Redirected when using the internet


#1 NatPortmanYUM (Member, 25 posts)
Since I wasn't able to post in the other topic with the exact same problem I have, I made a new one. Just recently (yesterday) I started to get random pop-ups, even when I wasn't using Internet Explorer. I then tried to start up ZoneAlarm, but to no avail; it didn't start up. So now I'm using my sister's laptop. I sent Avast over MSN to my computer to run a virus scan. So Avast restarted my PC and started to scan; quite a few files from the Windows folder popped up. I ignored them because they were in the Windows folder and didn't want to delete anything just in case. So now I'm here because I'm all out of ideas. So I'm hoping you guys can push me in the right direction of getting rid of this problem. Thanks.

Edit: While Avast did a virus scan, I did happen to delete 3 DLLs; they were tdssserf.dll, tdssserf1.dll and tdsslog.dll. Don't know if they will cause any damage now that I have deleted them.

Edited by NatPortmanYUM, 05 October 2008 - 03:41 PM.

#2 OldTimer (Global Moderator, 3,273 posts)
Hello NatPortmanYUM and welcome to GeeksToGo. Let's see what we can find. Boot to the profile that works and then do the following:

Before running a new scan, let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Do not change any settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

If, after posting, the last line is not <End of Report> then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.

Cheers.

OT
#3 NatPortmanYUM (Topic Starter, Member, 25 posts)
Hello there, and thanks for replying! Here is the log:
[code]
OTScanIt logfile created on: 05/10/2008 2:31:43 AM - Run 2
OTScanIt2 by OldTimer - Version 1.0.0.1b Folder = C:\Documents and Settings\Compaq_Administrator\Desktop\OTScanIt2
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1022.48 Mb Total Physical Memory | 690.60 Mb Available Physical Memory | 67.54% Memory free
2.40 Gb Paging File | 2.11 Gb Available in Paging File | 88.05% Paging File free
Paging file location(s): C:\pagefile.sys 0 0;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 177.74 Gb Total Space | 152.54 Gb Free Space | 85.82% Space Free | Partition Type: NTFS
Drive D: | 8.56 Gb Total Space | 0.58 Gb Free Space | 6.81% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: COURTNEY
Current User Name: Compaq_Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

[Processes - Safe List]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> [2008/07/19 10:25:06 | 00,016,056 | ---- | M] (ALWIL Software)
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> [2008/07/19 10:38:28 | 00,147,640 | ---- | M] (ALWIL Software)
applemobiledeviceservice.exe -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> [2007/10/31 15:09:16 | 00,110,592 | ---- | M] (Apple, Inc.)
arservice.exe -> %SystemRoot%\arservice.exe -> [2005/08/03 02:19:16 | 00,058,880 | ---- | M] (Microsoft)
ehrecvr.exe -> %SystemRoot%\ehome\ehrecvr.exe -> [2006/10/09 17:16:56 | 00,237,568 | ---- | M] (Microsoft Corporation)
ehsched.exe -> %SystemRoot%\ehome\ehSched.exe -> [2005/08/05 23:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation)
lssrvc.exe -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> [2006/06/21 07:08:48 | 00,049,152 | ---- | M] (Hewlett-Packard Company)
nvsvc32.exe -> %SystemRoot%\system32\nvsvc32.exe -> [2008/09/17 09:55:00 | 00,163,908 | ---- | M] (NVIDIA Corporation)
pnkbstra.exe -> %SystemRoot%\system32\PnkBstrA.exe -> [2007/09/01 04:20:08 | 00,066,872 | ---- | M] ()
wwsecure.exe -> %SystemRoot%\system32\wwSecure.exe -> [2005/04/20 11:34:12 | 00,487,936 | ---- | M] (Webroot Software, Inc.)
mcrdsvc.exe -> %SystemRoot%\ehome\mcrdsvc.exe -> [2005/08/05 23:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation)
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> [2008/07/19 10:38:04 | 00,250,040 | ---- | M] (ALWIL Software)
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> [2008/07/23 10:25:45 | 00,348,344 | ---- | M] (ALWIL Software)
ehtray.exe -> %SystemRoot%\ehome\ehtray.exe -> [2005/08/05 23:56:34 | 00,064,512 | ---- | M] (Microsoft Corporation)
ehmsas.exe -> %SystemRoot%\ehome\ehmsas.exe -> [2005/08/05 23:56:28 | 00,046,592 | ---- | M] (Microsoft Corporation)
rthdcpl.exe -> %SystemRoot%\RTHDCPL.EXE -> [2006/06/13 23:05:26 | 16,239,616 | ---- | M] (Realtek Semiconductor Corp.)
arpwrmsg.exe -> %SystemRoot%\arpwrmsg.exe -> [2005/08/03 02:19:16 | 00,077,312 | ---- | M] (Microsoft)
rundll32.exe -> %SystemRoot%\system32\rundll32.exe -> [2008/04/13 20:12:33 | 00,033,280 | ---- | M] (Microsoft Corporation)
wuauclt.exe -> %SystemRoot%\system32\wuauclt.exe -> [2008/07/18 22:10:42 | 00,053,448 | ---- | M] (Microsoft Corporation)
wscntfy.exe -> %SystemRoot%\system32\wscntfy.exe -> [2008/04/13 20:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation)
otscanit2.exe -> %UserProfile%\Desktop\OTScanIt2\OTScanIt2.exe -> [2008/10/04 19:54:08 | 00,415,744 | ---- | M] (OldTimer Tools)

[Win32 Services - Safe List]
(Apple Mobile Device) Apple Mobile Device [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> [2007/10/31 15:09:16 | 00,110,592 | ---- | M] (Apple, Inc.)
(ARSVC) ARSVC [Win32_Own | Auto | Running] -> %SystemRoot%\arservice.exe -> [2005/08/03 02:19:16 | 00,058,880 | ---- | M] (Microsoft)
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -> [2007/04/13 03:20:52 | 00,033,632 | ---- | M] (Microsoft Corporation)
(aswupdsv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> [2008/07/19 10:25:06 | 00,016,056 | ---- | M] (ALWIL Software)
(avast! antivirus) avast! antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> [2008/07/19 10:38:28 | 00,147,640 | ---- | M] (ALWIL Software)
(avast! mail scanner) avast! mail scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> [2008/07/19 10:38:04 | 00,250,040 | ---- | M] (ALWIL Software)
(avast! web scanner) avast! web scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> [2008/07/23 10:25:45 | 00,348,344 | ---- | M] (ALWIL Software)
(CiSvc) Indexing Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\cisvc.exe -> [2008/04/13 20:12:14 | 00,005,632 | ---- | M] (Microsoft Corporation)
(clr_optimization_v2.0.50727_32) .NET Runtime Optimization Service v2.0.50727_X86 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -> [2007/04/13 03:21:18 | 00,068,952 | ---- | M] (Microsoft Corporation)
(ehrecvr) Media Center Receiver Service [Win32_Own | Auto | Running] -> %SystemRoot%\ehome\ehrecvr.exe -> [2006/10/09 17:16:56 | 00,237,568 | ---- | M] (Microsoft Corporation)
(ehsched) Media Center Scheduler Service [Win32_Own | Auto | Running] -> %SystemRoot%\ehome\ehSched.exe -> [2005/08/05 23:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation)
(Fax) Fax [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\system32\fxssvc.exe -> [2008/04/13 20:12:21 | 00,267,776 | ---- | M] (Microsoft Corporation)
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> [2008/07/11 16:00:15 | 00,138,168 | ---- | M] (Google)
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\1050\Intel 32\IDriverT.exe -> [2004/10/22 13:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation)
(LightScribeService) LightScribeService Direct Disc Labeling Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> [2006/06/21 07:08:48 | 00,049,152 | ---- | M] (Hewlett-Packard Company)
(McrdSvc) Media Center Extender Service [Win32_Own | Auto | Running] -> %SystemRoot%\ehome\mcrdsvc.exe -> [2005/08/05 23:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation)
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\nvsvc32.exe -> [2008/09/17 09:55:00 | 00,163,908 | ---- | M] (NVIDIA Corporation)
(PnkBstrA) PnkBstrA [Win32_Own | Auto | Running] -> %SystemRoot%\system32\PnkBstrA.exe -> [2007/09/01 04:20:08 | 00,066,872 | ---- | M] ()
(TlntSvr) Telnet [Win32_Own | Disabled | Stopped] -> %SystemRoot%\system32\tlntsvr.exe -> [2008/04/13 20:12:38 | 00,073,216 | ---- | M] (Microsoft Corporation)
(usnjsvc) Messenger Sharing Folders USN Journal Reader service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\MSN Messenger\usnsvc.exe -> [2007/01/19 13:54:14 | 00,097,136 | ---- | M] (Microsoft Corporation)
(vsmon) TrueVector Internet Monitor [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\ZoneLabs\vsmon.exe -> [2008/07/09 09:05:18 | 00,075,304 | ---- | M] (Zone Labs, LLC)
(wmpnetworksvc) Windows Media Player Network Sharing Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Windows Media Player\wmpnetwk.exe -> [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation)
(wwSecSvc) Washer AutoComplete [Win32_Own | Auto | Running] -> %SystemRoot%\system32\wwSecure.exe -> [2005/04/20 11:34:12 | 00,487,936 | ---- | M] (Webroot Software, Inc.)

[Driver Services - Safe List]
(aavmker4) avast! Asynchronous Virus Monitor [Kernel | System | Running] -> %SystemRoot%\System32\drivers\aavmker4.sys -> [2008/07/19 10:32:15 | 00,026,944 | ---- | M] (ALWIL Software)
(AmdK8) AMD Processor Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\AmdK8.sys -> [2005/03/09 17:53:00 | 00,036,352 | ---- | M] (Advanced Micro Devices)
(aracpi) aracpi [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\aracpi.sys -> [2005/08/03 02:19:14 | 00,022,784 | ---- | M] (Microsoft Corporation)
(arhidfltr) MS Ar HID Filter Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\arhidfltr.sys -> [2005/08/03 02:19:14 | 00,019,200 | ---- | M] (Microsoft Corporation)
(arkbcfltr) Microsoft PS2 Keyboard Filter [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\arkbcfltr.sys -> [2005/08/03 02:19:16 | 00,005,376 | ---- | M] (Microsoft Corporation)
(armoucfltr) Microsoft PS2 Mouse Filter [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\armoucfltr.sys -> [2005/08/03 02:19:16 | 00,004,992 | ---- | M] (Microsoft Corporation)
(ARPolicy) ARPolicy [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\arpolicy.sys -> [2005/08/03 02:19:14 | 00,010,112 | ---- | M] (Microsoft Corporation)
(aswfsblk) aswfsblk [File_System | Auto | Running] -> %SystemRoot%\system32\drivers\aswFsBlk.sys -> [2008/07/19 10:37:42 | 00,020,560 | ---- | M] (ALWIL Software)
(aswmon2) avast! Standard Shield Support [File_System | Auto | Running] -> %SystemRoot%\System32\drivers\aswmon2.sys -> [2008/07/19 10:37:21 | 00,094,416 | ---- | M] (ALWIL Software)
(aswrdr) aswrdr [Kernel | On_Demand | Running] -> %SystemRoot%\System32\drivers\aswRdr.sys -> [2008/07/19 10:33:42 | 00,023,152 | ---- | M] (ALWIL Software)
(aswsp) avast! Self Protection [Kernel | System | Running] -> %SystemRoot%\System32\drivers\aswSP.sys -> [2008/07/19 10:35:18 | 00,078,416 | ---- | M] (ALWIL Software)
(aswTdi) avast! Network Shield Support [Kernel | System | Running] -> %SystemRoot%\System32\drivers\aswTdi.sys -> [2008/07/19 10:32:36 | 00,042,912 | ---- | M] (ALWIL Software)
(catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\ComboFix\catchme.sys -> File not found
(CCDECODE) Closed Caption Decoder [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\ccdecode.sys -> [2008/04/13 14:46:23 | 00,017,024 | ---- | M] (Microsoft Corporation)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\hdaudbus.sys -> [2008/04/13 12:36:05 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider)
(HPZid412) IEEE-1284.4 Driver HPZid412 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\HPZid412.sys -> [2006/12/06 02:02:28 | 00,049,920 | R--- | M] (HP)
(HPZipr12) Print Class Driver for IEEE-1284.4 HPZipr12 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\HPZipr12.sys -> [2006/12/06 02:02:28 | 00,016,496 | R--- | M] (HP)
(HPZius12) USB to IEEE-1284.4 Translation Driver HPZius12 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\HPZius12.sys -> [2006/12/06 02:02:29 | 00,021,568 | R--- | M] (HP)
(HSXHWBS2) HSXHWBS2 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\HSXHWBS2.sys -> [2005/12/06 14:20:50 | 00,241,664 | ---- | M] (Conexant Systems, Inc.)
(HSX_DP) HSX_DP [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\HSX_DP.sys -> [2005/12/06 14:20:40 | 00,936,448 | ---- | M] (Conexant Systems, Inc.)
(IntcAzAudAddService) Service for Realtek HD Audio (WDM) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\RtkHDAud.sys -> [2006/06/14 14:04:12 | 04,299,264 | ---- | M] (Realtek Semiconductor Corp.)
(intelppm) Intel Processor Driver [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\intelppm.sys -> [2008/04/13 14:31:32 | 00,036,352 | ---- | M] (Microsoft Corporation)
(KLIF) KLIF [File_System | System | Running] -> %SystemRoot%\system32\drivers\klif.sys -> [2007/07/19 15:10:28 | 00,127,768 | ---- | M] (Kaspersky Lab)
(mdmxsdk) mdmxsdk [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\mdmxsdk.sys -> [2005/10/05 18:57:08 | 00,012,544 | ---- | M] (Conexant)
(MHNDRV) MHN driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\mhndrv.sys -> [2004/08/10 05:45:04 | 00,011,008 | ---- | M] (Microsoft Corporation)
(MSTEE) Microsoft Streaming Tee/Sink-to-Sink Converter [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\mstee.sys -> [2008/04/13 14:39:50 | 00,005,504 | ---- | M] (Microsoft Corporation)
(NABTSFEC) NABTS/FEC VBI Codec [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\nabtsfec.sys -> [2008/04/13 14:46:25 | 00,085,248 | ---- | M] (Microsoft Corporation)
(NdisIP) Microsoft TV/Video Connection [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\ndisip.sys -> [2008/04/13 14:46:22 | 00,010,880 | ---- | M] (Microsoft Corporation)
(NTProcDrv) Process creation detector for NT. [Kernel | On_Demand | Stopped] -> %ProgramFiles%\Silkroad\Bot\NTProcDrv.sys -> [2005/02/23 15:08:16 | 00,003,584 | ---- | M] ()
(nv) nv [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\nv4_mini.sys -> [2008/09/17 09:55:00 | 06,132,576 | ---- | M] (NVIDIA Corporation)
(NVENETFD) NVIDIA nForce Networking Controller Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\NVENETFD.sys -> [2006/03/03 18:31:02 | 00,034,176 | ---- | M] (NVIDIA Corporation)
(nvndis) NVIDIA NDIS IO Control Driver [Kernel | Auto | Stopped] -> %SystemRoot%\system32\Drivers\NvNdis.sys -> File not found
(nvnetbus) NVIDIA Network Bus Enumerator [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\nvnetbus.sys -> [2006/03/03 18:31:04 | 00,013,056 | ---- | M] (NVIDIA Corporation)
(PCIIde) PCIIde [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\pciide.sys -> [2001/08/17 23:51:52 | 00,003,328 | ---- | M] (Microsoft Corporation)
(pfc) Padus ASPI Shell [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\pfc.sys -> [2004/10/11 11:28:18 | 00,009,856 | ---- | M] (Padus, Inc.)
(Processor) Processor Driver [Kernel | System | Stopped] -> %SystemRoot%\system32\drivers\processr.sys -> [2008/04/13 14:31:30 | 00,035,840 | ---- | M] (Microsoft Corporation)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> [2004/08/10 00:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\pxhelp20.sys -> [2006/03/09 14:00:00 | 00,046,080 | ---- | M] (Sonic Solutions)
(rtl8139) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\RTL8139.sys -> [2004/08/03 17:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation)
(Secdrv) Secdrv [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\secdrv.sys -> [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(SLIP) BDA Slip De-Framer [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\slip.sys -> [2008/04/13 14:46:23 | 00,011,136 | ---- | M] (Microsoft Corporation)
(sptd) sptd [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\sptd.sys -> [2008/08/16 16:26:36 | 00,717,296 | ---- | M] ()
(SQTECH905C) DualCamera [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Capt905c.sys -> [2005/07/13 11:08:20 | 00,033,890 | ---- | M] (Service & Quality Technology.)
(streamip) BDA IPSink [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\streamip.sys -> [2008/04/13 14:46:21 | 00,015,232 | ---- | M] (Microsoft Corporation)
(tsp) tsp [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\klif.sys -> [2007/07/19 15:10:28 | 00,127,768 | ---- | M] (Kaspersky Lab)
(USBAAPL) Apple Mobile USB Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\usbaapl.sys -> [2007/10/31 15:09:14 | 00,030,464 | ---- | M] (Apple, Inc.)
(usbehci) Microsoft USB 2.0 Enhanced Host Controller Miniport Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\usbehci.sys -> [2008/04/13 14:45:35 | 00,030,208 | ---- | M] (Microsoft Corporation)
(usbohci) Microsoft USB Open Host Controller Miniport Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\usbohci.sys -> [2008/04/13 14:45:35 | 00,017,152 | ---- | M] (Microsoft Corporation)
(ViaIde) ViaIde [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\viaide.sys -> [2008/04/13 14:40:31 | 00,005,376 | ---- | M] (Microsoft Corporation)
(vsdatant) vsdatant [Kernel | Auto | Running] -> %SystemRoot%\system32\vsdatant.sys -> [2008/07/09 09:05:22 | 00,394,952 | ---- | M] (Zone Labs, LLC)
(winachsx) winachsx [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\HSX_CNXT.sys -> [2005/12/06 14:20:42 | 00,670,208 | ---- | M] (Conexant Systems, Inc.)
(WpdUsb) WpdUsb [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\wpdusb.sys -> [2006/10/18 20:00:00 | 00,038,528 | ---- | M] (Microsoft Corporation)
(WSTCODEC) World Standard Teletext Codec [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\wstcodec.sys -> [2008/04/13 14:46:24 | 00,019,200 | ---- | M] (Microsoft Corporation)
(WudfPf) Windows Driver Foundation - User-mode Driver Framework Platform Driver [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\WudfPf.sys -> [2006/09/28 19:55:50 | 00,077,568 | ---- | M] (Microsoft Corporation)
(WudfRd) Windows Driver Foundation - User-mode Driver Framework Reflector [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\WudfRd.sys -> [2006/09/28 20:00:34 | 00,082,944 | ---- | M] (Microsoft Corporation)

[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\Default_Secondary_Page_URL -> ->
HKEY_LOCAL_MACHINE\: Main\\Extensions Off Page -> about:NoAdd-ons ->
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\Security Risk Page -> about:SecurityRisk ->
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\CustomSearch -> http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html ->
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\SearchMigratedDefaultName -> Yahoo! Search ->
HKEY_CURRENT_USER\: Main\\SearchMigratedDefaultURL -> http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 ->
HKEY_CURRENT_USER\: Main\\Start Page -> http://www.plentyoffish.com/ ->
HKEY_CURRENT_USER\: URLSearchHooks\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} [HKLM] -> %SystemRoot%\system32\ieframe.dll [Microsoft Url Search Hook] -> [2008/06/23 12:57:33 | 06,066,176 | ---- | M] (Microsoft Corporation)
HKEY_CURRENT_USER\: URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar] -> File not found
HKEY_CURRENT_USER\: ProxyEnable -> 0 ->
< HOSTS File > (27 bytes and 1 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> [2005/09/24 06:12:08 | 00,063,136 | ---- | M] (Adobe Systems Incorporated)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [SSVHelper Class] -> [2008/06/10 04:27:02 | 00,509,328 | ---- | M] (Sun Microsystems, Inc.)
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\GoogleToolbar1.dll [Google Toolbar Helper] -> [2008/07/11 16:00:15 | 02,403,392 | R--- | M] (Google Inc.)
{bdb8325a-1b1b-422c-bce8-085654f17b32} [HKLM] -> %SystemRoot%\system32\nxdsht.dll [Reg Error: Value does not exist or could not be read.] -> [2008/10/03 18:19:14 | 00,123,904 | ---- | M] ()
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" [HKLM] -> %ProgramFiles%\Google\GoogleToolbar1.dll [&Google] -> [2008/07/11 16:00:15 | 02,403,392 | R--- | M] (Google Inc.)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\GoogleToolbar1.dll [&Google] -> [2008/07/11 16:00:15 | 02,403,392 | R--- | M] (Google Inc.)
WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar] -> File not found
WebBrowser\\{F2CF5485-4E02-4F68-819C-B92DE9277049} [HKLM] -> %SystemRoot%\system32\ieframe.dll [&Links] -> [2008/06/23 12:57:33 | 06,066,176 | ---- | M] (Microsoft Corporation)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"AlwaysReady Power Message APP" -> %SystemRoot%\arpwrmsg.exe [ARPWRMSG.EXE] -> [2005/08/03 02:19:16 | 00,077,312 | ---- | M] (Microsoft)
"ehTray" -> %SystemRoot%\ehome\ehtray.exe [C:\WINDOWS\ehome\ehtray.exe] -> [2005/08/05 23:56:34 | 00,064,512 | ---- | M] (Microsoft Corporation)
"NvCplDaemon" -> %SystemRoot%\system32\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> [2008/09/17 09:55:00 | 13,574,144 | ---- | M] (NVIDIA Corporation)
"NvMediaCenter" -> %SystemRoot%\system32\nvmctray.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit] -> [2008/09/17 09:55:00 | 00,086,016 | ---- | M] (NVIDIA Corporation)
"nwiz" -> %SystemRoot%\system32\nwiz.exe [nwiz.exe /install] -> [2008/09/17 09:55:00 | 01,657,376 | ---- | M] ()
"PCDrProfiler" -> [] -> File not found
"RTHDCPL" -> %SystemRoot%\RTHDCPL.EXE [RTHDCPL.EXE] -> [2006/06/13 23:05:26 | 16,239,616 | ---- | M] (Realtek Semiconductor Corp.)
"ZoneAlarm Client" -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe ["C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"] -> [2008/07/09 09:05:20 | 00,919,016 | ---- | M] (Zone Labs, LLC)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
< Compaq_Administrator Startup Folder > -> C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Startup ->
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer ->
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [227] -> File not found
\\"NoDrives" -> [0] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" -> [0] -> File not found
\\"legalnoticecaption" -> [] -> File not found
\\"legalnoticetext" -> [] -> File not found
\\"shutdownwithoutlogon" -> [1] -> File not found
\\"undockwithoutlogon" -> [1] -> File not found
\\"InstallVisualStyle" -> %SystemRoot%\Resources\Themes\Royale\Royale.mss [C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles] -> File not found
\\"InstallTheme" -> %SystemRoot%\Resources\Themes\Royale.the [C:\WINDOWS\Resources\Themes\Royale.theme] -> File not found
\\"DisableRegistryTools" -> [0] -> File not found
\\"HideLegacyLogonScripts" -> [0] -> File not found
\\"HideLogoffScripts" -> [0] -> File not found
\\"RunLogonScriptSync" -> [1] -> File not found
\\"RunStartupScriptSync" -> [0] -> File not found
\\"HideStartupScripts" -> [0] -> File not found
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDrives" -> [0] -> File not found
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"HideLegacyLogonScripts" -> [0] -> File not found
\\"HideLogoffScripts" -> [0] -> File not found
\\"HideStartupScripts" -> [0] -> File not found
\\"RunLogonScriptSync" -> [1] -> File not found
\\"RunStartupScriptSync" -> [0] -> File not found
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Menu: Sun Java Console] -> [2008/06/10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{E2D4D26B-0180-43a4-B05F-462D6D54C789}:C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm [HKLM] -> %SystemRoot%\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm [Button: Internet Connection Help] -> [2008/09/24 14:49:29 | 00,000,706 | ---- | M] ()
{E2D4D26B-0180-43a4-B05F-462D6D54C789}:C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm [HKLM] -> %SystemRoot%\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm [Menu: Internet Connection Help] -> [2008/09/24 14:49:29 | 00,000,706 | ---- | M] ()
{fb5f1910-f110-11d2-bb9e-00c04f795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Button: Messenger] -> [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{fb5f1910-f110-11d2-bb9e-00c04f795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Menu: Windows Messenger] -> [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> [2008/06/10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{E2D4D26B-0180-43a4-B05F-462D6D54C789} [HKLM] -> [Internet Connection Help] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. ->
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{166B1BCA-3F9C-11CF-8075-444553540000} [HKLM] -> http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab[Shockwave ActiveX Control] ->
{17492023-C23A-453E-A040-C7C580BBF700} [HKLM] -> http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab[Windows Genuine Advantage Validation Tool] ->
{20A60F0D-9AFA-4515-A0FD-83BD84642501} [HKLM] -> http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab[Checkers Class] ->
{233C1507-6A77-46A4-9443-F871F945D258} [HKLM] -> http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab[Shockwave ActiveX Control] ->
{67DABFBF-D0AB-41FA-9C46-CC0F21721616} [HKLM] -> http://download.divx.com/player/DivXBrowserPlugin.cab[DivXBrowserPlugin Object] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?AuthParam=1216700393_42e961975d53e50d0437a73c55ee9081&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab&File=jinstall-6u7-windows-i586-jc.cab[Java Plug-in 1.6.0_07] ->
{B8BE5E93-A60C-4D26-A2DC-220313175592} [HKLM] -> http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab[MSN Games - Installer] ->
{BD393C14-72AD-4790-A095-76522973D6B8} [HKLM] -> http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab[CBreakshotControl Class] ->
{C3F79A2B-B9B4-4A66-B012-3EE46475B072} [HKLM] -> http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab[MessengerStatsClient Class] ->
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] ->
{E6187999-9FEC-46A1-A20F-F4CA977D5643} [HKLM] -> http://messenger.zone.msn.com/binary/Chess.cab57176.cab[ZoneChess Object] ->
{F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} [HKLM] -> https://secure.gopetslive.com/dev/GoPetsWeb.cab[GoPetsWeb Control] ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{5459ECE3-DE17-424A-81ED-010F81C934A8} -> (NVIDIA nForce Networking Controller) ->
{5DF7AE14-91FB-46C7-A971-83A58B97C9B8} -> () ->
{892900FC-9814-4488-99C0-81491C1EE93D} -> (HP EN1207D-TX PCI 10/100 Fast Ethernet Adapter) ->
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs ->
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls ->
nxdsht.dll -> %SystemRoot%\system32\nxdsht.dll -> [2008/10/03 18:19:14 | 00,123,904 | ---- | M] ()
*MultiFile Done* -> ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
WgaLogon -> %SystemRoot%\system32\WgaLogon.dll -> [2007/03/15 18:16:42 | 00,236,928 | ---- | M] (Microsoft Corporation)
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad ->
"{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" [HKLM] -> %SystemRoot%\system32\WPDShServiceObj.dll [WPDShServiceObj] -> [2006/10/18 21:47:22 | 00,133,632 | ---- | M] (Microsoft Corporation)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List ->
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\network diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2008/04/13 20:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe" -> C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe [C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe:*:Enabled:Compaq Connections] -> [2006/08/08 08:54:08 | 00,036,903 | ---- | M] (Hewlett-Packard)
"C:\Program Files\MSN Messenger\livecall.exe" -> C:\Program Files\MSN Messenger\livecall.exe [C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)] -> [2007/01/04 17:10:02 | 00,297,752 | ---- | M] (Microsoft Corporation)
"C:\Program Files\MSN Messenger\msnmsgr.exe" -> C:\Program Files\MSN Messenger\msnmsgr.exe [C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1] -> [2007/01/19 13:54:56 | 05,674,352 | ---- | M] (Microsoft Corporation)
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ->
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\network diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2008/04/13 20:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Azureus\Azureus.exe" -> C:\Program Files\Azureus\Azureus.exe [C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus] -> [2008/04/06 00:39:21 | 00,254,976 | ---- | M] (Azureus Inc)
"C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe" -> C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe [C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe:*:Enabled:Compaq Connections] -> [2006/08/08 08:54:08 | 00,036,903 | ---- | M] (Hewlett-Packard)
"C:\Program Files\LimeWire\LimeWire.exe" -> C:\Program Files\LimeWire\LimeWire.exe [C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire] -> [2008/06/18 14:58:16 | 00,147,456 | ---- | M] (Lime Wire, LLC)
"C:\Program Files\Messenger\msmsgs.exe" -> C:\Program Files\Messenger\msmsgs.exe [C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger] -> [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
"C:\Program Files\MSN Messenger\livecall.exe" -> C:\Program Files\MSN Messenger\livecall.exe [C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)] -> [2007/01/04 17:10:02 | 00,297,752 | ---- | M] (Microsoft Corporation)
"C:\Program Files\MSN Messenger\msnmsgr.exe" -> C:\Program Files\MSN Messenger\msnmsgr.exe [C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1] -> [2007/01/19 13:54:56 | 05,674,352 | ---- | M] (Microsoft Corporation)
"C:\Program Files\NovaLogic\Delta Force Xtreme\dfx.exe" -> C:\Program Files\NovaLogic\Delta Force Xtreme\dfx.exe [C:\Program Files\NovaLogic\Delta Force Xtreme\dfx.exe:*:Enabled:dfx] -> [2005/11/08 15:19:42 | 04,497,408 | ---- | M] ()
"C:\Program Files\NovaLogic\Joint Operations Typhoon Rising\Jointops.exe" -> C:\Program Files\NovaLogic\Joint Operations Typhoon Rising\Jointops.exe [C:\Program Files\NovaLogic\Joint Operations Typhoon Rising\Jointops.exe:*:Enabled:Jointops] -> [2005/10/13 19:53:34 | 04,517,888 | ---- | M] ()
"C:\Program Files\NovaLogic\Joint Operations Typhoon Rising\UPDATE.EXE" -> C:\Program Files\NovaLogic\Joint Operations Typhoon Rising\update.exe [C:\Program Files\NovaLogic\Joint Operations Typhoon Rising\UPDATE.EXE:*:Enabled:UPDATE] -> [2005/09/26 14:31:48 | 00,266,240 | ---- | M] (NovaLogic)
"C:\Program Files\Silkroad\Bot\srobot.exe" -> C:\Program Files\Silkroad\Bot\srobot.exe [C:\Program Files\Silkroad\Bot\srobot.exe:*:Enabled:HookSrv] -> [2008/09/23 14:55:34 | 00,065,536 | ---- | M] ()
"C:\Program Files\Silkroad\SilkErrSender.exe" -> C:\Program Files\Silkroad\SilkErrSender.exe [C:\Program Files\Silkroad\SilkErrSender.exe:*:Enabled:FTPSender MFC ?? ????] -> [2005/01/31 17:39:32 | 00,139,264 | ---- | M] ()
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->
"AlternateShell" -> cmd.exe ->
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 ->
"DisplayName" -> CD-ROM Driver ->
"ImagePath" -> %SystemRoot%\system32\drivers\cdrom.sys [system32\DRIVERS\cdrom.sys] -> [2008/04/13 14:40:46 | 00,062,976 | ---- | M] (Microsoft Corporation)
< Drives with AutoRun files > -> ->
AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] -> [2005/08/31 00:02:02 | 00,000,000 | ---- | M] ()
AUTOEXEC.BAT [] -> D:\AUTOEXEC.BAT [ FAT32 ] -> [2001/07/27 08:07:38 | 00,000,000 | -HS- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ->


[Files/Folders - Created Within 30 Days]
70 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
OTScanIt2 -> %UserProfile%\Desktop\OTScanIt2 -> [2008/10/05 02:23:44 | 00,000,000 | ---D | C]
OTScanIt2.exe -> %UserProfile%\Desktop\OTScanIt2.exe -> [2008/10/05 02:23:23 | 00,586,451 | ---- | C] ()
fidbox.dat -> %SystemRoot%\System32\drivers\fidbox.dat -> [2008/10/04 17:10:04 | 00,172,064 | -HS- | C] ()
fidbox.idx -> %SystemRoot%\System32\drivers\fidbox.idx -> [2008/10/04 17:10:04 | 00,003,020 | -HS- | C] ()
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [2008/10/04 17:10:03 | 10,722,22208 | -HS- | C] ()
d3d9caps.dat -> %SystemRoot%\System32\d3d9caps.dat -> [2008/10/04 15:24:04 | 00,000,664 | ---- | C] ()
klif.sys -> %SystemRoot%\System32\drivers\klif.sys -> [2008/10/04 00:45:13 | 00,127,768 | ---- | C] (Kaspersky Lab)
RECYCLER -> %SystemDrive%\RECYCLER -> [2008/10/03 20:36:56 | 00,000,000 | -HSD | C]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [2008/10/03 20:13:00 | 00,002,148 | ---- | C] ()
erdnt -> %SystemRoot%\erdnt -> [2008/10/03 20:10:00 | 00,000,000 | ---D | C]
swxcacls.exe -> %SystemRoot%\swxcacls.exe -> [2008/10/03 20:05:54 | 00,212,480 | ---- | C] (SteelWerX)
SWREG.exe -> %SystemRoot%\SWREG.exe -> [2008/10/03 20:05:54 | 00,161,792 | ---- | C] (SteelWerX)
SWSC.exe -> %SystemRoot%\SWSC.exe -> [2008/10/03 20:05:54 | 00,136,704 | ---- | C] (SteelWerX)
sed.exe -> %SystemRoot%\sed.exe -> [2008/10/03 20:05:54 | 00,098,816 | ---- | C] ()
fdsv.exe -> %SystemRoot%\fdsv.exe -> [2008/10/03 20:05:54 | 00,089,504 | ---- | C] (Smallfrogs Studio)
grep.exe -> %SystemRoot%\grep.exe -> [2008/10/03 20:05:54 | 00,080,412 | ---- | C] ()
zip.exe -> %SystemRoot%\zip.exe -> [2008/10/03 20:05:54 | 00,068,096 | ---- | C] ()
VFind.exe -> %SystemRoot%\VFind.exe -> [2008/10/03 20:05:54 | 00,049,152 | ---- | C] ()
Nircmd.exe -> %SystemRoot%\Nircmd.exe -> [2008/10/03 20:05:54 | 00,028,672 | ---- | C] (NirSoft)
ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe -> [2008/10/03 20:01:31 | 02,889,194 | R--- | C] ()
nxdsht.dll -> %SystemRoot%\System32\nxdsht.dll -> [2008/10/03 18:19:14 | 00,123,904 | ---- | C] ()
Windows Live Messenger.lnk -> %AllUsersProfile%\Desktop\Windows Live Messenger.lnk -> [2008/10/03 17:53:36 | 00,001,744 | ---- | C] ()
HijackThis.lnk -> %UserProfile%\Desktop\HijackThis.lnk -> [2008/10/03 14:22:15 | 00,001,742 | ---- | C] ()
Trend Micro -> %ProgramFiles%\Trend Micro -> [2008/10/03 14:22:15 | 00,000,000 | ---D | C]
ascbalon.dll -> %SystemRoot%\System32\ascbalon.dll -> [2008/10/02 20:51:28 | 00,036,864 | ---- | C] ()
ascbalo3N.dll -> %SystemRoot%\System32\ascbalo3N.dll -> [2008/10/02 20:51:28 | 00,036,864 | ---- | C] ()
Spybot - Search & Destroy -> %AllUsersProfile%\Application Data\Spybot - Search & Destroy -> [2008/10/02 18:26:03 | 00,000,000 | ---D | C]
Spybot - Search & Destroy -> %ProgramFiles%\Spybot - Search & Destroy -> [2008/10/02 18:25:31 | 00,000,000 | ---D | C]
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT -> [2008/10/02 17:53:56 | 00,173,080 | ---- | C] ()
aswTdi.sys -> %SystemRoot%\System32\drivers\aswTdi.sys -> [2008/10/02 12:31:37 | 00,042,912 | ---- | C] (ALWIL Software)
aswRdr.sys -> %SystemRoot%\System32\drivers\aswRdr.sys -> [2008/10/02 12:31:37 | 00,023,152 | ---- | C] (ALWIL Software)
avast! Antivirus.lnk -> %AllUsersProfile%\Desktop\avast! Antivirus.lnk -> [2008/10/02 12:31:37 | 00,001,717 | ---- | C] ()
aavmker4.sys -> %SystemRoot%\System32\drivers\aavmker4.sys -> [2008/10/02 12:31:36 | 00,026,944 | ---- | C] (ALWIL Software)
aswmon2.sys -> %SystemRoot%\System32\drivers\aswmon2.sys -> [2008/10/02 12:31:30 | 00,094,416 | ---- | C] (ALWIL Software)
aswmon.sys -> %SystemRoot%\System32\drivers\aswmon.sys -> [2008/10/02 12:31:30 | 00,093,264 | ---- | C] (ALWIL Software)
aswSP.sys -> %SystemRoot%\System32\drivers\aswSP.sys -> [2008/10/02 12:31:30 | 00,078,416 | ---- | C] (ALWIL Software)
aswFsBlk.sys -> %SystemRoot%\System32\drivers\aswFsBlk.sys -> [2008/10/02 12:31:30 | 00,020,560 | ---- | C] (ALWIL Software)
aswBoot.exe -> %SystemRoot%\System32\aswBoot.exe -> [2008/10/02 12:31:17 | 01,163,960 | ---- | C] (ALWIL Software)
actskin4.ocx -> %SystemRoot%\System32\actskin4.ocx -> [2008/10/02 12:31:17 | 00,380,928 | ---- | C] ()
Gifs -> %UserProfile%\Desktop\Gifs -> [2008/09/29 18:25:02 | 00,000,000 | ---D | C]
Thumbs.db -> %SystemRoot%\Thumbs.db -> [2008/09/28 01:25:58 | 00,007,680 | -HS- | C] ()
JO ICE Mod.lnk -> %UserProfile%\Desktop\JO ICE Mod.lnk -> [2008/09/27 15:33:14 | 00,001,937 | ---- | C] ()
Joint Operations Escalation.lnk -> %AllUsersProfile%\Desktop\Joint Operations Escalation.lnk -> [2008/09/27 14:44:30 | 00,001,949 | ---- | C] ()
Prefetch -> %SystemRoot%\Prefetch -> [2008/09/24 19:32:12 | 00,000,000 | ---D | C]
nvapps.nvb -> %SystemRoot%\System32\nvapps.nvb -> [2008/09/24 19:29:13 | 00,201,050 | ---- | C] ()
scripting -> %SystemRoot%\System32\scripting -> [2008/09/24 14:46:37 | 00,000,000 | ---D | C]
l2schemas -> %SystemRoot%\l2schemas -> [2008/09/24 14:46:37 | 00,000,000 | ---D | C]
en -> %SystemRoot%\System32\en -> [2008/09/24 14:46:37 | 00,000,000 | ---D | C]
bits -> %SystemRoot%\System32\bits -> [2008/09/24 14:46:36 | 00,000,000 | ---D | C]
ServicePackFiles -> %SystemRoot%\ServicePackFiles -> [2008/09/24 14:45:05 | 00,000,000 | ---D | C]
$NtServicePackUninstall$ -> %SystemRoot%\$NtServicePackUninstall$ -> [2008/09/24 14:39:39 | 00,000,000 | -H-D | C]
wmphoto.dll -> %SystemRoot%\System32\wmphoto.dll -> [2008/09/20 11:49:37 | 00,276,992 | ---- | C] (Microsoft Corporation)
wlanapi.dll -> %SystemRoot%\System32\wlanapi.dll -> [2008/09/20 11:49:35 | 00,069,120 | ---- | C] (Microsoft Corporation)
windowscodecs.dll -> %SystemRoot%\System32\windowscodecs.dll -> [2008/09/20 11:49:34 | 00,712,704 | ---- | C] (Microsoft Corporation)
windowscodecsext.dll -> %SystemRoot%\System32\windowscodecsext.dll -> [2008/09/20 11:49:34 | 00,346,112 | ---- | C] (Microsoft Corporation)
viaagp.sys -> %SystemRoot%\System32\drivers\viaagp.sys -> [2008/09/20 11:49:32 | 00,042,240 | ---- | C] (Microsoft Corporation)
wacompen.sys -> %SystemRoot%\System32\drivers\wacompen.sys -> [2008/09/20 11:49:32 | 00,014,208 | ---- | C] (Microsoft Corporation)
usbvideo.sys -> %SystemRoot%\System32\drivers\usbvideo.sys -> [2008/09/20 11:49:30 | 00,121,984 | ---- | C] (Microsoft Corporation)
usb8023x.sys -> %SystemRoot%\System32\drivers\usb8023x.sys -> [2008/09/20 11:49:30 | 00,012,800 | ---- | C] (Microsoft Corporation)
uagp35.sys -> %SystemRoot%\System32\drivers\uagp35.sys -> [2008/09/20 11:49:28 | 00,044,672 | ---- | C] (Microsoft Corporation)
tsgqec.dll -> %SystemRoot%\System32\tsgqec.dll -> [2008/09/20 11:49:27 | 00,053,248 | ---- | C] (Microsoft Corporation)
tspkg.dll -> %SystemRoot%\System32\tspkg.dll -> [2008/09/20 11:49:27 | 00,050,688 | ---- | C] (Microsoft Corporation)
spupdwxp.exe -> %SystemRoot%\System32\spupdwxp.exe -> [2008/09/20 11:49:21 | 00,020,992 | ---- | C] (Microsoft Corporation)
spdwnwxp.exe -> %SystemRoot%\System32\spdwnwxp.exe -> [2008/09/20 11:49:19 | 00,007,680 | ---- | C] (Microsoft Corporation)
smbali.sys -> %SystemRoot%\System32\drivers\smbali.sys -> [2008/09/20 11:49:18 | 00,005,888 | ---- | C] (Microsoft Corporation)
sffp_mmc.sys -> %SystemRoot%\System32\drivers\sffp_mmc.sys -> [2008/09/20 11:49:16 | 00,010,240 | ---- | C] (Microsoft Corporation)
setupn.exe -> %SystemRoot%\System32\setupn.exe -> [2008/09/20 11:49:15 | 00,032,768 | ---- | C] (Microsoft Corporation)
rhttpaa.dll -> %SystemRoot%\System32\rhttpaa.dll -> [2008/09/20 11:49:12 | 00,290,304 | ---- | C] (Microsoft Corporation)
rfcomm.sys -> %SystemRoot%\System32\drivers

#4
OldTimer
Global Moderator, 3,273 posts
Hi NatPortmanYUM. The log is too big to fit into a single post. It needs to be attached (use the Browse and Upload buttons below the reply input window) or uploaded in multiple posts. The log above was cut off and is incomplete.

Cheers.

OT

#5
NatPortmanYUM
Topic Starter, Member, 25 posts
Here you go.

Attached Files



#6
OldTimer
Global Moderator, 3,273 posts
Hi NatPortmanYUM. Let's see what we can do. Follow the steps below in order:

Step #1

Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> 
YN -> HKEY_CURRENT_USER\: URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {bdb8325a-1b1b-422c-bce8-085654f17b32} [HKLM] -> %SystemRoot%\system32\nxdsht.dll [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "PCDrProfiler" -> []
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
YN -> \\"DisableRegistryTools" -> [0]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> nxdsht.dll -> %SystemRoot%\system32\nxdsht.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
[Files/Folders - Created Within 30 Days]
NY -> 70 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> nxdsht.dll -> %SystemRoot%\System32\nxdsht.dll
NY -> ascbalon.dll -> %SystemRoot%\System32\ascbalon.dll
NY -> ascbalo3N.dll -> %SystemRoot%\System32\ascbalo3N.dll
[Files/Folders - Modified Within 30 Days]
NY -> 70 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
NY -> nxdsht.dll -> %SystemRoot%\System32\nxdsht.dll
NY -> ascbalon.dll -> %SystemRoot%\System32\ascbalon.dll
NY -> ascbalo3N.dll -> %SystemRoot%\System32\ascbalo3N.dll
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #2

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #3

Run a new OTScanIt2 scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program.
  • Just use the default settings.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it and close Notepad (save changes if necessary).
  • Close OTScanIt2 and locate the OTScanIt.txt file in the folder where OTScanIt2.exe is located.
  • Attach that file back here in your next reply.
Step #4

Copy/paste the following back here in your next reply:
  • The latest OTScanIt2 fix log (look in the OTScanIt2 folder for a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
  • The online virus scan report (whichever one you ran)
Attach the following back here in your next reply:
  • The new OTScanIt2 scan log
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
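The fix list above singles out nxdsht.dll (loaded through AppInit_DLLs and a BHO) and two further DLLs that appeared in System32 a day or two before the scan, all with an empty company field. As an added example, not part of the thread or of OTScanIt2, here is a Python parser for the scan-log line format used in this thread that applies that reasoning as a hypothetical heuristic over lines copied from the posted log:

```python
"""Triage OTScanIt2-style scan-log lines for suspicious load-point binaries.

Added example; not part of the thread and not code from OTScanIt2 itself.
Entry lines follow the format visible in the posted log:

    name -> path -> [YYYY/MM/DD HH:MM:SS | size | attrs | C|M] (Company)

Registry sections are introduced by "< Name [HIVE] > -> ... ->" and file
sections by "[Files/Folders - ...]". The scoring rules are a hypothetical
heuristic chosen for this example, not the helper's documented method.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

ENTRY_RE = re.compile(
    r"^(?P<name>.+?) -> (?P<path>.*?) -> "
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] \((?P<company>.*)\)\s*$"
)
REG_SECTION_RE = re.compile(r"^< (?P<name>.+?)(?: \[[^\]]*\])?\s*> ->")
FILE_SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")

# Log sections where a DLL is loaded into other processes (AppInit_DLLs,
# Winlogon notify, SSODL) or into Internet Explorer (BHOs).
LOAD_POINTS = ("AppInit_DLLs", "BHO's", "Winlogon\\Notify settings", "SSODL")
BINARY_EXT = (".dll", ".sys", ".exe", ".ocx")


@dataclass
class Entry:
    section: str
    name: str
    path: str
    stamp: datetime
    company: str
    kind: str  # "C" = created timestamp, "M" = modified timestamp


def parse_log(text: str) -> list[Entry]:
    """Return one Entry per parsable log line, tagged with its section."""
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        head = REG_SECTION_RE.match(line) or FILE_SECTION_RE.match(line)
        if head:
            section = head["name"]
            continue
        m = ENTRY_RE.match(line)
        if m:  # markers such as "*MultiFile Done* -> ->" do not match
            entries.append(Entry(
                section, m["name"], m["path"],
                datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                m["company"].strip(), m["kind"]))
    return entries


def triage(entries: list[Entry], scan_time: datetime,
           recent_days: int = 7) -> dict[str, dict]:
    """Flag binaries with no company name that (a) sit in a load point or
    (b) were created in System32 shortly before the scan; both -> high."""
    findings: dict[str, dict] = {}

    def flag(e: Entry, reason: str) -> None:
        f = findings.setdefault(e.name.lower(), {"path": e.path, "reasons": []})
        f["reasons"].append(reason)

    for e in entries:
        if e.company or not e.path.lower().endswith(BINARY_EXT):
            continue  # the empty company field is the cue this heuristic keys on
        if any(e.section.startswith(lp) for lp in LOAD_POINTS):
            flag(e, f"loaded via {e.section} with no company name")
        age = scan_time - e.stamp
        if (e.kind == "C" and "\\system32\\" in e.path.lower()
                and timedelta(0) <= age <= timedelta(days=recent_days)):
            flag(e, f"created in System32 {age.days} day(s) before the scan")
    for f in findings.values():
        f["severity"] = "high" if len(f["reasons"]) > 1 else "medium"
    return findings


# Constructed sample input: lines copied from the scan log posted in this thread.
SAMPLE_LOG = r"""
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs ->
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls ->
nxdsht.dll -> %SystemRoot%\system32\nxdsht.dll -> [2008/10/03 18:19:14 | 00,123,904 | ---- | M] ()
*MultiFile Done* -> ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
WgaLogon -> %SystemRoot%\system32\WgaLogon.dll -> [2007/03/15 18:16:42 | 00,236,928 | ---- | M] (Microsoft Corporation)

[Files/Folders - Created Within 30 Days]
klif.sys -> %SystemRoot%\System32\drivers\klif.sys -> [2008/10/04 00:45:13 | 00,127,768 | ---- | C] (Kaspersky Lab)
nxdsht.dll -> %SystemRoot%\System32\nxdsht.dll -> [2008/10/03 18:19:14 | 00,123,904 | ---- | C] ()
ascbalon.dll -> %SystemRoot%\System32\ascbalon.dll -> [2008/10/02 20:51:28 | 00,036,864 | ---- | C] ()
ascbalo3N.dll -> %SystemRoot%\System32\ascbalo3N.dll -> [2008/10/02 20:51:28 | 00,036,864 | ---- | C] ()
wmphoto.dll -> %SystemRoot%\System32\wmphoto.dll -> [2008/09/20 11:49:37 | 00,276,992 | ---- | C] (Microsoft Corporation)
"""
# Reference time: the creation stamp of OTScanIt2.exe in the posted log.
SCAN_TIME = datetime(2008, 10, 5, 2, 23, 44)

if __name__ == "__main__":
    for name, f in triage(parse_log(SAMPLE_LOG), SCAN_TIME).items():
        print(f"[{f['severity'].upper()}] {name} ({f['path']})")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

Running it flags nxdsht.dll as high (load point plus recent System32 creation) and the two ascbal* DLLs as medium, while the Microsoft and Kaspersky files pass.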

#7
NatPortmanYUM
Topic Starter, Member, 25 posts
Hi

Here is the log from step 1

Explorer killed successfully
[Registry - Safe List]
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM]\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bdb8325a-1b1b-422c-bce8-085654f17b32}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bdb8325a-1b1b-422c-bce8-085654f17b32}\ deleted successfully.
LoadLibrary failed for C:\WINDOWS\system32\nxdsht.dll
C:\WINDOWS\system32\nxdsht.dll NOT unregistered.
C:\WINDOWS\system32\nxdsht.dll moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\PCDrProfiler deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\\DisableRegistryTools not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:nxdsht.dll deleted successfully.
File C:\WINDOWS\system32\nxdsht.dll not found.
[Files/Folders - Created Within 30 Days]
File C:\WINDOWS\System32\nxdsht.dll not found!
LoadLibrary failed for C:\WINDOWS\System32\ascbalon.dll
C:\WINDOWS\System32\ascbalon.dll NOT unregistered.
C:\WINDOWS\System32\ascbalon.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\ascbalo3N.dll
C:\WINDOWS\System32\ascbalo3N.dll NOT unregistered.
C:\WINDOWS\System32\ascbalo3N.dll moved successfully.
[Files/Folders - Modified Within 30 Days]
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat moved successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat moved successfully.
File C:\WINDOWS\System32\nxdsht.dll not found!
File C:\WINDOWS\System32\ascbalon.dll not found!
File C:\WINDOWS\System32\ascbalo3N.dll not found!
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7d0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.0.1b fix logfile created on 10062008_142828

Edited by NatPortmanYUM, 06 October 2008 - 02:09 PM.


#8
OldTimer
Global Moderator, 3,273 posts
Hi NatPortmanYUM. If all the settings are on high Internet Explorer will have a difficult time getting anywhere. Reset all zones to the defaults by doing the following:

Click Tools -> Options
Click the Security tab
Click the button at the bottom which says Reset all zones to defaults
Click the Apply button and then the Ok button

Close Internet Explorer and then open it again and try the scans again. It might be a good idea to shut down ZoneAlarm also while doing the scans.

Cheers.

OT

#9
NatPortmanYUM
Topic Starter, Member, 25 posts
Thanks, I just made sure zonealarm didn't start up when I booted the computer and the internet worked.

Here is the report from the scan
Scanning Report
Monday, October 06, 2008 15:12:31 - 16:07:08
Computer name: COURTNEY
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 2 malware found
TrackingCookie.Atdmt (spyware)
System
W32/Vundo.EUG (virus)
C:\_OTSCANIT\MOVEDFILES\10062008_142828\C_WINDOWS\SYSTEM32\NXDSHT.DLL (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 43580
System: 3690
Not scanned: 9
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 2
Submitted: 1
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\DOCUMENTS AND SETTINGS\COMPAQ_ADMINISTRATOR\LOCAL SETTINGS\TEMP\HSPERFDATA_COMPAQ_ADMINISTRATOR\3808


Log for step 3

Attached Files


Edited by NatPortmanYUM, 06 October 2008 - 02:22 PM.


#10
OldTimer
Global Moderator, 3,273 posts
Hi NatPortmanYUM. Everything looks pretty good. How are things running? Any further issues?

There was one registry key that did not delete. There was a bug in the delete routine in the program. You were my test subject to see if I had it working :)

Let's take care of that:

Step #1

Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Custom Items]
:reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

The fix should only take a very short time. When the fix is completed a message box will pop up either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and Notepad will open with the final results at that time. Post that log back here in your next reply.

That's it! Quick and painless. If everything is running fine then we can do some final cleanup and you'll be all set.

Cheers.

OT

#11
NatPortmanYUM (Topic Starter, Member, 25 posts)
Hi there, I seem to get an error when I click run fix after I have pasted it in.

It reads: Access violation at address 004C629D in module 'OTScanIt.exe', Read of address 00000000.

#12
OldTimer (Global Moderator, 3,273 posts)
Hi NatPortmanYUM. Yeah, there was a bug in that too. Delete the current OTScanIt2.exe that you downloaded previously and the folder it created and then follow the directions below:

Now download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Custom Items]
:reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

The fix should only take a very short time. When the fix is completed a message box will pop up either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and Notepad will open with the final results at that time. Post that log back here in your next reply.

That's it! Quick and painless. If everything is running fine then we can do some final cleanup and you'll be all set.

Cheers.

OT
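The fix in posts #10 and #12 deletes one URLSearchHook by its CLSID and then the CLSID's class registration. As an added example that is not part of OTScanIt2 or of this thread, the following PowerShell script lists every URLSearchHook registered for the current user, resolves each CLSID to its handler DLL and flags hooks whose class key or DLL is missing (the condition behind the "not found" lines OTScanIt2 reports), and its -RemoveClsid parameter performs the same two deletions as the fix for one chosen CLSID. Assumptions: the default Microsoft hook CLSID {CFBFAE00-17A6-11D0-99CB-00C04FD64497} is treated as known-good, the script file name is hypothetical, and it runs in an elevated PowerShell on Windows.

```powershell
# Added example for this thread; not part of OTScanIt2. Run elevated: deleting a CLSID
# key under HKLM needs administrator rights. Read-only unless -RemoveClsid is given, e.g.
#   .\Audit-UrlSearchHooks.ps1 -RemoveClsid '{EF99BD32-C1FB-11D2-892F-0090271D4F88}'
param([string]$RemoveClsid)

$hookKey = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
# Assumption: the default Microsoft URL search hook is the only known-good entry.
$knownHooks = @('{CFBFAE00-17A6-11D0-99CB-00C04FD64497}')

function Get-UrlSearchHookReport {
    if (-not (Test-Path $hookKey)) { return @() }
    # Hook values are named by CLSID; skip the PS* metadata properties.
    $clsids = (Get-ItemProperty -Path $hookKey).PSObject.Properties |
        Where-Object { $_.Name -like '{*}' } | ForEach-Object { $_.Name }
    foreach ($clsid in $clsids) {
        # HKCR merges HKLM and HKCU class registrations, so both get resolved.
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path $inproc) {
            $raw = (Get-ItemProperty -Path $inproc).'(default)'
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
        }
        $status = if (-not $dll) { 'ORPHAN: no InprocServer32 for CLSID' }
                  elseif (-not (Test-Path -LiteralPath $dll)) { "MISSING DLL: $dll" }
                  elseif ($knownHooks -contains $clsid) { "known: $dll" }
                  else { "UNKNOWN HOOK: $dll" }
        [pscustomobject]@{ CLSID = $clsid; Status = $status }
    }
}

function Remove-UrlSearchHook([string]$clsid) {
    # The same two deletions the OTScanIt2 fix performs, with the same "not found" reporting.
    $props = Get-ItemProperty -Path $hookKey -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$clsid]) {
        Remove-ItemProperty -Path $hookKey -Name $clsid
        "Registry value $hookKey\$clsid deleted."
    } else { "Registry value $hookKey\$clsid not found." }
    $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
    if (Test-Path $clsidKey) {
        Remove-Item -Path $clsidKey -Recurse
        "Registry key $clsidKey deleted."
    } else { "Registry key $clsidKey not found." }
}

Get-UrlSearchHookReport | Format-Table -AutoSize
if ($RemoveClsid) { Remove-UrlSearchHook $RemoveClsid }
```

Run it without parameters first; a hook that shows as ORPHAN or MISSING DLL is what a previous removal (or a half-deleted infection) leaves behind, and an UNKNOWN HOOK pointing at a DLL in System32 is the pattern this thread is dealing with.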

#13
NatPortmanYUM (Topic Starter, Member, 25 posts)
Hi, you wrote this in an earlier post in this thread

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer

The only difference I tend to notice is when I'm gaming, when I check my fps (it brings up your fps, max & min fps and also CPU). My CPU usually stays at 0, but yesterday it started jumping up and down at times. So my question is, do you think this virus/spyware I have encountered could have slowed or maybe messed up my system by any chance?

Here is the OTScanIt log and thanks for all your help again.

[Custom Items]
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.0.4b fix logfile created on 10072008_182334

#14
OldTimer (Global Moderator, 3,273 posts)
Hi NatPortmanYUM. I wouldn't think so. There is always going to be some activity on the processor (unless the system is turned off). My first guess would be that if any new software was installed recently then look there first. The first item that would come to mind would be Avast (mentioned in the first post). Avast loads several scanners that are constantly monitoring the system. You could check which process has activity with Task Manager or a program like Process Explorer from SysInternals.

Now let's do some final cleanup to reset the System Restore points and remove all of the tools we used during the fix and then you are all set.

Step #1

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   Check Turn off System Restore.
   Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   UN-Check Turn off System Restore.
   Click Apply, and then click OK.

System Restore will now be active again.

Step #2

To remove all of the tools we used and the files and folders they created do the following:
  • Start OTScanIt2.
  • Click the CleanUp button.
  • OTScanIt2 will delete any tools downloaded and files/folders created and then ask you to reboot so it can remove itself. Click Yes.
After that you are good to go.

Cheers and Happy Computing!

OT

#15
NatPortmanYUM (Topic Starter, Member, 25 posts)
Hi, as unfortunate as it is after you helped me to get rid of this problem: yesterday I turned off ZoneAlarm because it causes games to run somewhat slower than usual. Later when I was done gaming, I must have gone on the internet without starting up ZoneAlarm again and noticed pop-ups when I wasn't on the internet anymore. I remembered this from last time and deleted the dlls that were added in my system32 folder, ran ZoneAlarm's anti-virus/spyware software, Spybot and also F-Secure's online scanner. But I still have a dll I cannot delete, and in the HijackThis log it shows that dll is being started up by winlogon. So once again I'm waist-deep in trouble. I'll upload an OTScanIt log for you.

Attached Files


Edited by NatPortmanYUM, 12 October 2008 - 05:20 AM.
