Can't remove this-Gen:adware.heur.722ed18181 [Moved]


  • This topic is locked
13 replies to this topic

#1 missyj

missyj

  • Members
  • 34 posts
  • OFFLINE
  • Local time:12:06 AM

Posted 25 July 2009 - 03:06 PM

Hi,

I was just cleaned by you in the Am I infected? forum, but seems I have another one. Since I know it is infected, I'm posting here. I have been getting popups titled "Contextual Ads by Adzgalore". I went to the Add/Remove programs and Adz is not listed there. Since I have programs for my last problem, I also scanned with DrWeb CureIt, SuperAntiSpyWare, MalWare Bytes, and now my BitDefender. They all found the stuff in quarantine but now BitDefender found this that it can't remove, fix or delete--Gen:adware.heur.722ed18181. This machine was given to me by my son and had Nod32 antivirus installed on it. Since I seem to keep getting stuff, I deleted that and replaced it with BitDefender. On my old computer, I very rarely got infected and it had BitD on it. I don't know what direction to go to now. Since this new popup issue, I switched from Firefox to Opera and it hasn't popped up there, but I know it is still on this machine. Can anyone help me---again---to get rid of THIS popup and hopefully help me from getting more.

Thanks!


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,719 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:12:06 AM

Posted 25 July 2009 - 03:43 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:01:06 AM

Posted 26 July 2009 - 07:00 PM

Update mbam and run a FULL scan
Please post the results

If you still cannot get into safemode, still run Dr web and SAS in normal mode and post the logs and we'll go from there
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#4 missyj

missyj
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:12:06 AM

Posted 27 July 2009 - 04:47 PM

These scans were run in normal mode---

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/24/2009 at 03:56 PM

Application Version : 4.26.1006

Core Rules Database Version : 4017
Trace Rules Database Version: 1957

Scan type : Quick Scan
Total Scan Time : 00:18:43

Memory items scanned : 495
Memory threats detected : 0
Registry items scanned : 412
Registry threats detected : 1
File items scanned : 11484
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\user\Cookies\user@paypal.112.2o7[1].txt
C:\Documents and Settings\user\Cookies\user@stats.paypal[1].txt

Rogue.Component/Trace
HKU\S-1-5-21-1085031214-1303643608-839522115-1004\Software\Microsoft\FIAS4057


Malwarebytes' Anti-Malware 1.39
Database version: 2423
Windows 5.1.2600 Service Pack 3

7/24/2009 3:26:04 PM
mbam-log-2009-07-24 (15-26-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 138028
Time elapsed: 20 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\mozilla firefox\components\d68a1195-204d-cfbd-51fa-6ec19bbd4dc2.dll (Adware.Yoog) -> Quarantined and deleted successfully.


Here is what is on the Stopzilla log. It's quite a list since it has more than one scan on it---


Information Registry enforcer 2009-07-15 16:32:53 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-15 16:32:50 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-15 16:32:50 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-15 16:32:47 Starting process watcher
Block/Extraction NT Service enforcer 2009-07-14 20:11:28 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-07-14 20:11:28 Disabled service: messenger -
Warning/Detection Process enforcer 2009-07-14 19:37:25 Monitoring process c:\program files\windows live\messenger\msnmsgr.exe
Information Internet ExplorerSiteguard 2009-07-14 19:37:17 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-14 19:37:17 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-14 19:37:14 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-14 19:37:11 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-14 19:37:10 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-14 19:37:06 Starting process watcher
Block/Extraction NT Service enforcer 2009-07-14 18:36:22 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-07-14 18:36:22 Disabled service: messenger -
Warning/Detection Process enforcer 2009-07-14 18:25:07 Monitoring process c:\program files\windows live\messenger\msnmsgr.exe
Block/Extraction Hosts file 2009-07-14 18:25:04 Deleted 'hosts' file entries: 5 Entries
Information Registry enforcer 2009-07-14 18:25:01 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Internet ExplorerSiteguard 2009-07-14 18:25:01 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-14 18:25:01 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-14 18:25:00 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-14 18:25:00 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-14 18:25:00 Starting process watcher
Block/Extraction NT Service enforcer 2009-07-14 18:20:08 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-07-14 18:20:08 Disabled service: messenger -
Warning/Detection Process enforcer 2009-07-14 18:09:15 Monitoring process c:\program files\windows live\messenger\msnmsgr.exe
Block/Extraction Hosts file 2009-07-14 18:09:12 Deleted 'hosts' file entries: 5 Entries
Information Internet ExplorerSiteguard 2009-07-14 18:09:09 Inspecting registered Internet Explorer toolbars





Can't seem to get a log from BitDefender or DrWeb. I didn't physically save any logs, just assumed the programs would do that. I guess these two don't or, at least I don't know where to find them.

#5 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:01:06 AM

Posted 28 July 2009 - 06:43 PM

Run Dr Web again:
  • Put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Seeing how you just were recently here, let's try this scan also

Please download HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that,(7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#6 missyj

missyj
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:12:06 AM

Posted 29 July 2009 - 07:50 PM

OK. DrWeb found nothing. Next, I did the RootRepeal as the help file said and there was nothing found under the files tab. Then I scanned like you asked and here is the report--

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/29 19:42
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB4B57000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB4E3B000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_NTPNP2598
Image Path: \Driver\PCI_NTPNP2598
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBAAB8000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba90887e

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xba6c3fb2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xba6c4340

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xba6be0b0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys" at address 0xb2c52c90

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys" at address 0xb2c52d7e

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xba6c4418

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xba6c4298

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba908bfe

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb4d28df0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys" at address 0xb2c52ec4

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8afef1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8afef1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8afef1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8afef1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8afef1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8afef1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8afef1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8afef1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8afef1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8afef1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8afef1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8afef1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8afef1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8afef1e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8afef1e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89e3f790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89e3f790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x89e3f790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x89e3f790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89e3f790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89e3f790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89e3f790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89e3f790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89e3f790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x89e3f790 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x89e3f790 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CLOSE]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_READ]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_WRITE]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_EA]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_EA]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CLEANUP]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_POWER]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_PNP]
Process: System Address: 0x8b03d1e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8ad751e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8ad751e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8ad751e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8ad751e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ad751e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ad751e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ad751e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ad751e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8ad751e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ad751e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8ad751e8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x88f031e8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x88f031e8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x88f031e8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x88f031e8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88f031e8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x88f031e8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x88f031e8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x88f031e8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x88f031e8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x8aeb91e8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x8aeb91e8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aeb91e8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8aeb91e8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x8aeb91e8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8aeb91e8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x8aeb91e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8b03a1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8b03a1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8b03a1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8b03a1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b03a1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8b03a1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8b03a1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8b03a1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8b03a1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8b03a1e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8b03a1e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x88f581e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x88f581e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88f581e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x88f581e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x88f581e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x88f581e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8ad801e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8ad801e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ad801e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ad801e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8ad801e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ad801e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8ad801e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x89e2e1e8 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఄ䵃‷沌沌က, IRP_MJ_CREATE]
Process: System Address: 0x8ad923e0 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఄ䵃‷沌沌က, IRP_MJ_CLOSE]
Process: System Address: 0x8ad923e0 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఄ䵃‷沌沌က, IRP_MJ_READ]
Process: System Address: 0x8ad923e0 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఄ䵃‷沌沌က, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8ad923e0 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఄ䵃‷沌沌က, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8ad923e0 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఄ䵃‷沌沌က, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8ad923e0 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఄ䵃‷沌沌က, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8ad923e0 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఄ䵃‷沌沌က, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8ad923e0 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఄ䵃‷沌沌က, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ad923e0 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఄ䵃‷沌沌က, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ad923e0 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఄ䵃‷沌沌က, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8ad923e0 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఄ䵃‷沌沌က, IRP_MJ_CLEANUP]
Process: System Address: 0x8ad923e0 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఄ䵃‷沌沌က, IRP_MJ_PNP]
Process: System Address: 0x8ad923e0 Size: 121

==EOF==

Have no idea why it shows up with the little squares--
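Reading a RootRepeal report like the one above by hand is tedious, and the question a defender actually needs answered is which module installed each SSDT hook and whether that module belongs to a product known to be on the machine. The Python script below is an added example, not part of this thread and not code from RootRepeal. It parses the SSDT and Stealth Objects sections of a saved report (the excerpt embedded in it is taken from the report posted above, garbled Cdfs entry included), groups hooks by hooking module, and checks each module against an allowlist that is this example's own assumption. On this report every hooker resolves to a known product: sptd.sys (the SPTD driver installed by Daemon Tools and Alcohol), Lbd.sys (Lavasoft Ad-Aware), BitDefender's bdselfpr.sys and SUPERAntiSpyware's SASKUTIL.sys, so the list of unknown modules comes back empty.

```python
"""Triage helper for the SSDT and Stealth Objects sections of a RootRepeal report.
Added example: not part of the thread and not RootRepeal's own code. The
allowlist of known SSDT hookers is an assumption an analyst would maintain."""
import re
from collections import defaultdict

# Assumed allowlist: products whose drivers legitimately hook the SSDT.
KNOWN_HOOKERS = {
    "sptd.sys": "SPTD disc-emulation driver (Daemon Tools / Alcohol)",
    "lbd.sys": "Lavasoft Ad-Aware",
    "bdselfpr.sys": "BitDefender self-protection",
    "saskutil.sys": "SUPERAntiSpyware",
}

SSDT_RE = re.compile(r'^#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\w+)\s*$')
HOOK_RE = re.compile(r'^Status:\s*Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)')
STEALTH_RE = re.compile(r'^Object:\s*Hidden Code \[Driver:\s*(?P<driver>[^,]+),\s*(?P<irp>IRP_MJ_\w+)\]')

# Excerpt of the report posted in the thread, including its garbled Cdfs entry.
SAMPLE_REPORT = r"""
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba90887e
#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xba6c3fb2
#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xba6c4340
#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xba6be0b0
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys" at address 0xb2c52c90
#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys" at address 0xb2c52d7e
#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xba6c4418
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xba6c4298
#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba908bfe
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb4d28df0
#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys" at address 0xb2c52ec4

Stealth Objects
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Object: Hidden Code [Driver: Cdfs؅ఄ䵃‷沌沌က, IRP_MJ_CREATE]
Object: Hidden Code [Driver: Cdfs؅ఄ䵃‷沌沌က, IRP_MJ_CLOSE]
==EOF==
"""


def parse_report(text):
    """Return (ssdt_hooks, stealth_objects) parsed from report text."""
    hooks, stealth, pending = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            pending = (int(m.group("index")), m.group("func"))
        elif (m := HOOK_RE.match(line)) and pending:
            hooks.append({"index": pending[0], "function": pending[1],
                          "module": m.group("module"), "address": int(m.group("addr"), 16)})
            pending = None
        elif m := STEALTH_RE.match(line):
            # Keep only the leading printable-ASCII run of the driver name; the
            # thread's Cdfs entry carries stray bytes after the real name.
            driver = re.match(r"[\x20-\x7e]*", m.group("driver")).group(0).strip()
            stealth.append({"driver": driver, "irp": m.group("irp")})
    return hooks, stealth


def triage(hooks):
    """Group SSDT hooks by the hooking module's file name and classify it."""
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h["module"].rsplit("\\", 1)[-1].lower()].append(h["function"])
    return {mod: {"functions": sorted(funcs), "known": mod in KNOWN_HOOKERS,
                  "label": KNOWN_HOOKERS.get(mod, "UNKNOWN: verify file on disk and its signer")}
            for mod, funcs in by_module.items()}


def unknown_modules(triaged):
    """Modules that hook the SSDT but are not on the allowlist."""
    return sorted(m for m, info in triaged.items() if not info["known"])


def stealth_by_driver(stealth):
    """Count hidden-code objects per driver. In the thread's report every entry
    has Size: 121 and one address per driver, which suggests a single component
    patching each driver's dispatch table rather than many separate changes."""
    counts = defaultdict(int)
    for s in stealth:
        counts[s["driver"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hooks, stealth = parse_report(SAMPLE_REPORT)
    triaged = triage(hooks)
    for mod, info in triaged.items():
        print("ok " if info["known"] else "?? ", mod, info["label"], ", ".join(info["functions"]))
    print("unknown hookers:", unknown_modules(triaged))
    print("hidden-code objects per driver:", stealth_by_driver(stealth))
```

The allowlist is the part to keep honest: a module is only "known" if it matches a product the machine owner actually installed, and the file should still be checked on disk and by publisher signature before the hook is dismissed. Anything the script reports as UNKNOWN is what a helper on a thread like this would ask about next.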

#7 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:01:06 AM

Posted 30 July 2009 - 06:36 PM

ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".
--------------------------------

Full tutorial:
http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/


Please print out and follow these instructions: "How to use SDFix".
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • Please be patient as the scan may take up to 20 minutes to complete.
  • When the process is complete, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • The SDFix report log (Report.txt) will open in Notepad and automatically be saved in the SDFix folder.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#8 missyj

missyj
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:12:06 AM

Posted 31 July 2009 - 08:59 AM

OK, here is the SD report--

SDFix: Version 1.240
Run by Administrator on 07/31/2009 Fri at 08:20 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-31 08:29:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:12,62,76,08,47,ef,54,71,23,a6,9d,1f,0c,32,23,36,93,69,da,f7,d1,..
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\MRxDAV\EncryptedDirectories]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:12,62,76,08,47,ef,54,71,23,a6,9d,1f,0c,32,23,36,93,69,da,f7,d1,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:12,62,76,08,47,ef,54,71,23,a6,9d,1f,0c,32,23,36,93,69,da,f7,d1,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin"="C:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin:*:Enabled:rakion"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"="C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe:*:Enabled:PlayOnline Viewer"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\Codemasters\\RF Online\\RF.exe"="C:\\Program Files\\Codemasters\\RF Online\\RF.exe:*:Enabled:RFLauncher"
"C:\\Program Files\\Softnyx\\Rakion\\bdrs\\rakion\\bin\\rakion.bin"="C:\\Program Files\\Softnyx\\Rakion\\bdrs\\rakion\\bin\\rakion.bin:*:Enabled:rakion"
"C:\\Rohan\\rohanclient.exe"="C:\\Rohan\\rohanclient.exe:*:Enabled:Rohan Online Game"
"C:\\Program Files\\Abyss Web Server\\abyssws.exe"="C:\\Program Files\\Abyss Web Server\\abyssws.exe:*:Enabled:Abyss Web Server X1"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Softnyx\\Rakion-bdrs\\Bin\\rakion.bin"="C:\\Program Files\\Softnyx\\Rakion-bdrs\\Bin\\rakion.bin:*:Enabled:rakion"
"C:\\Program Files\\Starcraft\\StarCraft.exe"="C:\\Program Files\\Starcraft\\StarCraft.exe:*:Enabled:Starcraft"
"C:\\Program Files\\Free Download Manager\\fdm.exe"="C:\\Program Files\\Free Download Manager\\fdm.exe:*:Enabled:Free Download Manager"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\Softnyx\\RakionIS\\Bin\\rakion.bin"="C:\\Program Files\\Softnyx\\RakionIS\\Bin\\rakion.bin:*:Enabled:rakion"
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"="C:\\Program Files\\Electronic Arts\\EADM\\Core.exe:*:Enabled:EA Download Manager"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\Steam\\steamapps\\theonewhotried\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\theonewhotried\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Aspyr\\Guitar Hero III\\GH3.exe"="C:\\Program Files\\Aspyr\\Guitar Hero III\\GH3.exe:*:Enabled:Guitar Hero III"
"C:\\Program Files\\Softnyx\\RakionIS-bdrs\\Bin\\rakion.bin"="C:\\Program Files\\Softnyx\\RakionIS-bdrs\\Bin\\rakion.bin:*:Enabled:rakion"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\Blizzard Launcher Temporary - ce51be78\\Launcher.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\Blizzard Launcher Temporary - ce51be78\\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP2\\WNt500x86\\RpcSandraSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP2\\WNt500x86\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"
"C:\\Program Files\\River Past\\Screen Recorder\\ScreenRecorder.exe"="C:\\Program Files\\River Past\\Screen Recorder\\ScreenRecorder.exe:*:Enabled:River Past Screen Recorder"
"C:\\Rohan_Global\\rohanclient.exe"="C:\\Rohan_Global\\rohanclient.exe:*:Enabled:Rohan Online Game"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\World of Warcraft\\Launcher.exe"="C:\\Program Files\\World of Warcraft\\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Softnyx\\RakionKS\\Bin\\rakion.bin"="C:\\Program Files\\Softnyx\\RakionKS\\Bin\\rakion.bin:*:Enabled:rakion"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

Remaining Files :



Files with Hidden Attributes :

Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Thu 5 Mar 2009 2,260,480 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 2 Nov 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 26 Sep 2008 5,107,775 A..HR --- "C:\Documents and Settings\user\Desktop\TindrickFLyff.exe"
Fri 2 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\user\Application Data\U3\temp\Launchpad Removal.exe"

Finished!
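
The "Authorized Application Key Export" block in the SDFix report above is the Windows Firewall exception list, and it is worth reading on its own: an exception for rundll32.exe lets any DLL launched through it talk out, and an exception for an executable sitting under Local Settings\Temp outlives whatever installer put it there. The following is an added example, not part of the original post or of SDFix: a small Python parser for that section of the report, run over a handful of lines copied from the log above (the sample text is constructed from those lines; the risk rules and the P2P filename list are the example's own assumptions, not SDFix output).

```python
"""Triage the "Authorized Application Key Export" section of an SDFix report.

Added example; the parsing rules assume the .reg-style layout SDFix prints:
a [HKEY_LOCAL_MACHINE\...\firewallpolicy\<profile>\authorizedapplications\list]
key line followed by "path"="path:scope:Enabled:name" value lines.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the entries from the report above, in the
# exact format SDFix prints them (backslashes doubled as in a .reg export).
SAMPLE_REPORT = r'''
Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\Blizzard Launcher Temporary - ce51be78\\Launcher.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\Blizzard Launcher Temporary - ce51be78\\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\\Program Files\\Abyss Web Server\\abyssws.exe"="C:\\Program Files\\Abyss Web Server\\abyssws.exe:*:Enabled:Abyss Web Server X1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :
'''


@dataclass(frozen=True)
class Entry:
    profile: str   # "standardprofile" (no domain) or "domainprofile"
    path: str      # executable path with the .reg escaping undone
    scope: str     # "*" means any remote address
    enabled: bool
    name: str      # display name shown in the firewall UI


@dataclass(frozen=True)
class Finding:
    code: str
    profile: str
    path: str
    reason: str


KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\system\\.*firewallpolicy\\(?P<profile>\w+)"
    r"\\authorizedapplications\\list\]$", re.I)
# Path is greedy, so the split lands on the last ":scope:state:name" triple;
# the state alternation keeps a "C:\" inside the path from being mistaken for it.
VALUE_RE = re.compile(
    r'^"(?P<key>[^"]+)"="(?P<path>.+):(?P<scope>[^:"]*)'
    r':(?P<state>enabled|disabled):(?P<name>[^"]*)"$', re.I)
TEMP_DIR_RE = re.compile(r"\\(local settings\\temp|temp|tmp)\\", re.I)
P2P_CLIENTS = {"limewire.exe", "btdna.exe"}   # assumption: judged by filename only


def parse_authorized_apps(report: str) -> list[Entry]:
    """Return every firewall exception listed in the SDFix report text."""
    entries: list[Entry] = []
    profile = None
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Authorized Application Key Export"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("Remaining Files"):
            break                                   # end of the section
        key = KEY_RE.match(line)
        if key:
            profile = key.group("profile").lower()
            continue
        value = VALUE_RE.match(line)
        if value and profile:
            entries.append(Entry(
                profile=profile,
                path=value.group("path").replace("\\\\", "\\"),
                scope=value.group("scope"),
                enabled=value.group("state").lower() == "enabled",
                name=value.group("name")))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Flag enabled exceptions a reviewer would want explained."""
    findings: list[Finding] = []
    for e in entries:
        if not e.enabled:
            continue
        exe = e.path.rsplit("\\", 1)[-1].lower()
        if exe == "rundll32.exe":
            findings.append(Finding("rundll32", e.profile, e.path,
                "any DLL run through rundll32.exe inherits this exception"))
        if TEMP_DIR_RE.search(e.path):
            findings.append(Finding("temp_dir", e.profile, e.path,
                "exception for an executable in a Temp directory"))
        if exe in P2P_CLIENTS and e.scope == "*":
            findings.append(Finding("p2p", e.profile, e.path,
                "peer-to-peer client reachable from any remote address"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_authorized_apps(SAMPLE_REPORT)):
        print(f"[{f.code}] {f.profile}: {f.path}\n    {f.reason}")
```

Run against the full report rather than the sample, the same three rules fire on the rundll32.exe, LimeWire and Temp-directory Launcher.exe entries; the remaining game and messenger exceptions are ordinary for a gaming machine and are a judgment call, not a finding.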

#9 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:01:06 AM

Posted 31 July 2009 - 07:49 PM

I just noticed in that last scan that you use Spybot's TeaTimer function.
You need to disable that.

TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open Spybot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [image] and then on "Advanced Mode"
    [image]
  • You may be presented with a warning dialog. If so, press [image]
  • Click on [image]
  • Click on [image]
  • Uncheck this checkbox:
    [image]
  • Close/Exit Spybot Search and Destroy

Then rerun the scans.
Mark

#10 missyj

missyj
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:12:06 AM

Posted 02 August 2009 - 04:22 PM

OK, here is the new SD log--

SDFix: Version 1.240
Run by Administrator on 08/02/2009 Sun at 02:52 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-02 15:00:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"=str(7):"\??\c:\documents and settings\user\local settings\temp\catchme.sys\0\0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:12,62,76,08,47,ef,54,71,23,a6,9d,1f,0c,32,23,36,93,69,da,f7,d1,..
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\MRxDAV\EncryptedDirectories]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:12,62,76,08,47,ef,54,71,23,a6,9d,1f,0c,32,23,36,93,69,da,f7,d1,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:12,62,76,08,47,ef,54,71,23,a6,9d,1f,0c,32,23,36,93,69,da,f7,d1,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin"="C:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin:*:Enabled:rakion"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"="C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe:*:Enabled:PlayOnline Viewer"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\Codemasters\\RF Online\\RF.exe"="C:\\Program Files\\Codemasters\\RF Online\\RF.exe:*:Enabled:RFLauncher"
"C:\\Program Files\\Softnyx\\Rakion\\bdrs\\rakion\\bin\\rakion.bin"="C:\\Program Files\\Softnyx\\Rakion\\bdrs\\rakion\\bin\\rakion.bin:*:Enabled:rakion"
"C:\\Rohan\\rohanclient.exe"="C:\\Rohan\\rohanclient.exe:*:Enabled:Rohan Online Game"
"C:\\Program Files\\Abyss Web Server\\abyssws.exe"="C:\\Program Files\\Abyss Web Server\\abyssws.exe:*:Enabled:Abyss Web Server X1"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Softnyx\\Rakion-bdrs\\Bin\\rakion.bin"="C:\\Program Files\\Softnyx\\Rakion-bdrs\\Bin\\rakion.bin:*:Enabled:rakion"
"C:\\Program Files\\Starcraft\\StarCraft.exe"="C:\\Program Files\\Starcraft\\StarCraft.exe:*:Enabled:Starcraft"
"C:\\Program Files\\Free Download Manager\\fdm.exe"="C:\\Program Files\\Free Download Manager\\fdm.exe:*:Enabled:Free Download Manager"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\Softnyx\\RakionIS\\Bin\\rakion.bin"="C:\\Program Files\\Softnyx\\RakionIS\\Bin\\rakion.bin:*:Enabled:rakion"
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"="C:\\Program Files\\Electronic Arts\\EADM\\Core.exe:*:Enabled:EA Download Manager"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\Steam\\steamapps\\theonewhotried\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\theonewhotried\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Aspyr\\Guitar Hero III\\GH3.exe"="C:\\Program Files\\Aspyr\\Guitar Hero III\\GH3.exe:*:Enabled:Guitar Hero III"
"C:\\Program Files\\Softnyx\\RakionIS-bdrs\\Bin\\rakion.bin"="C:\\Program Files\\Softnyx\\RakionIS-bdrs\\Bin\\rakion.bin:*:Enabled:rakion"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\Blizzard Launcher Temporary - ce51be78\\Launcher.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\Blizzard Launcher Temporary - ce51be78\\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP2\\WNt500x86\\RpcSandraSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP2\\WNt500x86\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"
"C:\\Program Files\\River Past\\Screen Recorder\\ScreenRecorder.exe"="C:\\Program Files\\River Past\\Screen Recorder\\ScreenRecorder.exe:*:Enabled:River Past Screen Recorder"
"C:\\Rohan_Global\\rohanclient.exe"="C:\\Rohan_Global\\rohanclient.exe:*:Enabled:Rohan Online Game"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\World of Warcraft\\Launcher.exe"="C:\\Program Files\\World of Warcraft\\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Softnyx\\RakionKS\\Bin\\rakion.bin"="C:\\Program Files\\Softnyx\\RakionKS\\Bin\\rakion.bin:*:Enabled:rakion"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

Remaining Files :



Files with Hidden Attributes :

Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Thu 5 Mar 2009 2,260,480 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 2 Nov 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 26 Sep 2008 5,107,775 A..HR --- "C:\Documents and Settings\user\Desktop\TindrickFLyff.exe"
Fri 2 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\user\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

Here is the Stopzilla log--

Block/Extraction NT Service enforcer 2009-08-02 16:18:13 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 16:18:13 Disabled service: messenger -
Block/Extraction Pop-up blocker 2009-08-02 16:17:04 Removed file c:\sdfix\apps\dummy.sys
Block/Extraction Pop-up blocker 2009-08-02 16:17:04 Removed file c:\sdfix\dummy.sys
Block/Extraction Pop-up blocker 2009-08-02 16:17:04 Removed file c:\docume~1\user\locals~1\temp\catchme.sys
Block/Extraction Pop-up blocker 2009-08-02 16:17:03 Removed file c:\documents and settings\user\local settings\temp\catchme.sys
Block/Extraction Pop-up blocker 2009-08-02 16:17:02 Removed file c:\sdfix\apps\swsc.exe
Block/Extraction Pop-up blocker 2009-08-02 16:17:00 Removed file c:\documents and settings\administrator\local settings\temp\catchme.sys
Block/Extraction NT Service enforcer 2009-08-02 16:16:29 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 16:16:22 Disabled service: messenger -
Information Internet ExplorerSiteguard 2009-08-02 16:16:20 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-08-02 16:16:19 Inspecting registered Explorer bars
Information Registry enforcer 2009-08-02 16:16:15 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-08-02 16:16:12 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-08-02 16:16:10 Inspecting registered Browser Helper Objects (BHOs)
Block/Extraction NT Service enforcer 2009-08-02 16:16:10 Disabled service: messenger -
Information Process enforcer 2009-08-02 16:16:04 Starting process watcher
Block/Extraction NT Service enforcer 2009-08-02 16:12:36 Removed driver: c:\documents and settings\user\local settings\temp\catchme.sys
Block/Extraction NT Service enforcer 2009-08-02 16:12:34 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 16:12:33 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 16:12:17 Removed driver: c:\documents and settings\user\local settings\temp\catchme.sys
Block/Extraction NT Service enforcer 2009-08-02 16:12:17 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 16:12:17 Disabled service: messenger -
Block/Extraction Pop-up blocker 2009-08-02 16:12:10 Extracted package Swreg
Block/Extraction File enforcer 2009-08-02 16:12:10 Extracted files: path, c:\system volume information\_restore{5aca5edf-d7a3-4d9a-a2f4-de8d11ee6463}\rp27\a0002310.exe
Block/Extraction File enforcer 2009-08-02 16:12:10 Deleted file: c:\system volume information\_restore{5aca5edf-d7a3-4d9a-a2f4-de8d11ee6463}\rp27\a0002310.exe
Block/Extraction File enforcer 2009-08-02 16:12:10 Quarantined file: c:\system volume information\_restore{5aca5edf-d7a3-4d9a-a2f4-de8d11ee6463}\rp27\a0002310.exe
Block/Extraction Pop-up blocker 2009-08-02 16:12:09 Extracted package CatchMe
Block/Extraction Pop-up blocker 2009-08-02 16:12:08 Extracted package Conhook.AG
Block/Extraction Registry enforcer 2009-08-02 16:12:08 Extracted registry key hklm\software\microsoft\windows\currentversion\explorer\browser settings
Block/Extraction Pop-up blocker 2009-08-02 16:12:08 Extracted package Vundo.F
Block/Extraction File enforcer 2009-08-02 16:12:07 Extracted files: path, c:\system volume information\_restore{5aca5edf-d7a3-4d9a-a2f4-de8d11ee6463}\rp25\a0002052.sys
Block/Extraction File enforcer 2009-08-02 16:12:07 Deleted file: c:\system volume information\_restore{5aca5edf-d7a3-4d9a-a2f4-de8d11ee6463}\rp25\a0002052.sys
Block/Extraction File enforcer 2009-08-02 16:12:07 Quarantined file: c:\system volume information\_restore{5aca5edf-d7a3-4d9a-a2f4-de8d11ee6463}\rp25\a0002052.sys
Block/Extraction File enforcer 2009-08-02 16:12:07 Deleted file: c:\system volume information\_restore{5aca5edf-d7a3-4d9a-a2f4-de8d11ee6463}\rp25\a0002051.sys
Block/Extraction File enforcer 2009-08-02 16:12:07 Extracted files: path, c:\system volume information\_restore{5aca5edf-d7a3-4d9a-a2f4-de8d11ee6463}\rp25\a0002051.sys
Block/Extraction File enforcer 2009-08-02 16:12:07 Quarantined file: c:\system volume information\_restore{5aca5edf-d7a3-4d9a-a2f4-de8d11ee6463}\rp25\a0002051.sys
Block/Extraction File enforcer 2009-08-02 16:12:06 Extracted files: path, c:\sdfix\apps\dummy.sys
Block/Extraction File enforcer 2009-08-02 16:12:06 Deleted file: c:\sdfix\apps\dummy.sys
Block/Extraction File enforcer 2009-08-02 16:12:06 Suppressed file: c:\sdfix\apps\dummy.sys
Block/Extraction File enforcer 2009-08-02 16:12:05 Extracted files: path, c:\sdfix\dummy.sys
Block/Extraction File enforcer 2009-08-02 16:12:05 Deleted file: c:\sdfix\dummy.sys
Block/Extraction File enforcer 2009-08-02 16:12:05 Suppressed file: c:\sdfix\dummy.sys
Block/Extraction NT Service enforcer 2009-08-02 15:33:20 Removed driver: c:\documents and settings\user\local settings\temp\catchme.sys
Block/Extraction NT Service enforcer 2009-08-02 15:33:19 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 15:33:19 Disabled service: messenger -
Information Registry enforcer 2009-08-02 15:30:36 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-08-02 15:30:36 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-08-02 15:30:34 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-08-02 15:30:34 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Block/Extraction NT Service enforcer 2009-08-02 15:30:34 Removed driver: c:\documents and settings\user\local settings\temp\catchme.sys
Block/Extraction NT Service enforcer 2009-08-02 15:30:32 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 15:30:32 Disabled service: messenger -
Information Registry enforcer 2009-08-02 15:30:31 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-08-02 15:30:31 Inspecting WinSock registry (LSP Chain)
Block/Extraction NT Service enforcer 2009-08-02 15:30:29 Removed driver: c:\documents and settings\user\local settings\temp\catchme.sys
Block/Extraction NT Service enforcer 2009-08-02 15:30:27 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 15:30:27 Disabled service: messenger -
Information General 2009-08-02 15:30:27 Completed system scan.
Information Registry enforcer 2009-08-02 15:30:26 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-08-02 15:30:26 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Block/Extraction NT Service enforcer 2009-08-02 15:30:23 Removed driver: c:\documents and settings\user\local settings\temp\catchme.sys
Information Registry enforcer 2009-08-02 15:30:23 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-08-02 15:30:23 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Block/Extraction NT Service enforcer 2009-08-02 15:30:22 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 15:30:22 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 15:10:03 Removed driver: c:\documents and settings\user\local settings\temp\catchme.sys
Block/Extraction NT Service enforcer 2009-08-02 15:10:03 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 15:10:03 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 15:04:34 Removed driver: c:\documents and settings\user\local settings\temp\catchme.sys
Block/Extraction NT Service enforcer 2009-08-02 15:04:33 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 15:04:33 Disabled service: messenger -
Information General 2009-08-02 15:04:32 Started system scan.
Block/Extraction NT Service enforcer 2009-08-02 15:03:47 Removed driver: c:\documents and settings\user\local settings\temp\catchme.sys
Block/Extraction NT Service enforcer 2009-08-02 15:03:46 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 15:03:45 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 15:00:08 Removed driver: c:\documents and settings\user\local settings\temp\catchme.sys
Block/Extraction NT Service enforcer 2009-08-02 15:00:07 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 15:00:07 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 15:00:06 Removed service: catchme -
Block/Extraction Registry enforcer 2009-08-02 15:00:05 Extracted registry key HKLM\SYSTEM\CurrentControlSet\Services\catchme
Block/Extraction Registry enforcer 2009-08-02 15:00:05 Extracted registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
Block/Extraction Registry enforcer 2009-08-02 14:59:58 Deleted registry value system in hklm\software\microsoft\windows nt\currentversion\winlogon
Block/Extraction File enforcer 2009-08-02 14:59:47 Deleted file: c:\sdfix\apps\swsc.exe
Block/Extraction File enforcer 2009-08-02 14:59:47 Suppressed file: c:\sdfix\apps\swsc.exe
Block/Extraction File enforcer 2009-08-02 14:59:46 Deleted file: c:\sdfix\apps\swsc.exe
Block/Extraction File enforcer 2009-08-02 14:59:43 Suppressed file: c:\sdfix\apps\swsc.exe
Block/Extraction NT Service enforcer 2009-08-02 14:59:13 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 14:59:13 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 14:58:36 Removed driver: c:\documents and settings\administrator\local settings\temp\catchme.sys
Block/Extraction NT Service enforcer 2009-08-02 14:58:36 Removed service: catchme -
Block/Extraction NT Service enforcer 2009-08-02 14:58:25 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 14:58:20 Disabled service: messenger -
Information Internet ExplorerSiteguard 2009-08-02 14:58:16 Inspecting registered Internet Explorer toolbars
Block/Extraction Registry enforcer 2009-08-02 14:58:16 Deleted registry value system in hklm\software\microsoft\windows nt\currentversion\winlogon
Information Registry enforcer 2009-08-02 14:58:16 Inspecting registered Explorer bars
Block/Extraction NT Service enforcer 2009-08-02 14:58:12 Removed service: catchme - catchme
Block/Extraction Registry enforcer 2009-08-02 14:58:12 Extracted registry key HKLM\SYSTEM\CurrentControlSet\Services\catchme
Block/Extraction Registry enforcer 2009-08-02 14:58:12 Extracted registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
Information Registry enforcer 2009-08-02 14:58:08 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-08-02 14:58:08 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-08-02 14:58:07 Inspecting registered Browser Helper Objects (BHOs)
Block/Extraction NT Service enforcer 2009-08-02 14:58:07 Disabled service: messenger -
Information Process enforcer 2009-08-02 14:58:06 Starting process watcher
Block/Extraction NT Service enforcer 2009-08-02 14:45:38 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 14:45:37 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 14:39:49 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 14:39:49 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 14:38:17 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 14:38:17 Disabled service: messenger -
Information Registry enforcer 2009-08-02 14:37:02 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-08-02 14:37:01 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-08-02 14:36:58 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-08-02 14:36:57 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-08-02 14:36:50 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-08-02 14:36:49 Inspecting WinSock registry (LSP Chain)
Information General 2009-08-02 14:36:46 Completed system scan.
Information General 2009-08-02 14:36:38 Started system scan.
Block/Extraction NT Service enforcer 2009-08-02 14:36:18 Disabled service: messenger -
Information Internet ExplorerSiteguard 2009-08-02 14:36:14 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-08-02 14:36:13 Inspecting registered Explorer bars
Block/Extraction NT Service enforcer 2009-08-02 14:36:10 Disabled service: messenger -
Information Registry enforcer 2009-08-02 14:36:06 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-08-02 14:36:05 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-08-02 14:36:05 Inspecting registered Browser Helper Objects (BHOs)
Block/Extraction NT Service enforcer 2009-08-02 14:36:05 Disabled service: messenger -
Information Process enforcer 2009-08-02 14:36:03 Starting process watcher
Block/Extraction NT Service enforcer 2009-08-02 14:32:27 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 14:32:26 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 14:32:18 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 14:32:18 Disabled service: messenger -
Information Registry enforcer 2009-08-02 14:31:45 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-08-02 14:31:40 Inspecting WinSock registry (LSP Chain)
Block/Extraction NT Service enforcer 2009-08-02 14:31:37 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-08-02 14:31:37 Disabled service: messenger -
Information Registry enforcer 2009-08-02 14:31:34 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-08-02 14:31:34 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information General 2009-08-02 14:31:32 Request to update definitions completed successfully.
Information General 2009-08-02 14:31:28 Anti-Spyware Incremental definition update 5.0.50.16 successfully applied.
Information General 2009-08-02 14:31:26 Anti-Spyware Incremental definition update 5.0.50.15 successfully applied.
Information General 2009-08-02 14:31:25 Anti-Spyware Incremental definition update 5.0.50.14 successfully applied.
Information General 2009-08-02 14:31:23 Anti-Spyware Incremental definition update 5.0.50.13 successfully applied.
Information General 2009-08-02 14:31:21 Anti-Spyware Incremental definition update 5.0.50.12 successfully applied.
Information General 2009-08-02 14:31:21 Anti-Spyware Incremental definition update 5.0.50.11 successfully applied.
Information General 2009-08-02 14:31:19 Anti-Spyware Incremental definition update 5.0.50.10 successfully applied.
Information General 2009-08-02 14:31:18 Anti-Spyware Incremental definition update 5.0.50.9 successfully applied.
Information General 2009-08-02 14:31:17 Anti-Spyware Incremental definition update 5.0.50.8 successfully applied.
Information General 2009-08-02 14:31:15 Anti-Spyware Incremental definition update 5.0.50.7 successfully applied.
Information Internet ExplorerSiteguard 2009-08-02 14:31:01 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-08-02 14:31:01 Inspecting registered Explorer bars
Information Registry enforcer 2009-08-02 14:31:01 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-08-02 14:31:00 Starting process watcher
Block/Extraction File enforcer 2009-08-02 14:27:36 Extracted files: path, c:\sdfix\dummy.sys
Block/Extraction File enforcer 2009-08-02 14:27:36 Deleted file: c:\sdfix\dummy.sys
Block/Extraction File enforcer 2009-08-02 14:27:35 Quarantined file: c:\sdfix\dummy.sys
Information Registry enforcer 2009-08-01 23:20:51 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-08-01 23:20:47 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-08-01 23:20:43 Inspecting WinSock registry (LSP Chain)
Information General 2009-08-01 23:20:43 Completed system scan.
Information Registry enforcer 2009-08-01 23:20:38 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-08-01 23:20:38 Inspecting WinSock registry (LSP Chain)
Information General 2009-08-01 23:00:30 Started scheduled scan.
Information General 2009-07-31 23:26:51 Completed system scan.
Information Registry enforcer 2009-07-31 23:26:50 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-31 23:26:50 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-31 23:26:46 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-31 23:26:46 Inspecting WinSock registry (LSP Chain)
Information General 2009-07-31 23:00:31 Started scheduled scan.
Information General 2009-07-31 19:45:09 SITEguard Incremental definition update 5.0.50.16 successfully applied.
Information Registry enforcer 2009-07-31 19:44:58 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-31 19:44:58 Inspecting WinSock registry (LSP Chain)
Information Internet ExplorerSiteguard 2009-07-31 19:44:56 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-31 19:44:56 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-31 19:44:56 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-31 19:44:56 Inspecting registered Browser Helper Objects (BHOs)
Information General 2009-07-31 19:44:54 Exploit definition update (07/31/2009 10:15 PM GMT) successfully applied.
Information General 2009-07-31 19:44:54 Request to update definitions completed successfully.
Information General 2009-07-31 19:44:51 Anti-Spyware Incremental definition update 5.0.50.16 successfully applied.
Information General 2009-07-31 13:45:16 SITEguard Incremental definition update 5.0.50.15 successfully applied.
Information Registry enforcer 2009-07-31 13:45:09 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-31 13:45:07 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-31 13:45:05 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-31 13:45:04 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-31 13:45:01 Inspecting WinSock registry (LSP Chain)
Information Internet ExplorerSiteguard 2009-07-31 13:45:00 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-31 13:45:00 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-31 13:44:59 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-31 13:44:59 Inspecting registered Browser Helper Objects (BHOs)
Information General 2009-07-31 13:44:58 Malicious Site definition update (07/29/2009 12:52 PM GMT) successfully applied.
Information General 2009-07-31 13:44:58 Exploit definition update (07/30/2009 05:41 PM GMT) successfully applied.
Information General 2009-07-31 13:44:58 Request to update definitions completed successfully.
Information General 2009-07-31 13:44:54 Anti-Spyware Incremental definition update 5.0.50.15 successfully applied.
Information General 2009-07-31 13:44:53 Anti-Spyware Incremental definition update 5.0.50.14 successfully applied.
Information General 2009-07-31 13:44:52 Anti-Spyware Incremental definition update 5.0.50.13 successfully applied.
Information General 2009-07-31 13:44:51 Anti-Spyware Incremental definition update 5.0.50.12 successfully applied.
Warning/Detection Process enforcer 2009-07-31 08:51:37 Monitoring process c:\program files\windows live\messenger\msnmsgr.exe
Information Internet ExplorerSiteguard 2009-07-31 08:51:28 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-31 08:51:17 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-31 08:50:56 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-31 08:50:50 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-31 08:50:49 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-31 08:50:47 Starting process watcher
Block/Extraction NT Service enforcer 2009-07-31 08:47:50 Removed driver: c:\documents and settings\user\local settings\temp\catchme.sys
Block/Extraction NT Service enforcer 2009-07-31 08:47:48 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-07-31 08:47:48 Disabled service: messenger -
Warning/Detection Process enforcer 2009-07-31 08:45:54 Monitoring process c:\program files\windows live\messenger\msnmsgr.exe
Block/Extraction NT Service enforcer 2009-07-31 08:44:47 Removed driver: c:\documents and settings\user\local settings\temp\catchme.sys
Block/Extraction Pop-up blocker 2009-07-31 08:43:48 Removed file c:\documents and settings\user\local settings\temp\catchme.sys
Block/Extraction Pop-up blocker 2009-07-31 08:43:48 Removed file c:\documents and settings\administrator\local settings\temp\catchme.sys
Block/Extraction Pop-up blocker 2009-07-31 08:43:20 Extracted package Swreg
Block/Extraction Pop-up blocker 2009-07-31 08:43:20 Extracted package CatchMe
Block/Extraction NT Service enforcer 2009-07-31 08:29:53 Removed driver: c:\documents and settings\user\local settings\temp\catchme.sys
Block/Extraction NT Service enforcer 2009-07-31 08:29:17 Removed driver: c:\documents and settings\user\local settings\temp\catchme.sys
Block/Extraction NT Service enforcer 2009-07-31 08:29:16 Removed service: catchme -
Block/Extraction Registry enforcer 2009-07-31 08:29:16 Extracted registry key HKLM\SYSTEM\CurrentControlSet\Services\catchme
Block/Extraction Registry enforcer 2009-07-31 08:29:16 Extracted registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
Block/Extraction Registry enforcer 2009-07-31 08:29:07 Deleted registry value system in hklm\software\microsoft\windows nt\currentversion\winlogon
Block/Extraction File enforcer 2009-07-31 08:28:57 Deleted file: c:\system volume information\_restore{5aca5edf-d7a3-4d9a-a2f4-de8d11ee6463}\rp22\a0001951.exe
Block/Extraction File enforcer 2009-07-31 08:28:55 Quarantined file: c:\system volume information\_restore{5aca5edf-d7a3-4d9a-a2f4-de8d11ee6463}\rp22\a0001951.exe
Block/Extraction File enforcer 2009-07-31 08:28:55 Deleted file: c:\sdfix\apps\swsc.exe
Block/Extraction File enforcer 2009-07-31 08:28:54 Quarantined file: c:\sdfix\apps\swsc.exe
Block/Extraction NT Service enforcer 2009-07-31 08:27:41 Removed driver: c:\documents and settings\administrator\local settings\temp\catchme.sys
Block/Extraction NT Service enforcer 2009-07-31 08:27:41 Removed service: catchme -
Block/Extraction NT Service enforcer 2009-07-31 08:27:19 Removed service: catchme - catchme
Block/Extraction Registry enforcer 2009-07-31 08:27:11 Extracted registry key HKLM\SYSTEM\CurrentControlSet\Services\catchme
Block/Extraction Registry enforcer 2009-07-31 08:27:04 Extracted registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
Block/Extraction Registry enforcer 2009-07-31 08:27:01 Deleted registry value system in hklm\software\microsoft\windows nt\currentversion\winlogon
Information Internet ExplorerSiteguard 2009-07-31 08:26:54 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-31 08:26:54 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-31 08:26:52 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-31 08:26:52 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-31 08:26:50 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-31 08:26:49 Starting process watcher
Block/Extraction NT Service enforcer 2009-07-31 08:12:39 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-07-31 08:12:38 Disabled service: messenger -
Warning/Detection Process enforcer 2009-07-31 07:29:06 Monitoring process c:\program files\windows live\messenger\msnmsgr.exe
Information Internet ExplorerSiteguard 2009-07-31 07:29:01 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-31 07:28:59 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-31 07:28:59 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-31 07:28:59 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-31 07:28:59 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-31 07:28:54 Starting process watcher
Block/Extraction NT Service enforcer 2009-07-31 06:00:38 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-07-31 06:00:37 Disabled service: messenger -
Information General 2009-07-31 05:58:15 Started scheduled scan.
Warning/Detection Process enforcer 2009-07-31 05:57:54 Monitoring process c:\program files\windows live\messenger\msnmsgr.exe
Information Internet ExplorerSiteguard 2009-07-31 05:57:48 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-31 05:57:48 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-31 05:57:46 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-31 05:57:45 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-31 05:57:45 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-31 05:57:39 Starting process watcher
Block/Extraction NT Service enforcer 2009-07-30 20:13:26 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-07-30 20:13:26 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-07-30 20:13:13 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-07-30 20:13:12 Disabled service: messenger -
Warning/Detection Process enforcer 2009-07-30 15:51:59 Monitoring process c:\program files\windows live\messenger\msnmsgr.exe
Information Internet ExplorerSiteguard 2009-07-30 15:51:45 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-30 15:51:45 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-30 15:51:45 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-30 15:51:45 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-30 15:51:41 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-30 15:51:38 Starting process watcher
Block/Extraction NT Service enforcer 2009-07-30 03:32:44 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-07-30 03:32:44 Disabled service: messenger -
Block/Extraction Pop-up blocker 2009-07-30 03:31:17 Extracted package Host file (Not Restorable)
Block/Extraction Hosts file 2009-07-30 03:31:16 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Hosts file 2009-07-30 03:31:14 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Hosts file 2009-07-30 03:31:12 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Hosts file 2009-07-30 03:31:11 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Hosts file 2009-07-30 03:31:09 Deleted 'hosts' file entries: 5 Entries
Warning/Detection Process enforcer 2009-07-30 03:09:20 Monitoring process c:\program files\windows live\messenger\msnmsgr.exe
Block/Extraction Hosts file 2009-07-30 03:09:11 Deleted 'hosts' file entries: 5 Entries
Information Registry enforcer 2009-07-30 03:09:07 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Internet ExplorerSiteguard 2009-07-30 03:09:07 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-30 03:09:07 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-30 03:09:04 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-30 03:09:04 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-30 03:09:03 Starting process watcher
Block/Extraction NT Service enforcer 2009-07-30 03:06:24 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-07-30 03:06:23 Disabled service: messenger -
Information Registry enforcer 2009-07-29 23:28:39 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-29 23:28:39 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-29 23:28:36 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-29 23:28:36 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-29 23:28:33 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-29 23:28:32 Inspecting WinSock registry (LSP Chain)
Information General 2009-07-29 23:28:32 Completed system scan.
Information Registry enforcer 2009-07-29 23:28:29 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-29 23:28:28 Inspecting WinSock registry (LSP Chain)
Information General 2009-07-29 23:00:30 Started scheduled scan.
Information Registry enforcer 2009-07-29 17:50:03 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-29 17:50:01 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-29 17:50:01 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-29 17:49:58 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-29 17:49:58 Inspecting WinSock registry (LSP Chain)
Information General 2009-07-29 17:49:57 Completed system scan.
Information Registry enforcer 2009-07-29 17:49:54 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-29 17:49:53 Inspecting WinSock registry (LSP Chain)
Information General 2009-07-29 17:16:25 Started scheduled scan.
Warning/Detection Process enforcer 2009-07-29 17:16:00 Monitoring process c:\program files\windows live\messenger\msnmsgr.exe
Information Internet ExplorerSiteguard 2009-07-29 17:15:54 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-29 17:15:54 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-29 17:15:54 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-29 17:15:54 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-29 17:15:54 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-29 17:15:43 Starting process watcher
Block/Extraction Hosts file 2009-07-29 17:15:43 Deleted 'hosts' file entries: 5 Entries
Block/Extraction NT Service enforcer 2009-07-27 18:53:29 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-07-27 18:53:28 Disabled service: messenger -
Block/Extraction Pop-up blocker 2009-07-27 16:42:58 Extracted package Host file (Not Restorable)
Block/Extraction Hosts file 2009-07-27 16:42:58 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Hosts file 2009-07-27 16:42:56 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Hosts file 2009-07-27 16:42:54 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Hosts file 2009-07-27 16:42:52 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Hosts file 2009-07-27 16:42:50 Deleted 'hosts' file entries: 5 Entries
Information Registry enforcer 2009-07-27 16:42:03 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-27 16:42:02 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-27 16:42:01 Inspecting WinSock registry (LSP Chain)
Information General 2009-07-27 16:42:00 Completed system scan.
Information Registry enforcer 2009-07-27 16:41:59 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-27 16:41:56 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-27 16:41:55 Inspecting WinSock registry (LSP Chain)
Information General 2009-07-27 16:06:03 Started scheduled scan.
Warning/Detection Process enforcer 2009-07-27 16:05:50 Monitoring process c:\program files\windows live\messenger\msnmsgr.exe
Information Registry enforcer 2009-07-27 16:05:34 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Internet ExplorerSiteguard 2009-07-27 16:05:33 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-27 16:05:33 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-27 16:05:33 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-27 16:05:33 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-27 16:05:31 Starting process watcher
Block/Extraction NT Service enforcer 2009-07-26 17:26:58 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-07-26 17:26:57 Disabled service: messenger -
Information General 2009-07-26 14:25:30 SITEguard Incremental definition update 5.0.50.11 successfully applied.
Block/Extraction Hosts file 2009-07-26 14:25:18 Deleted 'hosts' file entries: 5 Entries
Information Registry enforcer 2009-07-26 14:25:15 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-26 14:25:14 Inspecting WinSock registry (LSP Chain)
Information Internet ExplorerSiteguard 2009-07-26 14:25:14 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-26 14:25:13 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-26 14:25:12 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-26 14:25:12 Inspecting registered Browser Helper Objects (BHOs)
Information General 2009-07-26 14:25:10 Request to update definitions completed successfully.
Information General 2009-07-26 14:25:03 Anti-Spyware Incremental definition update 5.0.50.11 successfully applied.
Block/Extraction Pop-up blocker 2009-07-26 08:25:15 Extracted package Host file (Not Restorable)
Block/Extraction Hosts file 2009-07-26 08:25:15 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Hosts file 2009-07-26 08:25:13 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Hosts file 2009-07-26 08:25:11 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Hosts file 2009-07-26 08:25:09 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Hosts file 2009-07-26 08:25:07 Deleted 'hosts' file entries: 5 Entries
Information Registry enforcer 2009-07-26 08:24:20 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-26 08:24:17 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information General 2009-07-26 08:24:16 Completed system scan.
Information Registry enforcer 2009-07-26 08:24:12 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-26 08:24:11 Inspecting WinSock registry (LSP Chain)
Information General 2009-07-26 07:51:31 Started scheduled scan.
Warning/Detection Process enforcer 2009-07-26 07:51:21 Monitoring process c:\program files\windows live\messenger\msnmsgr.exe
Information Registry enforcer 2009-07-26 07:51:00 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-26 07:50:59 Inspecting WinSock registry (LSP Chain)
Block/Extraction Hosts file 2009-07-26 07:50:59 Deleted 'hosts' file entries: 5 Entries
Information Internet ExplorerSiteguard 2009-07-26 07:50:58 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-26 07:50:58 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-26 07:50:58 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-26 07:50:58 Starting process watcher
Block/Extraction NT Service enforcer 2009-07-25 20:31:19 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-07-25 20:31:18 Disabled service: messenger -
Block/Extraction Pop-up blocker 2009-07-25 14:45:57 Extracted package Host file (Not Restorable)
Block/Extraction Hosts file 2009-07-25 14:45:57 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Hosts file 2009-07-25 14:45:55 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Hosts file 2009-07-25 14:45:52 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Hosts file 2009-07-25 14:45:51 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Hosts file 2009-07-25 14:45:48 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Pop-up blocker 2009-07-25 14:45:44 Extracted package System Policies.DisableTaskMgr
Block/Extraction Pop-up blocker 2009-07-25 14:45:43 Extracted package System Policies.DisableRegistryTools
Information Registry enforcer 2009-07-25 11:53:01 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-25 11:52:59 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-25 11:52:56 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information General 2009-07-25 11:52:55 Completed system scan.
Information Registry enforcer 2009-07-25 11:52:51 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-25 11:52:51 Inspecting WinSock registry (LSP Chain)
Block/Extraction Registry enforcer 2009-07-25 11:52:50 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:52:50 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Information General 2009-07-25 11:28:43 Started system scan.
Block/Extraction Registry enforcer 2009-07-25 11:22:47 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:47 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:47 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:47 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:46 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:46 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:46 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:46 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:45 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:45 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:45 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:45 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:44 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:44 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:44 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:44 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:43 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:43 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:43 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:43 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:42 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:42 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:42 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:41 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:41 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:41 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:41 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:41 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:39 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:39 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:39 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:39 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:39 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:39 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:39 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:39 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:37 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:37 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:37 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:37 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:36 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:36 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:36 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:36 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:35 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:35 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:35 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:35 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:34 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:34 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:34 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:34 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:33 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:32 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:32 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:32 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:32 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:32 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:32 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:31 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:30 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:30 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:30 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:30 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:28 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:28 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:28 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:28 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:27 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:27 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:27 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:27 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:24 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:24 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:24 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:24 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:24 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:24 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:22 Deleted registry value DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:22 Detected malicious registry entry DisableRegistryTools in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Block/Extraction Registry enforcer 2009-07-25 11:22:20 Deleted registry value DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection COM enforcer 2009-07-25 11:22:20 Detected malicious registry entry DisableTaskMgr in hkus\S-1-5-21-1085031214-1303643608-839522115-1004\software\microsoft\windows\currentversion\policies\system
Warning/Detection Process enforcer 2009-07-25 10:23:38 Monitoring process c:\program files\windows live\messenger\msnmsgr.exe
Block/Extraction Hosts file 2009-07-25 10:23:33 Deleted 'hosts' file entries: 5 Entries
Information Registry enforcer 2009-07-25 10:23:29 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Internet ExplorerSiteguard 2009-07-25 10:23:29 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-25 10:23:29 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-25 10:23:29 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-25 10:23:29 Inspecting registered Browser Helper Objects (BHOs)
Information Process enforcer 2009-07-25 10:23:28 Starting process watcher
Block/Extraction NT Service enforcer 2009-07-25 10:20:52 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-07-25 10:20:52 Disabled service: messenger -
Warning/Detection Process enforcer 2009-07-25 10:13:41 Monitoring process c:\program files\windows live\messenger\msnmsgr.exe
Information Internet ExplorerSiteguard 2009-07-25 10:13:22 Inspecting registered Internet Explorer toolbars
Information Registry enforcer 2009-07-25 10:13:22 Inspecting registered Explorer bars
Information Registry enforcer 2009-07-25 10:13:22 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-25 10:13:21 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-25 10:13:21 Inspecting registered Browser Helper Objects (BHOs)
Block/Extraction Hosts file 2009-07-25 10:13:20 Deleted 'hosts' file entries: 5 Entries
Information Process enforcer 2009-07-25 10:13:20 Starting process watcher
Block/Extraction NT Service enforcer 2009-07-25 10:10:02 Disabled service: messenger -
Block/Extraction NT Service enforcer 2009-07-25 10:10:02 Disabled service: messenger -
Block/Extraction Registry enforcer 2009-07-25 08:21:07 Extracted registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\8aa68d26-098c-69f5-96e5-3e80278d3e1d
Block/Extraction Pop-up blocker 2009-07-25 08:20:06 Extracted package Host file (Not Restorable)
Block/Extraction Hosts file 2009-07-25 08:20:06 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Hosts file 2009-07-25 08:20:04 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Hosts file 2009-07-25 08:20:02 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Hosts file 2009-07-25 08:20:00 Deleted 'hosts' file entries: 5 Entries
Block/Extraction Hosts file 2009-07-25 08:19:58 Deleted 'hosts' file entries: 5 Entries
Information General 2009-07-25 08:19:12 Exploit definition update (07/25/2009 03:08 AM GMT) successfully applied.
Information Registry enforcer 2009-07-25 08:18:11 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-25 08:18:10 Inspecting WinSock registry (LSP Chain)
Information General 2009-07-25 08:18:10 Completed system scan.
Information Registry enforcer 2009-07-25 08:18:10 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-25 08:18:09 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-25 08:18:09 Inspecting WinSock registry (LSP Chain)
Information Registry enforcer 2009-07-25 08:18:05 Inspecting WinLogon notification handlers and modules loaded by WinLogon
Information Registry enforcer 2009-07-25 08:18:05 Inspecting WinSock registry (LSP Chain)

Any others you want me to run?
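The log above shows the same two policy values, DisableTaskMgr and DisableRegistryTools, being deleted and re-detected every second or two for minutes, which points at a process still running on the machine that keeps re-creating them. As an added example (not a tool or script from this thread), the Python below parses lines in that layout and flags any registry value deleted repeatedly inside a short window; the line layout is inferred from the posted log, and the SID in the constructed sample is a placeholder.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout inferred from the thread's log: <category> <component> <date> <time> <message>
LINE_RE = re.compile(
    r"^(?P<category>\S+)\s+(?P<component>.+?)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<msg>.*)$"
)
DELETED_RE = re.compile(r"Deleted registry value (\S+) in (\S+)", re.IGNORECASE)

# Values under ...\Policies\System that lock the user out of Task Manager and regedit.
LOCKOUT_VALUES = {"disabletaskmgr", "disableregistrytools"}

def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def find_recurring_deletions(lines, min_count=3, window=timedelta(minutes=5)):
    """Return {(value, key): n} for values deleted at least min_count times inside
    any window-long span. Repeated deletion means the tool is only treating the
    symptom: a running process re-creates the value and is the real target."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = DELETED_RE.search(rec["msg"])
        if m:
            seen[(m.group(1).lower(), m.group(2).lower())].append(rec["ts"])
    flagged = {}
    for ident, times in seen.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_count:
            flagged[ident] = best
    return flagged

def report(lines, **kw):
    """List of (value, key, count, is_lockout_policy), most frequent first."""
    rows = [(v, k, n, v in LOCKOUT_VALUES)
            for (v, k), n in find_recurring_deletions(lines, **kw).items()]
    return sorted(rows, key=lambda r: -r[2])

# Constructed sample in the same layout as the posted log (SID is a placeholder).
KEY = r"hkus\S-1-5-21-0-0-0-1004\software\microsoft\windows\currentversion\policies\system"
SAMPLE_LOG = [
    f"Block/Extraction Registry enforcer 2009-07-25 11:22:41 Deleted registry value DisableTaskMgr in {KEY}",
    f"Warning/Detection COM enforcer 2009-07-25 11:22:41 Detected malicious registry entry DisableTaskMgr in {KEY}",
    f"Block/Extraction Registry enforcer 2009-07-25 11:22:39 Deleted registry value DisableRegistryTools in {KEY}",
    f"Block/Extraction Registry enforcer 2009-07-25 11:22:37 Deleted registry value DisableTaskMgr in {KEY}",
    f"Block/Extraction Registry enforcer 2009-07-25 11:22:36 Deleted registry value DisableRegistryTools in {KEY}",
    f"Block/Extraction Registry enforcer 2009-07-25 11:22:35 Deleted registry value DisableTaskMgr in {KEY}",
    "Information Registry enforcer 2009-07-25 08:18:05 Inspecting WinSock registry (LSP Chain)",
]
```

Running `report(SAMPLE_LOG)` flags DisableTaskMgr (deleted three times within the window) as a lockout policy that keeps returning; lowering `min_count` to 2 flags DisableRegistryTools as well.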

#11 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:01:06 AM

Posted 02 August 2009 - 08:00 PM

An MBAM quick scan, SAS and Dr Web
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#12 missyj

missyj
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:12:06 AM

Posted 03 August 2009 - 05:53 PM

OK here you go--MBAM quick scan--

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/3/2009 5:38:30 PM
mbam-log-2009-08-03 (17-38-30).txt

Scan type: Quick Scan
Objects scanned: 99615
Time elapsed: 3 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\components\d68a1195-204d-cfbd-51fa-6ec19bbd4dc2.dll (Adware.Yoog) -> Quarantined and deleted successfully.


SAS--

SAS must not have found anything since it didn't save the log.

Dr. Web--

Dr. Web also found nothing

#13 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:01:06 AM

Posted 03 August 2009 - 08:09 PM

I believe it would be best to submit a DDS / HJT log

Please read the pinned topic titled "Preparation Guide For Use Before Posting A HijackThis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.
-------------------------------

They are very busy so it will take some time
Please be patient and good luck
Mark

#14 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,719 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:12:06 AM

Posted 04 August 2009 - 10:38 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/246862/cant-remove-this-genadwareheur722ed18181/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
