
BHO & Zlob problems ? [Solved]



#1
Emma_uk

    Member
  • 135 posts
I had problems with Zlob before and it's returned; I've also discovered a BHO
that I could do without :)

Here's the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:22:33, on 02/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Documents and Settings\admin\My Documents\Downloads\Programs\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yah...?fr=mcafee&p=%s
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1212000842109
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.ado...obat/nos/gp.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--
End of file - 7288 bytes


Scanning Report
Sunday, January 04, 2009 20:36:32 - 22:19:57

Computer name: OWNER-25KGJLS1N
Scanning type: Scan system for malware, rootkits
Target: C:\ G:\ H:\
Result: 2 malware found
W32/Packed_Nspack.A (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{1A2E542A-B4FA-4FE1-ADA7-F7DED0643FF0}\RP24\A0027396.EXE (Submitted)

W32/Zlob.gen123 (virus)

* C:\WINDOWS\SYSTEM32\AGENT.OMZ.FIX.EXE (Submitted)

Statistics
Scanned:

* Files: 51132
* System: 3196
* Not scanned: 9

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 2
* Submitted: 2

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_AVPAPP_{BB639333-810A-4BF8-85F5-C537857F55FC}0
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_ISDATAPR_{E8EFD4CD-DE52-4444-9511-EFF3B158724B}0
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_ISDATAPR_{FF9AC67A-E394-46AE-B150-B3365343F166}G

Options
Scanning engines:

* F-Secure USS: 2.40.0
* F-Secure Hydra: 2.8.8110, 2009-01-04
* F-Secure AVP: 7.0.171, 2009-01-04
* F-Secure Pegasus: 1.20.0, 2008-11-17
* F-Secure Blacklight: 0.0.0

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

Edited by Emma_uk, 06 January 2009 - 02:16 PM.

  • 0
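A small triage script for HijackThis-style log lines, added here as an example; it is not part of the original post and not a tool from Trend Micro or this forum. It assumes the `Oxx - kind: name - id - path` layout visible in the log above and uses lines copied from that log as its constructed sample input. It flags the orphaned `O2` entry (a BHO registration whose DLL no longer exists), the `O9` and `O23` entries whose target file is missing, and services with no identified publisher; the flags are a starting point for the manual review a log helper does, not a malware verdict.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of the
original post and not a Trend Micro or Geeks to Go tool).

It reads the O2 (Browser Helper Object), O9 (IE extra button / Tools menu)
and O23 (service) lines and flags the ones a log helper looks at first:
entries whose DLL or EXE is absent ("(no file)" / "(file missing)"), BHOs with
no registered name, and services with no identified publisher.
"""
import re

# Constructed sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
"""

# Layout assumed from the log: "Oxx - kind: name - id - path".  The id is a
# CLSID for O2/O9 lines and the publisher name for O23 lines.
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.+?) - (.+?) - (.+)$")
SECTIONS = {"O2", "O9", "O23"}
ABSENT_MARKERS = ("(no file)", "(file missing)")


def parse_line(line):
    """Split one HijackThis line into its fields, or return None if it is not
    an O2/O9/O23 entry in the assumed layout."""
    match = LINE_RE.match(line.strip())
    if not match or match.group(1) not in SECTIONS:
        return None
    section, kind, name, ident, path = match.groups()
    return {"section": section, "kind": kind, "name": name.strip(),
            "id": ident.strip(), "path": path.strip()}


def review_entry(entry):
    """Return the reasons an entry deserves a closer look (empty list if none)."""
    reasons = []
    if any(marker in entry["path"] for marker in ABSENT_MARKERS):
        reasons.append("target file absent (orphaned registration)")
    # A nameless BHO is unusual; a nameless O9 button is common (the Java console above).
    if entry["section"] == "O2" and entry["name"].lower() == "(no name)":
        reasons.append("BHO has no registered name")
    if entry["section"] == "O23" and entry["id"].lower() == "unknown owner":
        reasons.append("service has no identified publisher")
    return reasons


def triage(log_text):
    """Return the flagged entries from a log, each with its reasons, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = review_entry(entry)
        if reasons:
            entry["reasons"] = reasons
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['section']:>3} {hit['name']!r:40} {hit['id']}")
        for reason in hit["reasons"]:
            print(f"      - {reason}")
```

Run against the sample it reports four entries: the nameless BHO with no file, the missing Windows Messenger button, and the two services with an unknown owner (one of which also has no file). Everything else in the sample, including the Java console button that also shows "(no name)", passes untouched, which is the behaviour you want from a first-pass filter on a log this size.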



#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there Emma, sorry for the delay. I will need a fresh look at your system.

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to MediaFire and post the sharing link.

Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All Users
  • Check the Radio button for Rootkit check YES
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EventViewer Errors/Warnings (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

#3
Emma_uk

    Member

  • Topic Starter
  • 135 posts
OTScanIt2 logfile created on: 07/01/2009 16:07:39 - Run 3
OTScanIt2 by OldTimer - Version 1.0.6.1 Folder = C:\Documents and Settings\admin\Desktop\OTScanIt2
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.94 Gb Total Physical Memory | 1.34 Gb Available Physical Memory | 68.97% Memory free
3.78 Gb Paging File | 3.36 Gb Available in Paging File | 88.89% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 211.29 Gb Free Space | 90.73% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 93.16 Gb Total Space | 57.44 Gb Free Space | 61.66% Space Free | Partition Type: NTFS
Drive H: | 149.05 Gb Total Space | 124.34 Gb Free Space | 83.43% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded

Computer Name: OWNER-25KGJLS1N
Current User Name: admin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

[Processes - Safe List]
ati2evxx.exe -> %SystemRoot%\system32\ati2evxx.exe -> [2008/08/01 04:21:05 | 00,573,440 | ---- | M] (ATI Technologies Inc.)
ati2evxx.exe -> %SystemRoot%\system32\ati2evxx.exe -> [2008/08/01 04:21:05 | 00,573,440 | ---- | M] (ATI Technologies Inc.)
ccsvchst.exe -> %ProgramFiles%\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe -> [2008/12/12 03:28:25 | 00,115,560 | R--- | M] (Symantec Corporation)
ccsvchst.exe -> %ProgramFiles%\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe -> [2008/12/12 03:28:25 | 00,115,560 | R--- | M] (Symantec Corporation)
idman.exe -> %ProgramFiles%\Internet Download Manager\IDMan.exe -> [2008/07/15 07:39:04 | 00,931,248 | ---- | M] (Tonec Inc.)
iemonitor.exe -> %ProgramFiles%\Internet Download Manager\IEMonitor.exe -> [2008/02/18 13:01:01 | 00,251,312 | ---- | M] (Tonec Inc.)
iexplore.exe -> %ProgramFiles%\Internet Explorer\iexplore.exe -> [2008/10/15 07:06:26 | 00,633,632 | ---- | M] (Microsoft Corporation)
msnmsgr.exe -> %ProgramFiles%\Windows Live\Messenger\msnmsgr.exe -> [2007/10/18 10:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation)
otscanit2.exe -> %UserProfile%\Desktop\OTScanIt2\OTScanIt2.exe -> [2009/01/06 19:57:04 | 00,486,912 | ---- | M] (OldTimer Tools)
pdvdserv.exe -> %ProgramFiles%\CyberLink\PowerDVD\PDVDServ.exe -> [2003/12/08 16:35:14 | 00,032,768 | ---- | M] (Cyberlink Corp.)
sgbhp.exe -> %ProgramFiles%\SpywareGuard\sgbhp.exe -> [2003/08/29 11:14:56 | 00,233,472 | ---- | M] ()
sgmain.exe -> %ProgramFiles%\SpywareGuard\sgmain.exe -> [2003/08/29 19:05:35 | 00,360,448 | ---- | M] ()
usnsvc.exe -> %ProgramFiles%\Windows Live\Messenger\usnsvc.exe -> [2007/10/18 10:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation)

[Win32 Services - Safe List]
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -> [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation)
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running] -> %SystemRoot%\system32\ati2evxx.exe -> [2008/08/01 04:21:05 | 00,573,440 | ---- | M] (ATI Technologies Inc.)
(ATI Smart) ATI Smart [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\ati2sgag.exe -> [2008/07/31 20:05:00 | 00,593,920 | ---- | M] ()
(clr_optimization_v2.0.50727_32) .NET Runtime Optimization Service v2.0.50727_X86 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -> [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation)
(FontCache3.0.0.0) Windows Presentation Foundation Font Cache 3.0.0.0 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -> [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation)
(getPlus(R) Helper) getPlus(R) Helper [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\NOS\bin\getPlus_HelperSvc.exe -> [2008/12/01 10:59:52 | 00,033,752 | ---- | M] (NOS Microsystems Ltd.)
(idsvc) Windows CardSpace [Win32_Shared | Unknown | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -> [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation)
(MSSQL$SONY_MEDIAMGR) MSSQL$SONY_MEDIAMGR [Win32_Own | On_Demand | Stopped] -> -> File not found
(MSSQLServerADHelper) MSSQLServerADHelper [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe -> [2002/12/17 16:23:30 | 00,066,112 | ---- | M] (Microsoft Corporation)
(NetTcpPortSharing) Net.Tcp Port Sharing Service [Win32_Shared | Disabled | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -> [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation)
(Norton Internet Security) Norton Internet Security [Win32_Own | Auto | Running] -> %ProgramFiles%\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe -> [2008/12/12 03:28:25 | 00,115,560 | R--- | M] (Symantec Corporation)
(SQLAgent$SONY_MEDIAMGR) SQLAgent$SONY_MEDIAMGR [Win32_Own | On_Demand | Stopped] -> -> File not found
(usnjsvc) Messenger Sharing Folders USN Journal Reader service [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Windows Live\Messenger\usnsvc.exe -> [2007/10/18 10:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation)
(WLSetupSvc) Windows Live Setup Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Windows Live\installer\WLSetupSvc.exe -> [2007/10/25 14:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation)
(WMPNetworkSvc) Windows Media Player Network Sharing Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Windows Media Player\wmpnetwk.exe -> [2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation)

[Driver Services - Safe List]
(AliIde) AliIde [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\aliide.sys -> [2006/02/28 12:00:00 | 00,005,248 | ---- | M] (Acer Laboratories Inc.)
(amdagp) AMD AGP Bus Filter Driver [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\amdagp.sys -> [2008/04/13 18:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.)
(AmdK7) AMD K7 Processor Driver [Kernel | System | Stopped] -> %SystemRoot%\system32\drivers\amdk7.sys -> [2008/04/13 18:31:33 | 00,037,760 | ---- | M] (Microsoft Corporation)
(asc) asc [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\asc.sys -> [2006/02/28 12:00:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.)
(asc3550) asc3550 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\asc3550.sys -> [2006/02/28 12:00:00 | 00,014,848 | ---- | M] (Advanced System Products, Inc.)
(Aspi32) Aspi32 [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\ASPI32.SYS -> [2002/08/14 14:03:36 | 00,017,005 | ---- | M] (Adaptec)
(ati2mtag) ati2mtag [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ati2mtag.sys -> [2008/08/01 06:38:20 | 03,266,560 | ---- | M] (ATI Technologies Inc.)
(BHDrvx86) Symantec Heuristics Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\NIS\1002000.007\BHDrvx86.sys -> [2008/12/12 03:29:18 | 00,255,536 | ---- | M] (Symantec Corporation)
(ccHP) Symantec Hash Provider [Kernel | System | Running] -> %SystemRoot%\system32\drivers\NIS\1002000.007\cchpx86.sys -> [2009/01/04 18:16:52 | 00,362,544 | ---- | M] (Symantec Corporation)
(CmdIde) CmdIde [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\cmdide.sys -> [2006/02/28 12:00:00 | 00,006,656 | ---- | M] (CMD Technology, Inc.)
(dac2w2k) dac2w2k [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dac2w2k.sys -> [2006/02/28 12:00:00 | 00,179,584 | ---- | M] (Mylex Corporation)
(eeCtrl) Symantec Eraser Control driver [Kernel | System | Running] -> %CommonProgramFiles%\Symantec Shared\EENGINE\eeCtrl.sys -> [2009/01/04 18:16:52 | 00,371,248 | ---- | M] (Symantec Corporation)
(EraserUtilRebootDrv) EraserUtilRebootDrv [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -> [2009/01/04 18:16:52 | 00,099,376 | ---- | M] (Symantec Corporation)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\hdaudbus.sys -> [2008/04/13 16:36:05 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider)
(IDSxpx86) IDSxpx86 [Kernel | System | Running] -> %AllUsersProfile%\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20081220.001\IDSxpx86.sys -> [2009/01/04 18:16:52 | 00,274,808 | ---- | M] (Symantec Corporation)
(IntcAzAudAddService) Service for Realtek HD Audio (WDM) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\RtkHDAud.sys -> [2006/12/22 00:26:48 | 04,405,248 | R--- | M] (Realtek Semiconductor Corp.)
(mfeavfk) McAfee Inc. mfeavfk [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\mfeavfk.sys -> [2008/06/27 05:08:40 | 00,079,240 | ---- | M] (McAfee, Inc.)
(mfebopk) McAfee Inc. mfebopk [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\mfebopk.sys -> [2008/06/27 05:08:40 | 00,035,240 | ---- | M] (McAfee, Inc.)
(mfehidk) McAfee Inc. mfehidk [Kernel | System | Running] -> %SystemRoot%\system32\drivers\mfehidk.sys -> [2008/06/27 05:08:40 | 00,207,656 | ---- | M] (McAfee, Inc.)
(mferkdk) McAfee Inc. mferkdk [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\mferkdk.sys -> [2008/06/20 04:41:38 | 00,034,152 | ---- | M] (McAfee, Inc.)
(mfesmfk) McAfee Inc. mfesmfk [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\mfesmfk.sys -> [2008/06/27 05:08:40 | 00,040,488 | ---- | M] (McAfee, Inc.)
(mraid35x) mraid35x [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\mraid35x.sys -> [2006/02/28 12:00:00 | 00,017,280 | ---- | M] (American Megatrends Inc.)
(MTsensor) ATK0110 ACPI UTILITY [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\ASACPI.sys -> [2004/08/13 02:56:20 | 00,005,810 | R--- | M] ()
(NAVENG) NAVENG [Kernel | On_Demand | Running] -> %AllUsersProfile%\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090106.052\NAVENG.SYS -> [2009/01/04 09:00:00 | 00,089,104 | ---- | M] (Symantec Corporation)
(NAVEX15) NAVEX15 [Kernel | On_Demand | Running] -> %AllUsersProfile%\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090106.052\NAVEX15.SYS -> [2009/01/04 09:00:00 | 00,876,112 | ---- | M] (Symantec Corporation)
(Point32) Microsoft IntelliPoint Filter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\point32.sys -> [2008/06/10 12:04:28 | 00,031,048 | ---- | M] (Microsoft Corporation)
(PQNTDrv) PQNTDrv [Kernel | System | Running] -> %SystemRoot%\system32\drivers\PQNTDRV.sys -> [2002/09/16 16:14:32 | 00,004,228 | ---- | M] (PowerQuest Corporation)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> [2006/02/28 12:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(ql1080) ql1080 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\ql1080.sys -> [2006/02/28 12:00:00 | 00,040,320 | ---- | M] (QLogic Corporation)
(ql12160) ql12160 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\ql12160.sys -> [2006/02/28 12:00:00 | 00,045,312 | ---- | M] (QLogic Corporation)
(ql1280) ql1280 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\ql1280.sys -> [2006/02/28 12:00:00 | 00,049,024 | ---- | M] (QLogic Corporation)
(RTLE8023xp) Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\Rtenicxp.sys -> [2007/10/23 09:51:04 | 00,103,296 | ---- | M] (Realtek Semiconductor Corporation )
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\secdrv.sys -> [2007/11/13 10:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(Sparrow) Sparrow [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\sparrow.sys -> [2006/02/28 12:00:00 | 00,019,072 | ---- | M] (Adaptec, Inc.)
(SRTSP) Symantec Real Time Storage Protection [File_System | On_Demand | Running] -> %SystemRoot%\system32\drivers\NIS\1002000.007\srtsp.sys -> [2008/12/12 03:29:18 | 00,306,736 | ---- | M] (Symantec Corporation)
(SRTSPX) Symantec Real Time Storage Protection (PEL) [Kernel | System | Running] -> %SystemRoot%\system32\drivers\NIS\1002000.007\srtspx.sys -> [2008/12/12 03:29:18 | 00,043,696 | ---- | M] (Symantec Corporation)
(sscdbus) SAMSUNG USB Composite Device driver (WDM) [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\sscdbus.sys -> [2007/07/03 16:54:24 | 00,080,552 | ---- | M] (MCCI Corporation)
(sscdmdfl) SAMSUNG Mobile Modem Filter [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\sscdmdfl.sys -> [2007/07/03 16:57:24 | 00,011,944 | ---- | M] (MCCI Corporation)
(sscdmdm) SAMSUNG Mobile Modem Drivers [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\sscdmdm.sys -> [2007/07/03 16:58:20 | 00,106,792 | ---- | M] (MCCI Corporation)
(ST330) ST330 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\st330.sys -> [2008/06/02 08:46:21 | 00,030,464 | ---- | M] (THOMSON Telecom Belgium)
(StarOpen) StarOpen [File_System | System | Running] -> %SystemRoot%\system32\drivers\StarOpen.sys -> [2008/12/17 17:40:47 | 00,005,632 | ---- | M] ()
(STBUS) STBUS [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\stbus.sys -> [2008/06/02 08:46:21 | 00,012,672 | ---- | M] (THOMSON Telecom Belgium)
(stppp) Speedtouch PPP Adapter Adapter [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\stppp.sys -> [2008/06/02 08:46:21 | 00,032,000 | ---- | M] (THOMSON Telecom Belgium)
(symc810) symc810 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\symc810.sys -> [2006/02/28 12:00:00 | 00,016,256 | ---- | M] (Symbios Logic Inc.)
(symc8xx) symc8xx [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\symc8xx.sys -> [2006/02/28 12:00:00 | 00,032,640 | ---- | M] (LSI Logic)
(SYMDNS) SYMDNS [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\NIS\1002000.007\symdns.sys -> [2008/12/12 03:29:18 | 00,012,976 | ---- | M] (Symantec Corporation)
(SymEFA) Symantec Extended File Attributes [File_System | Boot | Running] -> %SystemRoot%\system32\drivers\NIS\1002000.007\SymEFA.sys -> [2008/12/12 03:29:19 | 00,309,296 | ---- | M] (Symantec Corporation)
(SymEvent) SymEvent [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\SYMEVENT.SYS -> [2009/01/04 18:16:57 | 00,124,464 | ---- | M] (Symantec Corporation)
(SYMFW) SYMFW [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\NIS\1002000.007\symfw.sys -> [2008/12/12 03:29:19 | 00,089,904 | ---- | M] (Symantec Corporation)
(SYMIDS) SYMIDS [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\NIS\1002000.007\symids.sys -> [2008/12/12 03:29:19 | 00,034,608 | ---- | M] (Symantec Corporation)
(SymIM) Symantec Network Security Intermediate Filter Service [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\SymIM.sys -> [2008/12/12 03:28:28 | 00,036,272 | R--- | M] (Symantec Corporation)
(SymIMMP) SymIMMP [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\SymIM.sys -> [2008/12/12 03:28:28 | 00,036,272 | R--- | M] (Symantec Corporation)
(SYMNDIS) SYMNDIS [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\NIS\1002000.007\symndis.sys -> [2008/12/12 03:29:20 | 00,037,424 | ---- | M] (Symantec Corporation)
(SYMREDRV) SYMREDRV [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\NIS\1002000.007\symredrv.sys -> [2008/12/12 03:29:20 | 00,024,624 | ---- | M] (Symantec Corporation)
(SYMTDI) SYMTDI [Kernel | System | Running] -> %SystemRoot%\system32\drivers\NIS\1002000.007\symtdi.sys -> [2008/12/12 03:29:20 | 00,198,192 | ---- | M] (Symantec Corporation)
(sym_hi) sym_hi [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\sym_hi.sys -> [2006/02/28 12:00:00 | 00,028,384 | ---- | M] (LSI Logic)
(sym_u3) sym_u3 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\sym_u3.sys -> [2006/02/28 12:00:00 | 00,030,688 | ---- | M] (LSI Logic)
(uagp35) Microsoft AGPv3.5 Filter [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\uagp35.sys -> [2008/04/13 18:36:40 | 00,044,672 | ---- | M] (Microsoft Corporation)
(ultra) ultra [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\ultra.sys -> [2006/02/28 12:00:00 | 00,036,736 | ---- | M] (Promise Technology, Inc.)
(usbaudio) USB Audio Driver (WDM) [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\USBAUDIO.sys -> [2008/04/13 18:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation)
(WS2IFSL) Windows Socket 2.0 Non-IFS Service Provider Support Environment [Kernel | System | Running] -> %SystemRoot%\system32\drivers\ws2ifsl.sys -> [2006/02/28 12:00:00 | 00,012,032 | ---- | M] (Microsoft Corporation)

[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Secondary_Page_URL" -> ->
HKEY_LOCAL_MACHINE\: Main\\"Extensions Off Page" -> about:NoAdd-ons ->
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\"Security Risk Page" -> about:SecurityRisk ->
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\"Page_Transitions" -> ->
HKEY_CURRENT_USER\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://www.google.com/ ->
HKEY_CURRENT_USER\: SearchURL\\"" -> http://uk.search.yahoo.com/search?fr=mcafee&p=%s ->
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> ->
HKEY_USERS\.DEFAULT\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_USERS\.DEFAULT\: Main\\"Start Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome ->
HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> ->
HKEY_USERS\S-1-5-18\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_USERS\S-1-5-18\: Main\\"Start Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome ->
HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> ->
HKEY_USERS\S-1-5-19\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> ->
HKEY_USERS\S-1-5-20\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\] > -> ->
HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm ->
HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\: Main\\"Page_Transitions" -> ->
HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\: Main\\"Start Page" -> http://www.google.com/ ->
HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\: SearchURL\\"" -> http://uk.search.yahoo.com/search?fr=mcafee&p=%s ->
HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\: "ProxyEnable" -> 0 ->
< FireFox Settings [Default Profile] > -> C:\Documents and Settings\admin\Application Data\Mozilla\FireFox\Profiles\g3dk6h2d.default\prefs.js ->
browser.startup.homepage -> "http://www.google.co.uk/" ->
browser.startup.homepage_override.mstone -> "rv:1.9.0.5" ->
extensions.enabledItems -> [email protected]:5.7 ->
extensions.enabledItems -> {20a82645-c095-46ed-80e3-08825760534b}:1.0 ->
extensions.enabledItems -> {8545daff-ad1e-493f-a37e-eed1ac79682b}:1.0 ->
extensions.enabledItems -> {7BA52691-1876-45ce-9EE6-54BCB3B04BBC}:3.0 ->
extensions.enabledItems -> {73a6fe31-595d-460b-a920-fcc0f8843232}:1.8.8.5 ->
extensions.enabledItems -> {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.5 ->
< HOSTS File > (618303 bytes and 16396 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
First 25 entries...
127.0.0.1 localhost
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 a9rhiwa.cn #[Google.Warning]
127.0.0.1 www.a9rhiwa.cn
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net
127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]
127.0.0.1 d.abnad.net
127.0.0.1 e.abnad.net
127.0.0.1 t.abnad.net
127.0.0.1 z.abnad.net
127.0.0.1 banners.absolpublisher.com
127.0.0.1 tracking.absolstats.com
127.0.0.1 adv.abv.bg
127.0.0.1 bimg.abv.bg
127.0.0.1 www2.a-counter.kiev.ua
127.0.0.1 track.acclaimnetwork.com
127.0.0.1 accuserveadsystem.com
127.0.0.1 www.accuserveadsystem.com
127.0.0.1 gtb5.acecounter.com
127.0.0.1 gtb19.acecounter.com
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{0055C089-8582-441B-A0BF-17B458C2A3A8} [HKLM] -> %ProgramFiles%\Internet Download Manager\IDMIECC.dll [IDMIEHlprObj Class] -> [2008/07/09 14:34:03 | 00,132,528 | ---- | M] (Tonec Inc.)
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [Adobe PDF Link Helper] -> [2008/06/11 22:33:16 | 00,075,128 | ---- | M] (Adobe Systems Incorporated)
{4A368E80-174F-4872-96B5-0B27DDD11DB2} [HKLM] -> %ProgramFiles%\SpywareGuard\dlprotect.dll [SpywareGuardDLBLOCK.CBrowserHelper] -> [2003/08/02 23:24:01 | 00,192,512 | R--- | M] ()
{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} [HKLM] -> %ProgramFiles%\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll [Symantec NCO BHO] -> [2008/12/12 03:28:18 | 00,344,944 | R--- | M] (Symantec Corporation)
{6D53EC84-6AAE-4787-AEEE-F4628F01010C} [HKLM] -> %ProgramFiles%\Norton Internet Security\Engine\16.2.0.7\IPSBHO.dll [Symantec Intrusion Prevention] -> [2009/01/04 18:16:44 | 00,107,896 | R--- | M] (Symantec Corporation)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" [HKLM] -> %ProgramFiles%\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll [Norton Toolbar] -> [2008/12/12 03:28:18 | 00,344,944 | R--- | M] (Symantec Corporation)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\"{00000000-0000-0000-0000-000000000000}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" [HKLM] -> %ProgramFiles%\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll [Norton Toolbar] -> [2008/12/12 03:28:18 | 00,344,944 | R--- | M] (Symantec Corporation)
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\] > -> HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\"{00000000-0000-0000-0000-000000000000}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" [HKLM] -> %ProgramFiles%\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll [Norton Toolbar] -> [2008/12/12 03:28:18 | 00,344,944 | R--- | M] (Symantec Corporation)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"Adobe Reader Speed Launcher" -> %ProgramFiles%\Adobe\Reader 9.0\Reader\reader_sl.exe ["C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"] -> [2008/06/12 02:38:00 | 00,034,672 | ---- | M] (Adobe Systems Incorporated)
"NeroFilterCheck" -> %SystemRoot%\system32\NeroCheck.exe ["C:\WINDOWS\system32\NeroCheck.exe"] -> [2001/07/09 10:50:42 | 00,155,648 | ---- | M] (Ahead Software Gmbh)
"QuickTime Task" -> %ProgramFiles%\QuickTime\qttask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> [2008/11/26 17:28:50 | 00,413,696 | ---- | M] (Apple Inc.)
"RemoteControl" -> %ProgramFiles%\CyberLink\PowerDVD\PDVDServ.exe ["C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"] -> [2003/12/08 16:35:14 | 00,032,768 | ---- | M] (Cyberlink Corp.)
"SSBkgdUpdate" -> %CommonProgramFiles%\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe ["C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot] -> [2003/09/29 23:14:58 | 00,155,648 | R--- | M] (Scansoft, Inc.)
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"IDMan" -> %ProgramFiles%\Internet Download Manager\IDMan.exe [C:\Program Files\Internet Download Manager\IDMan.exe /onboot] -> [2008/07/15 07:39:04 | 00,931,248 | ---- | M] (Tonec Inc.)
"MsnMsgr" -> %ProgramFiles%\Windows Live\Messenger\msnmsgr.exe ["C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background] -> [2007/10/18 10:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation)
"Privacy Suite RiskMonitor" -> [] -> File not found
< RunOnce [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ->
"Privacy Suite" -> %ProgramFiles%\Cyberscrub\CyberScrub Privacy Suite\CSPSeraser.exe ["C:\Program Files\Cyberscrub\CyberScrub Privacy Suite\CSPSeraser.exe" "/R:C:\Documents and Settings\admin\Application Data\CyberScrub\Privacy Suite" ] -> [2008/07/23 14:41:38 | 00,876,680 | ---- | M] (CyberScrub LLC)
< Run [HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\] > -> HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"IDMan" -> %ProgramFiles%\Internet Download Manager\IDMan.exe [C:\Program Files\Internet Download Manager\IDMan.exe /onboot] -> [2008/07/15 07:39:04 | 00,931,248 | ---- | M] (Tonec Inc.)
"MsnMsgr" -> %ProgramFiles%\Windows Live\Messenger\msnmsgr.exe ["C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background] -> [2007/10/18 10:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation)
"Privacy Suite RiskMonitor" -> [] -> File not found
< RunOnce [HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\] > -> HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ->
"Privacy Suite" -> %ProgramFiles%\Cyberscrub\CyberScrub Privacy Suite\CSPSeraser.exe ["C:\Program Files\Cyberscrub\CyberScrub Privacy Suite\CSPSeraser.exe" "/R:C:\Documents and Settings\admin\Application Data\CyberScrub\Privacy Suite" ] -> [2008/07/23 14:41:38 | 00,876,680 | ---- | M] (CyberScrub LLC)
< admin Startup Folder > -> C:\Documents and Settings\admin\Start Menu\Programs\Startup ->
%UserProfile%\Start Menu\Programs\Startup\SpywareGuard.lnk -> %ProgramFiles%\SpywareGuard\sgmain.exe -> [2003/08/29 19:05:35 | 00,360,448 | ---- | M] ()
< Administrator Startup Folder > -> C:\Documents and Settings\Administrator\Start Menu\Programs\Startup ->
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
< Default User Startup Folder > -> C:\Documents and Settings\Default User\Start Menu\Programs\Startup ->
< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions
\Infodelivery\Restrictions\\"NoSplash" -> [0] -> File not found
\Infodelivery\Restrictions\\"NoJITSetup" -> [0] -> File not found
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer ->
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions
\Infodelivery\Restrictions\\"NoSplash" -> [0] -> File not found
\Infodelivery\Restrictions\\"NoJITSetup" -> [0] -> File not found
< Software Policy Settings [HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006] > -> HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\SOFTWARE\Policies\Microsoft\Internet Explorer ->
HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions
\Infodelivery\Restrictions\\"NoSplash" -> [0] -> File not found
\Infodelivery\Restrictions\\"NoJITSetup" -> [0] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoBandCustomize" -> [0] -> File not found
\\"NoDrives" -> [0] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDriveTypeAutoRun" -> [323] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" -> [0] -> File not found
\\"legalnoticecaption" -> [] -> File not found
\\"legalnoticetext" -> [] -> File not found
\\"shutdownwithoutlogon" -> [1] -> File not found
\\"undockwithoutlogon" -> [1] -> File not found
\\"HideLegacyLogonScripts" -> [0] -> File not found
\\"HideLogoffScripts" -> [0] -> File not found
\\"RunLogonScriptSync" -> [1] -> File not found
\\"RunStartupScriptSync" -> [0] -> File not found
\\"HideStartupScripts" -> [0] -> File not found
\\"DisableRegistryTools" -> [0] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoBandCustomize" -> [0] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDrives" -> [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"HideLegacyLogonScripts" -> [0] -> File not found
\\"HideLogoffScripts" -> [0] -> File not found
\\"HideStartupScripts" -> [0] -> File not found
\\"RunLogonScriptSync" -> [1] -> File not found
\\"RunStartupScriptSync" -> [0] -> File not found
\\"DisableRegistryTools" -> [0] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006] > -> HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoBandCustomize" -> [0] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDrives" -> [0] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006] > -> HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"HideLegacyLogonScripts" -> [0] -> File not found
\\"HideLogoffScripts" -> [0] -> File not found
\\"HideStartupScripts" -> [0] -> File not found
\\"RunLogonScriptSync" -> [1] -> File not found
\\"RunStartupScriptSync" -> [0] -> File not found
\\"DisableRegistryTools" -> [0] -> File not found
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
Download all links with IDM -> %ProgramFiles%\Internet Download Manager\IEGetAll.htm [C:\Program Files\Internet Download Manager\IEGetAll.htm] -> [2003/10/20 10:13:13 | 00,000,283 | ---- | M] ()
Download FLV video content with IDM -> %ProgramFiles%\Internet Download Manager\IEGetVL.htm [C:\Program Files\Internet Download Manager\IEGetVL.htm] -> [2007/07/02 06:19:10 | 00,000,278 | ---- | M] ()
Download with IDM -> %ProgramFiles%\Internet Download Manager\IEExt.htm [C:\Program Files\Internet Download Manager\IEExt.htm] -> [2004/12/02 16:31:09 | 00,000,277 | ---- | M] ()
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\] > -> HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\Software\Microsoft\Internet Explorer\MenuExt\ ->
Download all links with IDM -> %ProgramFiles%\Internet Download Manager\IEGetAll.htm [C:\Program Files\Internet Download Manager\IEGetAll.htm] -> [2003/10/20 10:13:13 | 00,000,283 | ---- | M] ()
Download FLV video content with IDM -> %ProgramFiles%\Internet Download Manager\IEGetVL.htm [C:\Program Files\Internet Download Manager\IEGetVL.htm] -> [2007/07/02 06:19:10 | 00,000,278 | ---- | M] ()
Download with IDM -> %ProgramFiles%\Internet Download Manager\IEExt.htm [C:\Program Files\Internet Download Manager\IEExt.htm] -> [2004/12/02 16:31:09 | 00,000,277 | ---- | M] ()
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Menu: Sun Java Console] -> [2008/06/10 04:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{e2e2dd38-d088-4134-82b7-f2ba38496583}:Exec [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [Menu: @xpsp3res.dll,-20001] -> [2008/04/13 18:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Button: Messenger] -> File not found
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Menu: Windows Messenger] -> File not found
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{e2e2dd38-d088-4134-82b7-f2ba38496583}" [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 18:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> File not found
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{e2e2dd38-d088-4134-82b7-f2ba38496583}" [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 18:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> File not found
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{e2e2dd38-d088-4134-82b7-f2ba38496583}" [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 18:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> File not found
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\] > -> HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{e2e2dd38-d088-4134-82b7-f2ba38496583}" [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 18:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. ->
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 3798 domain(s) found. ->
26 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\] > -> HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 3798 domain(s) found. ->
26 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\] > -> HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} [HKLM] -> http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab[QuickTime Object] ->
{48DD0448-9209-4F81-9F6D-D83562940134} [HKLM] -> http://lads.myspace.com/upload/MySpaceUploader1006.cab[MySpace Uploader Control] ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [HKLM] -> http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212000842109[MUWebControl Class] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab[Reg Error: Key does not exist or could not be opened.] ->
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [HKLM] -> http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab[Reg Error: Key does not exist or could not be opened.] ->
{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} [HKLM] -> http://support.f-secure.com/ols/fscax.cab[F-Secure Online Scanner 3.3] ->
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] ->
{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab[Java Plug-in 1.6.0_10] ->
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab[Reg Error: Key does not exist or could not be opened.] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab[Reg Error: Key does not exist or could not be opened.] ->
{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} [HKLM] -> http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab[get_atlcom Class] ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{3B652397-D1A2-4820-A14F-74BD2C9CD374} ->
  • 0

#4 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Tsk Tsk :) :)

Could you attach the log please, Emma, as half of it is missing.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

#5 Emma_uk (Topic Starter, Member, 135 posts)

Here ya go, sorry about that.

Mediafired it :)

http://www.mediafire...2db6fb9a8902bda
  • 0

#6 Emma_uk (Topic Starter, Member, 135 posts)

Didn't know if you wanted the catchme report as well. Here it is anyway.

catchme 0.3.1319 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 16:11:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden files ...

IPC error: 2 The system cannot find the file specified.
C:\Documents and Settings\admin\Favorites\eBay .url:favicon 1406 bytes
C:\Documents and Settings\admin\Favorites\Free Virus Scan - Kaspersky Lab.url:favicon 7078 bytes
C:\Documents and Settings\admin\Favorites\Geeks to Go! Tech experts answer your questions!.url:favicon 22486 bytes
C:\Documents and Settings\admin\Favorites\Google.url:favicon 1150 bytes
C:\Documents and Settings\admin\Favorites\Katz Downloads.url:favicon 1406 bytes
C:\Documents and Settings\admin\Favorites\Login Facebook.url:favicon 1150 bytes
C:\Documents and Settings\admin\Favorites\Microsoft Update.url:favicon 25214 bytes
C:\Documents and Settings\admin\Favorites\Movie list.url:favicon 1150 bytes
C:\Documents and Settings\admin\Favorites\TV Guide UK TV Listings - UK's No 1 TV Listing site for Freeview, Sky, Virgin Media, Freesat & Tiscali TV.url:favicon 3638 bytes
C:\Documents and Settings\admin\My Documents\My Pictures\superjumper\superjumper pics\Thumbs.db.7E16506C:encryptable 0 bytes
C:\Documents and Settings\admin\My Documents\My Pictures\superjumper\Thumbs.db.E34FC621:encryptable 0 bytes
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\SrtETmp\5A169E4C.TMP 0 bytes
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\SrtETmp\F4F59EFA.TMP 0 bytes
C:\Documents and Settings\All Users\Application Data\TEMP:08948D52 106 bytes
C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 120 bytes
C:\Documents and Settings\All Users\Application Data\TEMP:B3D74A13 158 bytes
C:\Documents and Settings\All Users\Application Data\TEMP:B4AF47A7 186 bytes

scan completed successfully
hidden files: 18
  • 0

#7 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Catchme was included in the OTScanit report :) But thankee anyway

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{00000000-0000-0000-0000-000000000000}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\] > -> HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{00000000-0000-0000-0000-000000000000}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Privacy Suite RiskMonitor" -> []
< Run [HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\] > -> HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Privacy Suite RiskMonitor" -> []
[Files/Folders - Created Within 30 Days]
NY -> fsaua.data -> %SystemDrive%\fsaua.data
NY -> Iedit.INI -> %SystemRoot%\Iedit.INI
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

THEN

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0
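The fix in the post above singles out registry entries whose target file or key no longer exists (the "Reg Error" toolbar entry, the empty "Privacy Suite RiskMonitor" Run value), and the HijackThis logs in this thread mark the same condition on BHO lines as "(no name)" / "(no file)". The following is an added example, not code from the thread or from HijackThis/OTScanit: a small Python triage script that parses HijackThis O2 (BHO) lines and sorts them into orphaned entries (registry CLSID with no file on disk), unnamed entries that still have a file (worth a closer look), and the rest. The sample log is constructed from the entry format shown in post #8; the function and class names (`parse_bho_lines`, `triage`, `Bho`) are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input, modelled on the O2 lines in the HijackThis log
# posted in this thread (not the full log, and not data from any tool run here).
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\\Program Files\\Internet Download Manager\\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\\Program Files\\Norton Internet Security\\Engine\\16.2.0.7\\IPSBHO.DLL
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
"""

# HijackThis prints BHOs as:  O2 - BHO: <name> - {CLSID} - <path or "(no file)">
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<path>.*)$"
)


@dataclass
class Bho:
    name: str
    clsid: str
    path: str

    @property
    def orphaned(self) -> bool:
        """Registry CLSID still present but HijackThis found no file behind it."""
        return self.path.strip() == "(no file)"

    @property
    def unnamed(self) -> bool:
        """No friendly name registered for the CLSID."""
        return self.name.strip() == "(no name)"


def parse_bho_lines(log_text: str) -> list[Bho]:
    """Return one Bho per O2 line; non-O2 lines are ignored."""
    found = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            found.append(Bho(m["name"], m["clsid"].upper(), m["path"]))
    return found


def triage(log_text: str) -> dict[str, list[str]]:
    """Bucket CLSIDs the way a log reviewer would.

    orphaned          -> safe to clean up: registry entry with no file
    unnamed_with_file -> a DLL loads into the browser under no name; inspect it
    ok                -> named and backed by a file (still verify the publisher)
    """
    buckets: dict[str, list[str]] = {"orphaned": [], "unnamed_with_file": [], "ok": []}
    for bho in parse_bho_lines(log_text):
        if bho.orphaned:
            buckets["orphaned"].append(bho.clsid)
        elif bho.unnamed:
            buckets["unnamed_with_file"].append(bho.clsid)
        else:
            buckets["ok"].append(bho.clsid)
    return buckets


if __name__ == "__main__":
    for bucket, clsids in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {clsids}")
```

Running it against the constructed sample reports one orphaned CLSID, the same {761497BB-...} entry that the thread's own log shows as "(no name) ... (no file)"; an unnamed BHO that does have a file on disk is the case a reviewer should look at most carefully, since a legitimately installed helper normally registers a name.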

#8 Emma_uk (Topic Starter, Member, 135 posts)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:58:10, on 07/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\admin\My Documents\Downloads\Programs\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yah...?fr=mcafee&p=%s
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1212000842109
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.ado...obat/nos/gp.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--
End of file - 6609 bytes




[Registry - Safe List]
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{00000000-0000-0000-0000-000000000000} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\ not found.
Registry value HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{00000000-0000-0000-0000-000000000000} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Privacy Suite RiskMonitor not found.
Registry value HKEY_USERS\S-1-5-21-2070620897-1754454779-3683679437-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Privacy Suite RiskMonitor not found.
[Files/Folders - Created Within 30 Days]
File C:\fsaua.data not found!
File C:\WINDOWS\Iedit.INI not found!
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\admin\Local Settings\temp\~DF1775.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\admin\Local Settings\temp\~DF1788.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\JETF107.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_418.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Opera cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.6.1 fix logfile created on 01072009_205345

Files moved on Reboot...
File C:\Documents and Settings\admin\Local Settings\temp\~DF2A10.tmp not found!
File C:\Documents and Settings\admin\Local Settings\temp\~DF3807.tmp not found!
File C:\Documents and Settings\admin\Local Settings\temp\~DFC8FF.tmp not found!
File C:\Documents and Settings\admin\Local Settings\temp\~DFC912.tmp not found!
File C:\Documents and Settings\admin\Local Settings\temp\~DFD44E.tmp not found!
File C:\Documents and Settings\admin\Local Settings\temp\~DFD461.tmp not found!
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
File C:\WINDOWS\temp\JETF107.tmp not found!
File C:\WINDOWS\temp\Perflib_Perfdata_418.dat not found!
File C:\Documents and Settings\admin\Local Settings\temp\~DF1775.tmp not found!
File C:\Documents and Settings\admin\Local Settings\temp\~DF1788.tmp not found!

Registry entries deleted on Reboot...


Doing the rest now :)
  • 0
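The HijackThis log above is read by hand in this thread, and the entries that matter most are the ones whose registry pointer has no file behind it (the O2 BHO with "(no file)" and the O9/O23 items marked "(file missing)"). As an added example, not code from the thread or from the HijackThis authors, here is a small Python parser for that log format: it skips header and process-list lines, keeps the section code, any CLSID and the first Windows path of each entry, and flags entries that point at a missing file. The sample lines are copied from the log posted above; the function and field names (parse_hjt, orphaned_entries, entries_by_section) are my own.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample input: entry lines copied from the HijackThis log posted
# in this thread, plus header/process-list lines that the parser must skip.
SAMPLE_HJT_LOG = "\n".join([
    r"Logfile of Trend Micro HijackThis v2.0.2",
    r"Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"",
    r"O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll",
    r"O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)",
    r"O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)",
    r"O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe",
])


class HjtEntry(NamedTuple):
    section: str           # HijackThis section code, e.g. "O2", "O4", "O23"
    body: str              # everything after "O2 - "
    clsid: Optional[str]   # GUID in braces, if the entry carries one
    path: Optional[str]    # first Windows path ending in a binary/script extension
    orphaned: bool         # the entry points at a file that no longer exists


# An entry line starts with a section code (R0..R3, F0..F3, N1..N4, O1..O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Drive letter, backslash, then the shortest run up to a known extension.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|sys|ocx|cab|htm)", re.IGNORECASE)
# HijackThis appends one of these when the referenced file is not on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_hjt(text: str) -> List[HjtEntry]:
    """Turn raw HijackThis log text into structured entries, skipping non-entry lines."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # log header, "Running processes:" list, blank lines, "End of file"
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(HjtEntry(
            section=m.group("section"),
            body=body,
            clsid=clsid.group(0).upper() if clsid else None,
            path=path.group(0) if path else None,
            orphaned=body.endswith(ORPHAN_MARKERS),
        ))
    return entries


def orphaned_entries(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries whose registry pointer has no file behind it: stale leftovers or a removed component."""
    return [e for e in entries if e.orphaned]


def entries_by_section(entries: List[HjtEntry]) -> Dict[str, int]:
    """Count entries per section code, a quick sanity check that the parse covered the log."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT_LOG)
    print("entries per section:", entries_by_section(parsed))
    for e in orphaned_entries(parsed):
        print(f"[{e.section}] points at a missing file: {e.body}")
```

An orphaned entry is not proof of infection, only a pointer worth explaining: a BHO with no name and no file, as in the log above, is exactly the kind of line a helper asks about, while a "(file missing)" Messenger button is usually just an uninstalled component.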

#9
Emma_uk

    Member

  • Topic Starter
  • Member
  • 135 posts
Malwarebytes' Anti-Malware 1.32
Database version: 1629
Windows 5.1.2600 Service Pack 3

07/01/2009 21:12:29
mbam-log-2009-01-07 (21-12-29).txt

Scan type: Quick Scan
Objects scanned: 54347
Time elapsed: 4 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#10
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
So how is your system running now?
  • 0

#11
Emma_uk

    Member

  • Topic Starter
  • Member
  • 135 posts
Seems to be OK. Gonna do an F-Secure scan, that's what found it in the first place. Will let you know the results :)
  • 0

#12
Emma_uk

    Member

  • Topic Starter
  • Member
  • 135 posts
It's still there, the bleedin' Zlob :)

Scanning Report
Wednesday, January 07, 2009 21:28:50 - 22:02:08

Computer name: OWNER-25KGJLS1N
Scanning type: Scan system for malware, rootkits
Target: C:\ G:\ H:\
Result: 1 malware found
W32/Zlob.gen123 (virus)

* C:\WINDOWS\SYSTEM32\AGENT.OMZ.FIX.EXE (Submitted)

Statistics
Scanned:

* Files: 26896
* System: 3141
* Not scanned: 9

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 1
* Submitted: 1

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_AVPAPP_{BB639333-810A-4BF8-85F5-C537857F55FC}0
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_ISDATAPR_{E8EFD4CD-DE52-4444-9511-EFF3B158724B}0
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_ISDATAPR_{FF9AC67A-E394-46AE-B150-B3365343F166}G

Options
Scanning engines:

* F-Secure USS: 2.40.0
* F-Secure Hydra: 2.8.8110, 2009-01-07
* F-Secure AVP: 7.0.171, 2009-01-07
* F-Secure Pegasus: 1.20.0, 2008-11-17
* F-Secure Blacklight: 0.0.0

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.
  • 0

#13
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
You must have had that a while, as it did not show on my 30-day scan.

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
    C:\WINDOWS\SYSTEM32\AGENT.OMZ.FIX.EXE 
    
    :Commands
    [purity]
    [emptytemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
  • 0

#14
Emma_uk

    Member

  • Topic Starter
  • Member
  • 135 posts
There ya go :)


========== FILES ==========
C:\WINDOWS\SYSTEM32\Agent.OMZ.Fix.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\admin\LOCALS~1\Temp\~DF37C3.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\admin\LOCALS~1\Temp\~DF433A.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\admin\LOCALS~1\Temp\~DFBF0B.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\admin\LOCALS~1\Temp\~DFBF49.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\admin\LOCALS~1\Temp\~DFCF26.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\admin\LOCALS~1\Temp\~DFCF39.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\JETF424.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_49c.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Opera cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01082009_103203

Files moved on Reboot...
C:\DOCUME~1\admin\LOCALS~1\Temp\~DF37C3.tmp moved successfully.
C:\DOCUME~1\admin\LOCALS~1\Temp\~DF433A.tmp moved successfully.
File C:\DOCUME~1\admin\LOCALS~1\Temp\~DFBF0B.tmp not found!
File C:\DOCUME~1\admin\LOCALS~1\Temp\~DFBF49.tmp not found!
File C:\DOCUME~1\admin\LOCALS~1\Temp\~DFCF26.tmp not found!
File C:\DOCUME~1\admin\LOCALS~1\Temp\~DFCF39.tmp not found!
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat moved successfully.
File C:\WINDOWS\temp\JETF424.tmp not found!
File C:\WINDOWS\temp\Perflib_Perfdata_49c.dat not found!
  • 0

#15
Emma_uk

    Member

  • Topic Starter
  • Member
  • 135 posts
:) F-Secure scan still gets a positive

Scanning Report
Thursday, January 08, 2009 12:54:15 - 13:37:46

Computer name: OWNER-25KGJLS1N
Scanning type: Scan system for malware, rootkits
Target: C:\ G:\ H:\
Result: 1 malware found
W32/Zlob.gen123 (virus)

* C:\_OTMOVEIT\MOVEDFILES\01082009_103203\WINDOWS\SYSTEM32\AGENT.OMZ.FIX.EXE (Submitted)

Statistics
Scanned:

* Files: 26889
* System: 3142
* Not scanned: 9

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 1
* Submitted: 1

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_AVPAPP_{BB639333-810A-4BF8-85F5-C537857F55FC}0
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_ISDATAPR_{E8EFD4CD-DE52-4444-9511-EFF3B158724B}0
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_ISDATAPR_{FF9AC67A-E394-46AE-B150-B3365343F166}G

Options
Scanning engines:

* F-Secure USS: 2.40.0
* F-Secure Hydra: 2.8.8110, 2009-01-08
* F-Secure AVP: 7.0.171, 2009-01-08
* F-Secure Pegasus: 1.20.0, 2008-11-17
* F-Secure Blacklight: 0.0.0

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

  • 0
