712093267&h=7b793aa34dd3eb547ec1bfd52dff7ad5/&filename=jinstall-6u11-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-20 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-7-22 353680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2004-12-27 247160]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2005-3-29 345464]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2004-12-27 140664]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;c:\windows\system32\drivers\WebSTAR.sys [2004-12-27 15417]

=============== Created Last 30 ================

2009-01-26 20:12 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-01-23 12:03 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-23 12:03 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-20 11:50 <DIR> --d----- C:\fsaua.data
2009-01-20 09:57 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-01-20 09:56 <DIR> --d----- c:\program files\Panda Security
2009-01-19 23:21 250 a------- c:\windows\gmer.ini
2009-01-16 17:08 <DIR> --d----- c:\program files\Trend Micro
2009-01-15 21:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-15 21:25 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-15 21:25 <DIR> --d----- c:\docume~1\ben\applic~1\SUPERAntiSpyware.com
2009-01-15 21:24 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-14 22:14 <DIR> --d----- c:\docume~1\ben\applic~1\Malwarebytes
2009-01-14 22:13 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-14 22:13 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 22:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-14 22:13 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-14 22:08 <DIR> --d----- c:\program files\SpywareGuard

==================== Find3M ====================

2009-01-26 23:04 1,536 ac------ c:\windows\system32\TrueSoft.dat
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-05 11:09 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-11-13 15:18 1,221,008 a------- c:\windows\system32\zpeng25.dll
2008-05-20 21:30 46,318 ac------ c:\docume~1\ben\applic~1\wklnhst.dat
2008-09-28 16:46 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092820080929\index.dat

============= FINISH: 23:44:19.29 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:48 AM

Posted 05 February 2009 - 01:30 PM

Hi Leeford,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log. :thumbup2:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

Please avoid changing anything on your computer (ie, downloading software) or taking unsupervised steps to remove any malware as this can make helping you much more difficult.

So give me some time to go through your log and, in the meantime, let me know if you have already solved the issues or no longer need my help.

Thanks. :)
Posted Image
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:48 AM

Posted 07 February 2009 - 12:06 PM

Hi Leeford,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

There are some things that require attention and I will go over these step by step. If you are unsure of anything I am saying then don’t continue, just post a query and I will get you back on track.

Please avoid changing anything on your computer (ie, downloading software) or taking unsupervised steps to remove any malware as this can make helping you much more difficult.

What I am finding doesn't correspond with the major problems you are having so we need to look a bit deeper.

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.

Thanks. :thumbup2:
Posted Image
m0le is a proud member of UNITE

#4 Leeford

Leeford
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 08 February 2009 - 08:01 AM

Hey m0le,

Thank you for your help. I can see how busy you guys are and its very much appreciated.
I hope you forgive my ignorance but I wasn't exactly sure what to turn off to disable script blocking, seeing as the problem computer is disconnected from the internet I shut down my anti virus and firewall and hoped that was all I needed to do, if its not please let me know because, like I say, I really wasn't certain.

Here are the new logs.
Thanks again, Leeford.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Ben at 12:49:18.25 on 08/02/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.223.81 [GMT 0:00]

AV: avast! antivirus 4.7.1098 [VPS 090126-0] *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Ben\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.microsoft.com
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: MSN Search Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Search Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll
TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\progra~1\wanadoo\wsbar\WSBar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PCTVOICE] pctspk.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRunOnce: [Magnify] Magnify.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\ben\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\msn toolbar suite\ds\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - hxxp://static.windupdates.com/cab/CDT/ie/bridge-c10.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://www.pandasecurity.com/activescan/cabs/as2stubie.cab
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1232712093267&h=7b793aa34dd3eb547ec1bfd52dff7ad5/&filename=jinstall-6u11-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-20 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-7-22 353680]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2004-12-27 140664]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2004-12-27 247160]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2005-3-29 345464]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;c:\windows\system32\drivers\WebSTAR.sys [2004-12-27 15417]

=============== Created Last 30 ================

2009-01-26 20:12 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-01-23 12:03 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-23 12:03 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-20 11:50 <DIR> --d----- C:\fsaua.data
2009-01-20 09:57 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-01-20 09:56 <DIR> --d----- c:\program files\Panda Security
2009-01-19 23:21 250 a------- c:\windows\gmer.ini
2009-01-16 17:08 <DIR> --d----- c:\program files\Trend Micro
2009-01-15 21:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-15 21:25 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-15 21:25 <DIR> --d----- c:\docume~1\ben\applic~1\SUPERAntiSpyware.com
2009-01-15 21:24 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-14 22:14 <DIR> --d----- c:\docume~1\ben\applic~1\Malwarebytes
2009-01-14 22:13 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-14 22:13 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 22:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-14 22:13 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-14 22:08 <DIR> --d----- c:\program files\SpywareGuard

==================== Find3M ====================

2009-02-08 12:15 1,536 ac------ c:\windows\system32\TrueSoft.dat
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-05 11:09 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-11-13 15:18 1,221,008 a------- c:\windows\system32\zpeng25.dll
2008-05-20 21:30 46,318 ac------ c:\docume~1\ben\applic~1\wklnhst.dat
2008-09-28 16:46 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092820080929\index.dat

============= FINISH: 12:50:38.19 ===============

Attached Files



#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:48 AM

Posted 08 February 2009 - 01:29 PM

Thanks for the updated scan, Leeford.

The scan isn't showing anything much so I would like you to do two things for me.

Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.
  • Open a command window by going to Start > Run and typing: cmd
  • Copy/paste or type the following in the command window: C:\fsbl.exe /expert
  • Hit "Enter" to start the program and then close the cmd box.
  • Accept the user agreement and click "Next".
  • Click "Scan".
  • After the scan is complete, click "Next", then "Exit".
  • BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
  • The log will have a list of all items found. Do not choose to rename any yet!
    I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe.
  • Exit Blacklight and post the contents of the log in your next reply.
  • Then download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
So that's the F-Secure Blacklight log and the two files from OTViewIt posted in your next reply.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#6 Leeford

Leeford
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 09 February 2009 - 05:16 AM

Ok, here you go. Hopefully these will help.

Thanks again. Leeford.

02/09/09 09:57:37 [Info]: BlackLight Engine 2.2.1092 initialized
02/09/09 09:57:37 [Info]: OS: 5.1 build 2600 (Service Pack 3)
02/09/09 09:57:38 [Note]: 7019 4
02/09/09 09:57:38 [Note]: 7005 0
02/09/09 09:57:43 [Note]: 7006 0
02/09/09 09:57:43 [Note]: 7022 0
02/09/09 09:57:43 [Note]: 7011 1316
02/09/09 09:57:43 [Note]: 7035 0
02/09/09 09:57:43 [Note]: 7026 0
02/09/09 09:57:44 [Note]: 7026 0
02/09/09 09:57:44 [Note]: FSRAW library version 1.7.1024
02/09/09 10:05:11 [Note]: 7007 0




OTViewIt logfile created on: 09/02/2009 10:07:12 - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Ben\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

223.48 Mb Total Physical Memory | 90.44 Mb Available Physical Memory | 40.47% Memory free
544.30 Mb Paging File | 251.73 Mb Available in Paging File | 46.25% Paging File free
Paging file location(s): C:\pagefile.sys 336 672;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.28 Gb Total Space | 20.75 Gb Free Space | 62.36% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ROOM-57
Current User Name: Ben
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2008/11/13 15:18:56 | 02,405,776 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
[2008/09/10 13:01:28 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
[2007/12/04 14:36:33 | 00,017,272 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
[2007/12/04 13:00:16 | 00,140,664 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
[2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[2004/03/29 15:08:16 | 00,049,152 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
[2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
[2005/06/13 14:45:54 | 00,827,392 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
[2009/01/23 12:02:55 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
[2007/12/04 12:59:53 | 00,247,160 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
[2007/12/04 12:59:01 | 00,345,464 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
[2008/04/14 00:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
[2003/03/27 09:43:38 | 00,110,592 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[2003/03/27 09:43:18 | 00,634,880 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[2003/01/06 16:00:00 | 00,176,128 | ---- | M] () -- C:\WINDOWS\system32\pctspk.exe
[2007/12/04 13:00:23 | 00,079,224 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
[2004/12/27 16:27:56 | 00,180,269 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[2008/11/13 15:18:56 | 00,981,904 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
[2008/11/20 13:20:54 | 00,290,088 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
[2009/01/23 12:02:57 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
[2009/01/19 20:08:24 | 00,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[2003/08/29 19:05:35 | 00,360,448 | ---- | M] () -- C:\Program Files\SpywareGuard\sgmain.exe
[2003/08/29 11:14:56 | 00,233,472 | ---- | M] () -- C:\Program Files\SpywareGuard\sgbhp.exe
[2008/11/20 13:20:44 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
[2009/02/09 09:53:48 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ben\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/09/10 13:01:28 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])
[2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
[2007/10/24 00:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2007/12/04 14:36:33 | 00,017,272 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv [Auto | Running])
[2007/12/04 13:00:16 | 00,140,664 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus [Auto | Running])
[2007/12/04 12:59:53 | 00,247,160 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner [On_Demand | Running])
[2007/12/04 12:59:01 | 00,345,464 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner [On_Demand | Running])
[2004/03/29 15:08:16 | 00,049,152 | ---- | M] () -- C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe -- (Belkin Wireless USB Network Adapter Service [Auto | Running])
[2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
[2007/10/24 00:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2009/01/19 20:08:20 | 00,137,200 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
[2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2008/11/20 13:20:44 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
[2009/01/23 12:02:55 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
[2003/04/16 14:52:28 | 00,091,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2003/03/09 04:31:02 | 00,065,795 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [On_Demand | Stopped])
[2008/11/13 15:18:56 | 02,405,776 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- (vsmon [Auto | Running])
[2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services ==========

[2007/12/04 14:49:02 | 00,026,624 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4 [System | Running])
[2006/10/22 18:31:21 | 00,020,747 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP [Auto | Running])
[2004/10/08 01:16:04 | 00,035,840 | ---- | M] (Oak Technology Inc.) -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K [System | Running])
[2003/12/08 11:53:48 | 00,053,600 | ---- | M] (THOMSON) -- C:\WINDOWS\system32\drivers\alcan5wn.sys -- (alcan5wn [On_Demand | Stopped])
[2003/12/08 11:53:46 | 00,070,688 | ---- | M] (THOMSON) -- C:\WINDOWS\system32\drivers\alcaudsl.sys -- (alcaudsl [On_Demand | Stopped])
[2004/08/04 12:00:00 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\drivers\aliide.sys -- (AliIde [Boot | Running])
[2008/04/13 18:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\drivers\amdagp.sys -- (amdagp [Boot | Running])
[2004/08/04 12:00:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\drivers\asc.sys -- (asc [Boot | Running])
[2004/08/04 12:00:00 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\drivers\asc3550.sys -- (asc3550 [Boot | Running])
[2007/12/04 14:55:46 | 00,094,544 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2 [Auto | Running])
[2007/12/04 14:53:39 | 00,023,152 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr [On_Demand | Running])
[2007/12/04 14:51:52 | 00,042,912 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi [System | Running])
[2006/10/18 03:00:00 | 00,002,432 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp [System | Running])
[2006/10/18 03:00:00 | 00,002,560 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k [System | Running])
[2004/08/04 12:00:00 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\drivers\cmdide.sys -- (CmdIde [Boot | Running])
[2004/08/04 12:00:00 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\drivers\dac2w2k.sys -- (dac2w2k [Boot | Running])
[2006/12/20 06:00:38 | 00,045,568 | ---- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\system32\drivers\fetnd5bv.sys -- (FET5X86V [On_Demand | Running])
[2006/12/20 06:00:38 | 00,045,568 | ---- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\system32\drivers\fetnd5bv.sys -- (FETND5BV [On_Demand | Stopped])
[2001/08/17 11:13:08 | 00,027,165 | ---- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\system32\drivers\fetnd5.sys -- (FETNDIS [On_Demand | Stopped])
[2003/04/24 03:28:04 | 00,041,984 | ---- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\system32\drivers\fetnd5b.sys -- (FETNDISB [On_Demand | Stopped])
[2008/04/17 13:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
[2009/01/19 23:20:59 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\system32\drivers\gmer.sys -- (gmer [On_Demand | Stopped])
[2003/03/09 04:31:00 | 00,051,024 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\hpzid412.sys -- (HPZid412 [On_Demand | Stopped])
[2003/03/09 04:31:02 | 00,016,080 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
[2003/03/09 04:31:02 | 00,021,456 | ---- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
[2001/08/17 12:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
[2004/08/04 12:00:00 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\drivers\mraid35x.sys -- (mraid35x [Boot | Running])
[2001/08/17 14:00:04 | 00,002,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401 [On_Demand | Stopped])
[2004/09/23 10:50:33 | 00,006,912 | ---- | M] (NewTech Infosystems, Inc.) -- C:\WINDOWS\system32\drivers\NTIDrvr.sys -- (NTIDrvr [On_Demand | Running])
[2003/04/10 03:27:26 | 00,007,040 | ---- | M] (VIA Networking, Inc. ) -- C:\WINDOWS\system32\ntsim.sys -- (NTSIM [On_Demand | Stopped])
[2008/06/19 17:24:30 | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot [Boot | Running])
[2004/08/04 12:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2003/04/07 07:15:00 | 00,137,015 | ---- | M] (PCTEL, INC.) -- C:\WINDOWS\system32\drivers\ptserial.sys -- (Ptserial [On_Demand | Running])
[2004/08/04 12:00:00 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql1080.sys -- (ql1080 [Boot | Running])
[2004/08/04 12:00:00 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql12160.sys -- (ql12160 [Boot | Running])
[2004/08/04 12:00:00 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql1280.sys -- (ql1280 [Boot | Running])
[2005/08/02 22:00:36 | 00,232,192 | ---- | M] (Ralink Technology, Corp.) -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73 [On_Demand | Stopped])
[2008/12/22 11:06:00 | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV [System | Running])
[2008/12/22 11:06:02 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
[2008/12/22 11:05:58 | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL [System | Running])
[2007/11/13 10:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2008/04/13 18:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\drivers\sisagp.sys -- (sisagp [Boot | Running])
[2004/08/04 12:00:00 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\drivers\sparrow.sys -- (Sparrow [Boot | Running])
[2008/04/21 07:19:58 | 00,051,648 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan [Boot | Running])
[2005/03/29 20:47:42 | 00,052,416 | ---- | M] (MCCI) -- C:\WINDOWS\system32\drivers\ssm_bus.sys -- (ssm_bus [On_Demand | Stopped])
[2005/03/29 20:47:58 | 00,006,096 | ---- | M] (MCCI) -- C:\WINDOWS\system32\drivers\ssm_mdfl.sys -- (ssm_mdfl [On_Demand | Stopped])
[2005/03/29 20:48:02 | 00,084,512 | ---- | M] (MCCI) -- C:\WINDOWS\system32\drivers\ssm_mdm.sys -- (ssm_mdm [On_Demand | Stopped])
[2004/08/04 12:00:00 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\drivers\symc810.sys -- (symc810 [Boot | Running])
[2004/08/04 12:00:00 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\symc8xx.sys -- (symc8xx [Boot | Running])
[2004/08/04 12:00:00 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\sym_hi.sys -- (sym_hi [Boot | Running])
[2004/08/04 12:00:00 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\sym_u3.sys -- (sym_u3 [Boot | Running])
[2003/03/27 09:35:52 | 00,268,784 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP [On_Demand | Running])
[2004/08/04 12:00:00 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\drivers\ultra.sys -- (ultra [Boot | Running])
[2008/11/07 14:23:30 | 00,032,000 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
[2002/12/27 03:41:00 | 00,026,880 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\system32\drivers\VIAAGP1.SYS -- (viaagp1 [Boot | Running])
[2003/11/07 02:46:56 | 00,117,888 | ---- | M] (Copyright © VIA/S3 Graphics, Inc.) -- C:\WINDOWS\system32\drivers\vtmini.sys -- (viagfx [On_Demand | Running])
[2003/02/26 08:04:00 | 00,370,048 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\system32\drivers\viaudios.sys -- (VIAudio [On_Demand | Running])
[2003/01/14 16:00:00 | 00,697,629 | ---- | M] (PCTEL, INC.) -- C:\WINDOWS\system32\drivers\vmodem.sys -- (Vmodem [Boot | Running])
[2003/01/14 16:00:00 | 00,551,883 | ---- | M] (PCtel, Inc.) -- C:\WINDOWS\system32\drivers\vpctcom.sys -- (Vpctcom [Boot | Running])
[2008/11/13 15:19:00 | 00,353,680 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant [System | Running])
[2002/10/24 08:07:00 | 00,006,912 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\system32\drivers\vulfnth.sys -- (vulfnths [On_Demand | Stopped])
[2002/11/13 09:34:06 | 00,010,496 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\system32\drivers\vulfntr.sys -- (vulfntrs [On_Demand | Running])
[2003/01/14 16:00:00 | 00,065,343 | ---- | M] (PCtel, Inc.) -- C:\WINDOWS\system32\drivers\vvoice.sys -- (Vvoice [Boot | Running])
[2001/12/17 11:25:58 | 00,015,417 | R--- | M] (Scientific Atlanta) -- C:\WINDOWS\system32\drivers\WebSTAR.sys -- (WebSTARNdis [On_Demand | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.google.com
"Start Page"=http://www.google.co.uk/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
"(Default)"=frsv

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = 127.0.0.1;*.local

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://www.pcservicecall.co.uk

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://www.pcservicecall.co.uk

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://www.pcservicecall.co.uk

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://www.pcservicecall.co.uk

[HKEY_USERS\S-1-5-21-784535805-2976035688-2074254852-1007\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.google.com
"Start Page"=http://www.google.co.uk/

[HKEY_USERS\S-1-5-21-784535805-2976035688-2074254852-1007\Software\Microsoft\Internet Explorer\SearchURL]
"(Default)"=frsv

[HKEY_USERS\S-1-5-21-784535805-2976035688-2074254852-1007\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-784535805-2976035688-2074254852-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = 127.0.0.1;*.local

========== (O1) Hosts File ==========

HOSTS File = (287238 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 www.1001namen.com
127.0.0.1 1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com
127.0.0.1 www.123haustiereundmehr.com
127.0.0.1 123haustiereundmehr.com
9901 more lines...

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{4A368E80-174F-4872-96B5-0B27DDD11DB2} (HKLM) -- C:\Program Files\SpywareGuard\dlprotect.dll ()
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
{AA58ED58-01DD-4d91-8333-CF10577473F7} (HKLM) -- c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (HKLM) -- C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll (Google Inc.)
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (HKLM) -- C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll (Microsoft Corporation)
{C84D72FE-E17D-4195-BB24-76C02E2E7C4E} (HKLM) -- C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)
{DBC80044-A445-435b-BC74-9C25C1C588A9} (HKLM) -- C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (HKLM) -- C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (HKLM) -- c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{8B68564D-53FD-4293-B80C-993A9F3988EE}" (HKLM) -- C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-784535805-2976035688-2074254852-1007\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-784535805-2976035688-2074254852-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

[HKEY_USERS\S-1-5-21-784535805-2976035688-2074254852-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" (HKLM) -- C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll (Microsoft Corporation)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
""= File not found
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe (Microsoft® Corporation)
"PCTVOICE"=pctspk.exe ()
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE ()
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe (Microsoft® Corporation)
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" (Check Point Software Technologies LTD)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

[HKEY_USERS\S-1-5-21-784535805-2976035688-2074254852-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

========== (O4) RunOnce Keys ==========

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Magnify"=Magnify.exe (Microsoft Corporation)
"RunNarrator"=Narrator.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Magnify"=Magnify.exe (Microsoft Corporation)
"RunNarrator"=Narrator.exe (Microsoft Corporation)

========== (O4) Startup Folders ==========

[2005/09/20 18:10:04 | 00,238,080 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
[2003/08/29 19:05:35 | 00,360,448 | ---- | M] () -- C:\Documents and Settings\Ben\Start Menu\Programs\Startup\SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"CDRAutoRun"=0

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-784535805-2976035688-2074254852-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{85d1f590-48f4-11d9-9669-0800200c9a66}: Menu: Uninstall BitDefender Online Scanner v8 -- %SystemRoot%\bdoscandel.exe [2008/01/09 15:01:48 | 00,053,248 | ---- | M] ()
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/04/18 19:10:18 | 00,041,024 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2008/04/13 18:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %SystemRoot%\system32\msjava.dll [Web Browser Applet Control] -> [2003/02/28 18:26:26 | 00,947,472 | ---- | M] (Microsoft Corporation)
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 18:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-784535805-2976035688-2074254852-1007\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %SystemRoot%\system32\msjava.dll [Web Browser Applet Control] -> [2003/02/28 18:26:26 | 00,947,472 | ---- | M] (Microsoft Corporation)
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 18:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
26 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
48 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
48 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-784535805-2976035688-2074254852-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
26 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}: http://static.windupdates.com/cab/CDT/ie/bridge-c10.cab -- Reg Error: Key does not exist or could not be opened.
{17492023-C23A-453E-A040-C7C580BBF700}: http://go.microsoft.com/fwlink/?linkid=39204 -- Windows Genuine Advantage Validation Tool
{193C772A-87BE-4B19-A7BB-445B226FE9A1}: http://downloads.ewido.net/ewidoOnlineScan.cab -- ewidoOnlineScan Control
{2D8ED06D-3C30-438B-96AE-4D110FDC1FB8}: http://www.pandasecurity.com/activescan/cabs/as2stubie.cab -- ActiveScan 2.0 Installer Class
{556DDE35-E955-11D0-A707-000000521957}: http://www.xblock.com/download/xclean_micro.exe -- Reg Error: Key does not exist or could not be opened.
{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}: http://www.eset.eu/buxus/docs/OnlineScanner.cab -- OnlineScanner Control
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}: http://download.bitdefender.com/resources/scan8/oscan8.cab -- BDSCANONLINE Control
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab -- Java Plug-in 1.6.0_11
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876}: http://support.f-secure.com/ols/fscax.cab -- F-Secure Online Scanner 3.3
{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_05
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_10
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11
Microsoft XML Parser for Java: file://C:\WINDOWS\Java\classes\xmldso.cab -- Reg Error: Key does not exist or could not be opened.

========== (O17) DNS Name Servers ==========

{30FA0506-19F9-4056-AAFA-5C7B47938591} (Servers: | Description: VIA Rhine II Fast Ethernet Adapter)
{9E8E1690-9E95-4749-BD17-383EBE624304} (Servers: | Description: WebSTAR DPX USB Cable Modem Adapter)
{B8B47CB8-483B-4A72-84CC-C0C22E860271} (Servers: | Description: Belkin 54g Wireless USB Network Adapter)

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
!SASWinLogon: "DllName" = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll -- C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1


========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\Z\Shell\AutoRun\command]
""=Z:\Info.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2009/02/09 10:06:26 | 00,422,912 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ben\Desktop\OTViewIt.exe
[2009/02/09 09:55:46 | 01,137,360 | ---- | C] (F-Secure Corporation) -- C:\fsbl.exe
[2009/01/27 14:58:30 | 00,002,382 | ---- | C] () -- C:\Documents and Settings\Ben\Desktop\Attach.zip
[2009/01/26 23:37:24 | 00,025,088 | ---- | C] () -- C:\Documents and Settings\Ben\My Documents\Hello all.doc
[2009/01/26 23:19:16 | 00,368,961 | ---- | C] () -- C:\Documents and Settings\Ben\Desktop\dds.scr
[2009/01/26 20:12:34 | 00,000,000 | ---D | C] -- C:\Program Files\EsetOnlineScanner
[2009/01/26 16:58:05 | 23,440,9984 | -HS- | C] () -- C:\hiberfil.sys
[2009/01/22 22:27:37 | 00,144,292 | ---- | C] () -- C:\Documents and Settings\Ben\Desktop\Eversheds.htm
[2009/01/20 15:28:50 | 00,000,000 | ---D | C] -- C:\WINDOWS\BDOSCAN8
[2009/01/20 11:50:12 | 00,000,000 | ---D | C] -- C:\fsaua.data
[2009/01/20 09:57:18 | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2009/01/20 09:56:44 | 00,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2009/01/19 23:21:06 | 00,000,250 | ---- | C] () -- C:\WINDOWS\gmer.ini
[2009/01/19 23:20:59 | 00,085,969 | ---- | C] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2009/01/19 23:20:59 | 00,000,080 | ---- | C] () -- C:\WINDOWS\gmer_uninstall.cmd
[2009/01/19 23:20:58 | 00,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll
[2009/01/19 23:20:58 | 00,811,008 | ---- | C] () -- C:\WINDOWS\gmer.exe
[2009/01/19 15:07:22 | 00,082,882 | ---- | C] () -- C:\Documents and Settings\Ben\Desktop\eversheds.pdf
[2009/01/19 14:37:26 | 00,268,288 | ---- | C] () -- C:\Documents and Settings\Ben\Desktop\Thursday 15th January 2009 (2).doc
[2009/01/16 17:08:09 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/01/15 21:26:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/01/15 21:25:55 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/01/15 21:25:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ben\Application Data\SUPERAntiSpyware.com
[2009/01/15 21:24:44 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/01/14 22:14:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ben\Application Data\Malwarebytes
[2009/01/14 22:13:59 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/01/14 22:13:55 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/01/14 22:13:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/01/14 22:13:51 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/01/14 22:08:32 | 00,000,650 | ---- | C] () -- C:\Documents and Settings\Ben\Start Menu\Programs\Startup\SpywareGuard.lnk
[2009/01/14 22:08:27 | 00,000,000 | ---D | C] -- C:\Program Files\SpywareGuard

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/02/09 09:53:48 | 00,422,912 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ben\Desktop\OTViewIt.exe
[2009/02/09 09:53:30 | 01,137,360 | ---- | M] (F-Secure Corporation) -- C:\fsbl.exe
[2009/02/09 09:52:03 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/02/09 09:51:46 | 00,348,440 | -H-- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2009/02/09 09:51:03 | 00,001,536 | ---- | M] () -- C:\WINDOWS\System32\TrueSoft.dat
[2009/02/09 09:50:16 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/02/09 09:49:01 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/02/09 09:49:00 | 23,440,9984 | -HS- | M] () -- C:\hiberfil.sys
[2009/02/08 14:24:34 | 04,312,840 | -H-- | M] () -- C:\Documents and Settings\Ben\Local Settings\Application Data\IconCache.db
[2009/02/08 12:18:12 | 00,368,961 | ---- | M] () -- C:\Documents and Settings\Ben\Desktop\dds.scr
[2009/01/27 14:58:30 | 00,002,382 | ---- | M] () -- C:\Documents and Settings\Ben\Desktop\Attach.zip
[2009/01/26 23:37:25 | 00,025,088 | ---- | M] () -- C:\Documents and Settings\Ben\My Documents\Hello all.doc
[2009/01/26 23:28:47 | 00,002,497 | ---- | M] () -- C:\Documents and Settings\Ben\Desktop\Microsoft Office Word 2003.lnk
[2009/01/22 22:27:39 | 00,144,292 | ---- | M] () -- C:\Documents and Settings\Ben\Desktop\Eversheds.htm
[2009/01/19 23:21:06 | 00,000,250 | ---- | M] () -- C:\WINDOWS\gmer.ini
[2009/01/19 23:20:59 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2009/01/19 23:20:59 | 00,000,080 | ---- | M] () -- C:\WINDOWS\gmer_uninstall.cmd
[2009/01/19 23:20:58 | 00,884,736 | ---- | M] () -- C:\WINDOWS\gmer.dll
[2009/01/19 15:07:23 | 00,082,882 | ---- | M] () -- C:\Documents and Settings\Ben\Desktop\eversheds.pdf
[2009/01/19 14:37:30 | 00,268,288 | ---- | M] () -- C:\Documents and Settings\Ben\Desktop\Thursday 15th January 2009 (2).doc
[2009/01/17 18:03:03 | 00,000,739 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/01/17 18:03:03 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/01/17 18:03:03 | 00,000,211 | RHS- | M] () -- C:\boot.ini
[2009/01/15 21:31:06 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\Ben\Desktop\iTunes.lnk
[2009/01/14 22:25:10 | 00,411,784 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/01/14 22:25:10 | 00,065,896 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/01/14 22:25:09 | 00,484,656 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/01/14 22:08:32 | 00,000,650 | ---- | M] () -- C:\Documents and Settings\Ben\Start Menu\Programs\Startup\SpywareGuard.lnk
[2009/01/14 16:11:32 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/01/14 16:11:28 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/01/14 10:11:41 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
< End of report >








OTViewIt Extras logfile created on: 09/02/2009 10:07:13 - Run
OTViewIt by OldTimer - Version 1.0.21.0 Folder = C:\Documents and Settings\Ben\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

223.48 Mb Total Physical Memory | 90.44 Mb Available Physical Memory | 40.47% Memory free
544.30 Mb Paging File | 251.73 Mb Available in Paging File | 46.25% Paging File free
Paging file location(s): C:\pagefile.sys 336 672;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.28 Gb Total Space | 20.75 Gb Free Space | 62.36% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ROOM-57
Current User Name: Ben
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=0
"DoNotAllowExceptions"=0
"DisableNotifications"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/14 00:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/13 18:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
File not found -- C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/14 00:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2008/04/13 18:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service
File not found -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
File not found -- C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
[2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
[2008/11/20 13:20:48 | 14,294,824 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] -- C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/04/03 18:50:18 | 00,876,640 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/04/03 18:50:18 | 00,876,640 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/04/03 18:50:18 | 00,876,640 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2001/06/20 16:26:46 | 00,221,184 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (ms-itss:{0A9007C0-4076-11D3-8789-0000F8105754} (HKLM) [Microsoft Infotech Storage Protocol for IE 4.0])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/04/16 15:44:46 | 08,080,440 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/04/18 19:17:18 | 00,041,024 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{20110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"=Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}"=Java™ 6 Update 11
"{318AB667-3230-41B5-A617-CB3BF748D371}"=iTunes
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}"=Apple Software Update
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}"=Bonjour
"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}"=VC 9.0 Runtime
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}"=SUPERAntiSpyware Free Edition
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}"=Ad-Aware
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}"=Apple Mobile Device Support
"{F958CA02-BB40-4007-894B-258729456EE4}"=QuickTime
"ActiveScan 2.0"=Panda ActiveScan 2.0
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Entriq MediaSphere_is1"=Uninstall Entriq MediaSphere
"EsetOnlineScanner"=ESET Online Scanner
"FreeZip"=FreeZip
"HijackThis"=HijackThis 2.0.2
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"SpywareGuard_is1"=SpywareGuard v2.2
"Windows XP Service Pack"=Windows XP Service Pack 3
"ZoneAlarm"=ZoneAlarm

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 31/08/2005 11:57:38 | Computer Name = ROOM-57 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf failed, 0000A474.

Error - 29/11/2005 16:47:33 | Computer Name = ROOM-57 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\DOCUME~1\Ben\LOCALS~1\Temp\TFR29.tmp failed, 0000A477.

Error - 29/11/2005 17:00:26 | Computer Name = ROOM-57 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\DOCUME~1\Ben\LOCALS~1\Temp\TFR2B.tmp failed, 0000A477.

Error - 20/02/2006 16:12:37 | Computer Name = ROOM-57 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\GHOJOV8V\2075865745[1].ppt
failed, 0000A477.

Error - 08/03/2006 16:42:51 | Computer Name = ROOM-57 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\DWWZDTWH\Lecture%203[1].ppt
failed, 0000A477.

Error - 02/05/2006 15:06:13 | Computer Name = ROOM-57 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\S5K123O1\2waySlidesjn20[1].ppt
failed, 0000A477.

Error - 10/05/2006 11:04:33 | Computer Name = ROOM-57 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\A9AF8L2R\2110383422[1].ppt
failed, 0000A477.

Error - 11/05/2006 07:07:07 | Computer Name = ROOM-57 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\G16BKX6N\2113357497[1].ppt
failed, 0000A477.

Error - 13/05/2006 07:57:09 | Computer Name = ROOM-57 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\MVEH6T0R\2119926532[1].ppt
failed, 0000A477.

Error - 19/01/2009 18:26:30 | Computer Name = ROOM-57 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Ben\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.BIN
failed, 0000A413.

[ Application Events ]
Error - 26/01/2009 12:31:57 | Computer Name = ROOM-57 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16762, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 26/01/2009 12:32:05 | Computer Name = ROOM-57 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16762, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 26/01/2009 12:32:05 | Computer Name = ROOM-57 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16762, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 26/01/2009 12:32:13 | Computer Name = ROOM-57 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16762, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 26/01/2009 12:32:13 | Computer Name = ROOM-57 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16762, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 26/01/2009 12:34:00 | Computer Name = ROOM-57 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16762, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 26/01/2009 12:34:02 | Computer Name = ROOM-57 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16762, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 26/01/2009 16:31:15 | Computer Name = ROOM-57 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16762, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 08/02/2009 08:28:34 | Computer Name = ROOM-57 | Source = Microsoft Office 11 | ID = 2000
Description =

Error - 08/02/2009 08:29:17 | Computer Name = ROOM-57 | Source = Microsoft Office 11 | ID = 1000
Description =

[ System Events ]
Error - 26/01/2009 12:44:23 | Computer Name = ROOM-57 | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 26/01/2009 12:44:23 | Computer Name = ROOM-57 | Source = Service Control Manager | ID = 7001
Description = The TrueVector Internet Monitor service depends on the vsdatant service
which failed to start because of the following error: %%31

Error - 26/01/2009 12:44:23 | Computer Name = ROOM-57 | Source = Service Control Manager | ID = 7001
Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 26/01/2009 12:44:23 | Computer Name = ROOM-57 | Source = Service Control Manager | ID = 7001
Description = The Bonjour Service service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 26/01/2009 12:44:23 | Computer Name = ROOM-57 | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 26/01/2009 12:44:23 | Computer Name = ROOM-57 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Aavmker4 AFD aswTdi Fips IPSec MRxSmb NetBIOS NetBT pavboot Processor RasAcd Rdbss SASDIFSV
SASKUTIL
Tcpip
vsdatant

Error - 26/01/2009 12:57:13 | Computer Name = ROOM-57 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 26/01/2009 13:07:20 | Computer Name = ROOM-57 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Dnscache service.

Error - 27/01/2009 18:51:13 | Computer Name = ROOM-57 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.2 for the Network Card with network
address 00173F12696B has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 08/02/2009 08:16:45 | Computer Name = ROOM-57 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >

Attached Files



#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:48 AM

Posted 09 February 2009 - 02:02 PM

Hi Leeford,

Nothing much is coming up but we have to deal with what is there.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall prior to our fix..

We need to backup your registry as we will be making changes there.
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click (or if your PC is running Vista, right-click and select Run As Adminstrator) the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6]
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Please also perform another MalwareBytes Anti-malware scan, make sure you set it to perform a full scan. Post the log that is generated.

So just to recap, I would like the OTMoveIt and MBAM logs and also lease also a new DDS log and a description of any remaining problems.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#8 Leeford

Leeford
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 12 February 2009 - 02:51 PM

Hey here.

Sorry again for the delay. Just a guess, but I don't think I got the OTMoveIt to work correctly....
Thanks, Leeford


Error: Unable to interpret <[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6]> in the current context!

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02122009_180723


Malwarebytes' Anti-Malware 1.33
Database version: 1695
Windows 5.1.2600 Service Pack 3

12/02/2009 19:39:04
mbam-log-2009-02-12 (19-39-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 108060
Time elapsed: 38 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



DDS (Ver_09-02-01.01) - NTFSx86
Run by Ben at 19:39:38.43 on 12/02/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.223.66 [GMT 0:00]

AV: avast! antivirus 4.7.1098 [VPS 090126-0] *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Ben\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.microsoft.com
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: MSN Search Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Search Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll
TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\progra~1\wanadoo\wsbar\WSBar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PCTVOICE] pctspk.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRunOnce: [Magnify] Magnify.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\ben\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\msn toolbar suite\ds\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - hxxp://static.windupdates.com/cab/CDT/ie/bridge-c10.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://www.pandasecurity.com/activescan/cabs/as2stubie.cab
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1232712093267&h=7b793aa34dd3eb547ec1bfd52dff7ad5/&filename=jinstall-6u11-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-20 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-7-22 353680]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2004-12-27 140664]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2004-12-27 247160]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2005-3-29 345464]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;c:\windows\system32\drivers\WebSTAR.sys [2004-12-27 15417]

=============== Created Last 30 ================

2009-02-12 18:01 <DIR> --d----- C:\_OTMoveIt
2009-02-09 09:55 1,137,360 a------- C:\fsbl.exe
2009-01-26 20:12 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-01-23 12:03 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-23 12:03 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-20 11:50 <DIR> --d----- C:\fsaua.data
2009-01-20 09:57 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-01-20 09:56 <DIR> --d----- c:\program files\Panda Security
2009-01-19 23:21 250 a------- c:\windows\gmer.ini
2009-01-16 17:08 <DIR> --d----- c:\program files\Trend Micro
2009-01-15 21:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-15 21:25 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-15 21:25 <DIR> --d----- c:\docume~1\ben\applic~1\SUPERAntiSpyware.com
2009-01-15 21:24 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-14 22:14 <DIR> --d----- c:\docume~1\ben\applic~1\Malwarebytes
2009-01-14 22:13 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-14 22:13 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 22:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-14 22:13 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-14 22:08 <DIR> --d----- c:\program files\SpywareGuard

==================== Find3M ====================

2009-02-12 16:54 1,536 ac------ c:\windows\system32\TrueSoft.dat
2008-12-05 11:09 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-05-20 21:30 46,318 ac------ c:\docume~1\ben\applic~1\wklnhst.dat
2008-09-28 16:46 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092820080929\index.dat

============= FINISH: 19:40:46.68 ===============

Attached Files



#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:48 AM

Posted 13 February 2009 - 12:02 PM

Hi Leeford,

Let's try the OTMoveIt again.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall prior to our fix and make sure the registry is backed up.

Paste the following code under the Posted Image area. Do not include the word "Code".
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6]
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Can I have a new DDS log as well.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#10 Leeford

Leeford
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 13 February 2009 - 12:44 PM

Hey there. Thanks again for all your help.

A couple of windows opened up again as I was doing this but it wasn't an onslaught so they were ok to shut. So I guess whatever it is is still there, somewhere...

Thanks, Leeford.


========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6\\ not found.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02132009_172928




DDS (Ver_09-02-01.01) - NTFSx86
Run by Ben at 17:35:05.72 on 13/02/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.223.84 [GMT 0:00]

AV: avast! antivirus 4.7.1098 [VPS 090126-0] *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Ben\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.microsoft.com
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: MSN Search Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Search Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll
TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\progra~1\wanadoo\wsbar\WSBar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PCTVOICE] pctspk.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRunOnce: [Magnify] Magnify.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\ben\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\msn toolbar suite\ds\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - hxxp://static.windupdates.com/cab/CDT/ie/bridge-c10.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://www.pandasecurity.com/activescan/cabs/as2stubie.cab
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1232712093267&h=7b793aa34dd3eb547ec1bfd52dff7ad5/&filename=jinstall-6u11-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-20 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-7-22 353680]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2004-12-27 140664]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2004-12-27 247160]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2005-3-29 345464]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;c:\windows\system32\drivers\WebSTAR.sys [2004-12-27 15417]

=============== Created Last 30 ================

2009-02-12 18:01 <DIR> --d----- C:\_OTMoveIt
2009-02-09 09:55 1,137,360 a------- C:\fsbl.exe
2009-01-26 20:12 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-01-23 12:03 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-23 12:03 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-20 11:50 <DIR> --d----- C:\fsaua.data
2009-01-20 09:57 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-01-20 09:56 <DIR> --d----- c:\program files\Panda Security
2009-01-19 23:21 250 a------- c:\windows\gmer.ini
2009-01-16 17:08 <DIR> --d----- c:\program files\Trend Micro
2009-01-15 21:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-15 21:25 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-15 21:25 <DIR> --d----- c:\docume~1\ben\applic~1\SUPERAntiSpyware.com
2009-01-15 21:24 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-14 22:14 <DIR> --d----- c:\docume~1\ben\applic~1\Malwarebytes
2009-01-14 22:13 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-14 22:13 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 22:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-14 22:13 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-14 22:08 <DIR> --d----- c:\program files\SpywareGuard

==================== Find3M ====================

2009-02-13 17:20 1,536 ac------ c:\windows\system32\TrueSoft.dat
2008-12-05 11:09 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-05-20 21:30 46,318 ac------ c:\docume~1\ben\applic~1\wklnhst.dat
2008-09-28 16:46 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092820080929\index.dat

============= FINISH: 17:35:44.35 ===============

Attached Files



#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:48 AM

Posted 13 February 2009 - 02:23 PM

Hi Leeford,

Yes, it hasn't gone so we will try another method.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it to your desktop (click file, save as) as fixit.reg In the same open notepad, at the bottom select:(filetype = any).

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}]

NOTICE: This file was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Locate fixit.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Please reply back letting me know if it merged correctly and provide another DDS log so we can see if we got it this time :thumbup2:
Posted Image
m0le is a proud member of UNITE

#12 Leeford

Leeford
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 13 February 2009 - 03:26 PM

Yes, that worked fine. Here're the new logs.

Thanks for all this help! Leeford.



DDS (Ver_09-02-01.01) - NTFSx86
Run by Ben at 20:21:17.84 on 13/02/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.223.90 [GMT 0:00]

AV: avast! antivirus 4.7.1098 [VPS 090126-0] *On-access scanning enabled* (Outdated)
FW: ZoneAlarm Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Ben\Desktop\dds.scr
C:\Program Files\Real\RealPlayer\RealPlay.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.microsoft.com
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: MSN Search Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Search Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll
TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\progra~1\wanadoo\wsbar\WSBar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PCTVOICE] pctspk.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRunOnce: [Magnify] Magnify.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\ben\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\msn toolbar suite\ds\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://www.pandasecurity.com/activescan/cabs/as2stubie.cab
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1232712093267&h=7b793aa34dd3eb547ec1bfd52dff7ad5/&filename=jinstall-6u11-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-20 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-7-22 353680]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2004-12-27 140664]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2004-12-27 247160]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2005-3-29 345464]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;c:\windows\system32\drivers\WebSTAR.sys [2004-12-27 15417]

=============== Created Last 30 ================

2009-02-12 18:01 <DIR> --d----- C:\_OTMoveIt
2009-02-09 09:55 1,137,360 a------- C:\fsbl.exe
2009-01-26 20:12 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-01-23 12:03 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-23 12:03 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-20 11:50 <DIR> --d----- C:\fsaua.data
2009-01-20 09:57 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-01-20 09:56 <DIR> --d----- c:\program files\Panda Security
2009-01-19 23:21 250 a------- c:\windows\gmer.ini
2009-01-16 17:08 <DIR> --d----- c:\program files\Trend Micro
2009-01-15 21:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-15 21:25 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-15 21:25 <DIR> --d----- c:\docume~1\ben\applic~1\SUPERAntiSpyware.com
2009-01-15 21:24 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-14 22:14 <DIR> --d----- c:\docume~1\ben\applic~1\Malwarebytes
2009-01-14 22:13 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-14 22:13 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 22:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-14 22:13 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-14 22:08 <DIR> --d----- c:\program files\SpywareGuard

==================== Find3M ====================

2009-02-13 20:15 1,536 ac------ c:\windows\system32\TrueSoft.dat
2008-12-05 11:09 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-05-20 21:30 46,318 ac------ c:\docume~1\ben\applic~1\wklnhst.dat
2008-09-28 16:46 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092820080929\index.dat

============= FINISH: 20:22:52.90 ===============

Attached Files



#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:48 AM

Posted 14 February 2009 - 06:39 AM

Okay, your log is clean. Good stuff! :thumbup2:

Let's firstly do some housekeeping

Please download OTCleanIt and save it to Desktop.

Make sure you have internet connection.
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes
Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Here's a few things you can do to avoid problems in the future:

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

That's it Leeford, happy surfing!

Cheers,


m0le
Posted Image
m0le is a proud member of UNITE

#14 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:03:48 AM

Posted 15 February 2009 - 06:04 AM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security
Posted Image

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users