Trojan problem [Solved] - Geeks to Go Forums

Trojan problem [Solved] Win32.Zafi.B is the name

#1 Elsino

  • Group: Member
  • Posts: 27
  • Joined: 31-October 07

Posted 30 January 2009 - 02:20 PM

Hi guys, got a problem with the computer. It's some kind of trojan which is stopping me from opening browsers; antivirus and antispyware programs just stop working and close, so I can't do the first steps of the "before posting log".
I have used ATF Cleaner, that worked, but Avast and the other one just closed.

Here is the log anyway, hopefully you guys can point in the right direction:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:59:24, on 30/01/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
F:\Windows\system32\Dwm.exe
F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Windows\System32\rundll32.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Windows Sidebar\sidebar.exe
F:\Windows\System32\ctfmon.exe
F:\Windows\ehome\ehtray.exe
F:\Program Files\DAEMON Tools Lite\daemon.exe
F:\Program Files\Windows Media Player\wmpnscfg.exe
F:\Windows\ehome\ehmsas.exe
F:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
F:\Windows\system32\taskeng.exe
F:\Program Files\Ventrilo\Ventrilo.exe
F:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
F:\Windows\explorer.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Windows\system32\SearchFilterHost.exe
F:\Users\Peter\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [JMB36X Configure] F:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [JMB36X IDE Setup] F:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] F:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] F:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ehTray.exe] F:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] F:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: ERUNT AutoBackup.lnk = F:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: DSLMON.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9429F49-0C1D-4797-A260-ED7EB096DE7D}: NameServer = 212.139.132.56 212.139.132.57
O17 - HKLM\System\CCS\Services\Tcpip\..\{C48A4093-4944-4A54-85DD-38695D49F54A}: NameServer = 212.139.132.56 212.139.132.57
O23 - Service: Apple Mobile Device - Apple Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - F:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - F:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - F:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6193 bytes


Thanks alot.

EDIT: was to add the name of the virus as I couldn't remember it (I have to use another computer to post things as browsers don't open on my PC).
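As an added illustration (not part of the thread, and not a HijackThis feature), here is a small Python triage pass over a handful of lines excerpted from the log above. It flags the entry types a malware-removal helper usually checks first: BHOs whose DLL is missing, duplicate or unresolved autoruns, autoruns under user-writable folders, explicit DNS servers, and services without a publisher string. The heuristics and the names `parse_hjt` / `triage` are this editor's; a flag means "verify", not "malicious".

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt of the HijackThis v2.0.2 log posted above: the lines are
# copied from that log, the selection is this editor's.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: DSLMON.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9429F49-0C1D-4797-A260-ED7EB096DE7D}: NameServer = 212.139.132.56 212.139.132.57
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - F:\Program Files\Common Files\Steam\SteamService.exe
"""

# Every HijackThis entry starts with a section code such as "R1", "O4" or "O23".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

# Autorun targets under user-writable locations deserve a closer look than
# those under Program Files or the Windows directory (heuristic, not a verdict).
USER_WRITABLE_RE = re.compile(
    r"\\(Users|Documents and Settings|Temp|AppData)\\", re.IGNORECASE
)


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O4", "O23"
    body: str     # everything after "O4 - "
    raw: str      # the original log line


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    raw: str


def parse_hjt(text: str) -> list:
    """Split a HijackThis log into Entry objects; header/footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"], line.strip()))
    return entries


def triage(entries: list) -> list:
    """Apply review heuristics; each Finding is a prompt to verify, not a diagnosis."""
    findings = []
    o4_counts = Counter(e.raw for e in entries if e.section == "O4")
    reported_dups = set()
    for e in entries:
        if e.section == "O2" and e.body.endswith("(no file)"):
            findings.append(Finding(e.section, "BHO registered but its DLL is missing (orphaned entry)", e.raw))
        elif e.section == "O4":
            # The same autorun listed twice is worth a second look on its own.
            if o4_counts[e.raw] > 1 and e.raw not in reported_dups:
                reported_dups.add(e.raw)
                findings.append(Finding(e.section, "duplicate autorun entry", e.raw))
            if e.body.endswith("= ?"):
                findings.append(Finding(e.section, "startup shortcut whose target HijackThis could not resolve", e.raw))
            if USER_WRITABLE_RE.search(e.body):
                findings.append(Finding(e.section, "autorun target under a user-writable directory", e.raw))
        elif e.section == "O17" and "NameServer" in e.body:
            findings.append(Finding(e.section, "explicit DNS servers configured; confirm they belong to the ISP", e.raw))
        elif e.section == "O23" and " - Unknown owner - " in e.body:
            findings.append(Finding(e.section, "service binary has no publisher string; verify the file", e.raw))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.section}] {f.reason}\n    {f.raw}")
```

On the excerpt above this reports five findings; none of them is proof of infection on its own, which is why the helpers in this thread ask for a fuller scan before acting.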

#2 handhfan

  • Group: Malware Removal
  • Posts: 13,659
  • Joined: 15-June 06

Posted 31 January 2009 - 08:17 AM

Hello, Elsino, and welcome to GeeksToGo!

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#3 Elsino

  • Group: Member
  • Posts: 27
  • Joined: 31-October 07

Posted 31 January 2009 - 09:28 AM

Hi handhfan,

I've been trying to run ComboFix but it's not working. I open it on the computer and a progress bar comes up; it then says it's out of date, click yes for limited functionality, which I do. Then it opens up "administrator" and says please wait, ComboFix is initialising, or something to that effect, then doesn't do anything. When I ran ComboFix on this computer it took about 3 seconds for the computer to bleep and bring up the next screen; that isn't happening on my PC.

Other things to note: when I ran ComboFix for the first time my computer went a bit crazy and said Windows Explorer shutting down, and then shut Explorer down, but then it just re-opened it.

Since the last HijackThis log I did manage to get Avast installed and to do a boot scan. I also updated using Windows Update, which worked, so I'll post the current log; this is still without running ComboFix.

(Note also I am having to download ComboFix on this computer and use a pen drive to move the program onto my computer. That wouldn't cause any problems, would it?) <-- I managed, after much fighting against my browser closing, to download it directly to my desktop and it still didn't work. Below is the current log.

EDIT: Just as an aside, I have been closing down a lot of processes (which I deemed to be bad) in Task Manager; it seemed to help with the whole fighting against the browser closing. I don't know if that will affect the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:25:17, on 31/01/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
F:\Windows\system32\Dwm.exe
F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Windows\System32\rundll32.exe
F:\Program Files\Alwil Software\Avast4\ashDisp.exe
F:\Program Files\DAEMON Tools Lite\daemon.exe
F:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
F:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
F:\Windows\Explorer.exe
F:\Program Files\Windows Media Player\wmpnscfg.exe
F:\Windows\system32\taskeng.exe
F:\Users\Peter\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [JMB36X Configure] F:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [JMB36X IDE Setup] F:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Sidebar] F:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ehTray.exe] F:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] F:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: ERUNT AutoBackup.lnk = F:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: DSLMON.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9429F49-0C1D-4797-A260-ED7EB096DE7D}: NameServer = 212.139.132.56 212.139.132.57
O17 - HKLM\System\CCS\Services\Tcpip\..\{C48A4093-4944-4A54-85DD-38695D49F54A}: NameServer = 212.139.132.56 212.139.132.57
O23 - Service: Apple Mobile Device - Apple Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - F:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - F:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - F:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6325 bytes

#4 handhfan

  • Group: Malware Removal
  • Posts: 13,659
  • Joined: 15-June 06

Posted 31 January 2009 - 09:35 AM

We'll do things manually, no problem. ComboFix hasn't been updated in over a week, and it has a feature where it will only let you run Reduced Functionality mode if it goes past a week, so that's why it was doing that. If you weren't able to run it, no big deal, we'll use something else. :)

  • Download OTListIt2 to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.


The log for OTListIt2 will be very long and may not fit in one post. Please make sure that it didn't get cut off, and feel free to post the rest of it in a separate reply. :)

#5 Elsino

  • Group: Member
  • Posts: 27
  • Joined: 31-October 07

Posted 31 January 2009 - 04:12 PM

Righto, here goes. I ran the scan and it created 2 files, the OTListIt log and an Extras log. I am only going to paste the normal log; if you require the extra one too, let me know :)

OTListIt logfile created on: 31/01/2009 22:03:08 - Run
OTListIt2 by OldTimer - Version 1.0.4.1 Folder = F:\Users\Peter\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): c:\pagefile.sys 2500 16000;e:\pagefile.sys 0 0;f:\pagefile.sys 5000 10000;

%SystemDrive% = F: | %SystemRoot% = F:\Windows | %ProgramFiles% = F:\Program Files
Drive C: | 186.28 Gb Total Space | 27.42 Gb Free Space | 14.72% Space Free | Partition Type: NTFS
Drive D: | 480.69 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 24.41 Gb Total Space | 5.39 Gb Free Space | 22.06% Space Free | Partition Type: NTFS
Drive F: | 208.46 Gb Total Space | 52.31 Gb Free Space | 25.09% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
Drive H: | 3.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive I: | 957.94 Mb Total Space | 542.89 Mb Free Space | 56.67% Space Free | Partition Type: FAT

Computer Name: PETE
Current User Name: Peter
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

F:\Windows\System32\wininit.exe (Microsoft Corporation)
F:\Windows\System32\lsm.exe (Microsoft Corporation)
F:\Windows\System32\nvvsvc.exe (NVIDIA Corporation)
F:\Windows\System32\SLsvc.exe (Microsoft Corporation)
F:\Windows\System32\rundll32.exe (Microsoft Corporation)
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
F:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
F:\Windows\System32\dwm.exe (Microsoft Corporation)
F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
F:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
F:\Windows\System32\rundll32.exe (Microsoft Corporation)
F:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
F:\Program Files\DAEMON Tools Lite\daemon.exe (DT Soft Ltd)
F:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe ()
F:\Windows\System32\taskeng.exe (Microsoft Corporation)
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
F:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
F:\Windows\System32\PnkBstrA.exe ()
F:\Windows\System32\SearchIndexer.exe (Microsoft Corporation)
F:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
F:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
F:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
F:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe (Sun Microsystems, Inc.)
F:\Windows\System32\WUDFHost.exe (Microsoft Corporation)
F:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
F:\Users\Peter\Desktop\OTListIt2.exe (OldTimer Tools)

========== (O23) Win32 Services (SafeList) ==========

(AeLookupSvc [Auto | Running]) -- F:\Windows\System32\aelupsvc.dll (Microsoft Corporation)
(Appinfo [On_Demand | Stopped]) -- F:\Windows\System32\appinfo.dll (Microsoft Corporation)
(Apple Mobile Device [Auto | Running]) -- F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
(aswUpdSv [Auto | Running]) -- F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
(avast! Antivirus [Auto | Running]) -- F:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
(avast! Mail Scanner [On_Demand | Running]) -- F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
(avast! Web Scanner [On_Demand | Running]) -- F:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
(BFE [Auto | Running]) -- F:\Windows\System32\BFE.DLL (Microsoft Corporation)
(Bonjour Service [Auto | Running]) -- F:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
(CertPropSvc [Unknown | Stopped]) -- F:\Windows\System32\certprop.dll (Microsoft Corporation)
(clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- F:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
(DFSR [On_Demand | Stopped]) -- F:\Windows\System32\dfsr.exe (Microsoft Corporation)
(DPS [Unknown | Running]) -- F:\Windows\System32\dps.dll (Microsoft Corporation)
(ehRecvr [On_Demand | Stopped]) -- F:\Windows\ehome\ehrecvr.exe (Microsoft Corporation)
(ehSched [On_Demand | Stopped]) -- F:\Windows\ehome\ehsched.exe (Microsoft Corporation)
(ehstart [Auto | Stopped]) -- F:\Windows\ehome\ehstart.dll (Microsoft Corporation)
(EMDMgmt [Auto | Running]) -- F:\Windows\System32\emdmgmt.dll (Microsoft Corporation)
(fdPHost [On_Demand | Running]) -- F:\Windows\System32\fdPHost.dll (Microsoft Corporation)
(FDResPub [Auto | Running]) -- F:\Windows\System32\FDResPub.dll (Microsoft Corporation)
(FontCache3.0.0.0 [On_Demand | Stopped]) -- F:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
(gpsvc [Unknown | Running]) -- F:\Windows\System32\gpsvc.dll (Microsoft Corporation)
(idsvc [Unknown | Stopped]) -- F:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
(IKEEXT [Auto | Running]) -- F:\Windows\System32\IKEEXT.DLL (Microsoft Corporation)
(IPBusEnum [On_Demand | Stopped]) -- F:\Windows\System32\IPBusEnum.dll (Microsoft Corporation)
(iphlpsvc [Auto | Running]) -- F:\Windows\System32\iphlpsvc.dll (Microsoft Corporation)
(iPod Service [On_Demand | Running]) -- F:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
(KtmRm [Auto | Running]) -- F:\Windows\System32\msdtckrm.dll (Microsoft Corporation)
(lltdsvc [On_Demand | Stopped]) -- F:\Windows\System32\lltdsvc.dll (Microsoft Corporation)
(Mcx2Svc [Disabled | Stopped]) -- F:\Windows\System32\Mcx2Svc.dll (Microsoft Corporation)
(MMCSS [Auto | Running]) -- F:\Windows\System32\mmcss.dll (Microsoft Corporation)
(MpsSvc [Auto | Running]) -- F:\Windows\System32\MPSSVC.dll (Microsoft Corporation)
(MSiSCSI [On_Demand | Stopped]) -- F:\Windows\System32\iscsiexe.dll (Microsoft Corporation)
(netprofm [Auto | Running]) -- F:\Windows\System32\netprofm.dll (Microsoft Corporation)
(NetTcpPortSharing [Disabled | Stopped]) -- F:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
(NlaSvc [Auto | Running]) -- F:\Windows\System32\nlasvc.dll (Microsoft Corporation)
(nsi [Auto | Running]) -- F:\Windows\System32\nsisvc.dll (Microsoft Corporation)
(nvsvc [Auto | Running]) -- F:\Windows\System32\nvvsvc.exe (NVIDIA Corporation)
(p2pimsvc [On_Demand | Stopped]) -- F:\Windows\System32\p2psvc.dll (Microsoft Corporation)
(p2psvc [On_Demand | Stopped]) -- F:\Windows\System32\p2psvc.dll (Microsoft Corporation)
(PcaSvc [Auto | Running]) -- F:\Windows\System32\pcasvc.dll (Microsoft Corporation)
(pla [On_Demand | Stopped]) -- F:\Windows\System32\pla.dll (Microsoft Corporation)
(PlugPlay [Auto | Running]) -- F:\Windows\System32\umpnpmgr.dll (Microsoft Corporation)
(PnkBstrA [Auto | Running]) -- F:\Windows\System32\PnkBstrA.exe ()
(PNRPAutoReg [On_Demand | Stopped]) -- F:\Windows\System32\p2psvc.dll (Microsoft Corporation)
(PNRPsvc [On_Demand | Stopped]) -- F:\Windows\System32\p2psvc.dll (Microsoft Corporation)
(PolicyAgent [Auto | Running]) -- F:\Windows\System32\IPSECSVC.DLL (Microsoft Corporation)
(ProfSvc [Auto | Running]) -- F:\Windows\System32\profsvc.dll (Microsoft Corporation)
(QWAVE [On_Demand | Stopped]) -- F:\Windows\System32\qwave.dll (Microsoft Corporation)
(SBSDWSCService [Auto | Running]) -- F:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
(SCardSvr [Unknown | Stopped]) -- F:\Windows\System32\SCardSvr.dll (Microsoft Corporation)
(SCPolicySvc [Unknown | Stopped]) -- F:\Windows\System32\certprop.dll (Microsoft Corporation)
(SDRSVC [On_Demand | Stopped]) -- F:\Windows\System32\sdrsvc.dll (Microsoft Corporation)
(SessionEnv [On_Demand | Stopped]) -- F:\Windows\System32\SessEnv.dll (Microsoft Corporation)
(slsvc [Auto | Running]) -- F:\Windows\System32\SLsvc.exe (Microsoft Corporation)
(SLUINotify [On_Demand | Stopped]) -- F:\Windows\System32\SLUINotify.dll (Microsoft Corporation)
(SNMPTRAP [On_Demand | Stopped]) -- F:\Windows\System32\snmptrap.exe (Microsoft Corporation)
(SstpSvc [On_Demand | Running]) -- F:\Windows\System32\sstpsvc.dll (Microsoft Corporation)
(Steam Client Service [On_Demand | Stopped]) -- F:\Program Files\Common Files\Steam\SteamService.exe (Valve Corporation)
(swprv [On_Demand | Stopped]) -- F:\Windows\System32\swprv.dll (Microsoft Corporation)
(SysMain [Auto | Running]) -- F:\Windows\System32\sysmain.dll (Microsoft Corporation)
(TabletInputService [Auto | Running]) -- F:\Windows\System32\TabSvc.dll (Microsoft Corporation)
(TBS [Auto | Stopped]) -- F:\Windows\System32\tbssvc.dll (Microsoft Corporation)
(THREADORDER [On_Demand | Stopped]) -- F:\Windows\System32\mmcss.dll (Microsoft Corporation)
(TrustedInstaller [Unknown | Stopped]) -- F:\Windows\servicing\TrustedInstaller.exe (Microsoft Corporation)
(UI0Detect [On_Demand | Stopped]) -- F:\Windows\System32\UI0Detect.exe (Microsoft Corporation)
(usnjsvc [On_Demand | Stopped]) -- F:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
(UxSms [Auto | Running]) -- F:\Windows\System32\uxsms.dll (Microsoft Corporation)
(vds [On_Demand | Stopped]) -- F:\Windows\System32\vds.exe (Microsoft Corporation)
(wcncsvc [On_Demand | Running]) -- F:\Windows\System32\wcncsvc.dll (Microsoft Corporation)
(WcsPlugInService [On_Demand | Stopped]) -- F:\Windows\System32\WcsPlugInService.dll (Microsoft Corporation)
(WdiServiceHost [Unknown | Stopped]) -- F:\Windows\System32\wdi.dll (Microsoft Corporation)
(WdiSystemHost [Unknown | Running]) -- F:\Windows\System32\wdi.dll (Microsoft Corporation)
(Wecsvc [On_Demand | Stopped]) -- F:\Windows\System32\wecsvc.dll (Microsoft Corporation)
(wercplsupport [On_Demand | Stopped]) -- F:\Windows\System32\wercplsupport.dll (Microsoft Corporation)
(WerSvc [Auto | Running]) -- F:\Windows\System32\wersvc.dll (Microsoft Corporation)
(WinDefend [Auto | Running]) -- F:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
(WinHttpAutoProxySvc [On_Demand | Stopped]) -- F:\Windows\System32\winhttp.dll (Microsoft Corporation)
(WinRM [On_Demand | Stopped]) -- F:\Windows\System32\WsmSvc.dll (Microsoft Corporation)
(Wlansvc [On_Demand | Stopped]) -- F:\Windows\System32\wlansvc.dll (Microsoft Corporation)
(WLSetupSvc [On_Demand | Stopped]) -- F:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
(WMPNetworkSvc [On_Demand | Running]) -- F:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
(WPCSvc [On_Demand | Stopped]) -- F:\Windows\System32\wpcsvc.dll (Microsoft Corporation)
(WPDBusEnum [Auto | Running]) -- F:\Windows\System32\wpdbusenum.dll (Microsoft Corporation)
(WSearch [Auto | Running]) -- F:\Windows\System32\SearchIndexer.exe (Microsoft Corporation)
(wuauserv [Auto | Running]) -- F:\Windows\System32\wuaueng.dll (Microsoft Corporation)
(wudfsvc [Auto | Running]) -- F:\Windows\System32\WUDFSvc.dll (Microsoft Corporation)

========== Driver Services (SafeList) ==========

(adp94xx [Disabled | Stopped]) -- F:\Windows\System32\drivers\adp94xx.sys (Adaptec, Inc.)
(adpahci [Disabled | Stopped]) -- F:\Windows\System32\drivers\adpahci.sys (Adaptec, Inc.)
(adpu160m [Disabled | Stopped]) -- F:\Windows\System32\drivers\adpu160m.sys (Adaptec, Inc.)
(adpu320 [Disabled | Stopped]) -- F:\Windows\System32\drivers\adpu320.sys (Adaptec, Inc.)
(aic78xx [Disabled | Stopped]) -- F:\Windows\System32\drivers\djsvs.sys (Adaptec, Inc.)
(aliide [Disabled | Stopped]) -- F:\Windows\System32\drivers\aliide.sys (Acer Laboratories Inc.)
(amdagp [On_Demand | Stopped]) -- F:\Windows\System32\drivers\AMDAGP.SYS (Microsoft Corporation)
(amdide [Disabled | Stopped]) -- F:\Windows\System32\drivers\amdide.sys (Microsoft Corporation)
(AmdK7 [Disabled | Stopped]) -- F:\Windows\System32\drivers\amdk7.sys (Microsoft Corporation)
(AmdK8 [Disabled | Stopped]) -- F:\Windows\System32\drivers\amdk8.sys (Microsoft Corporation)
(arc [Disabled | Stopped]) -- F:\Windows\System32\drivers\arc.sys (Adaptec, Inc.)
(arcsas [Disabled | Stopped]) -- F:\Windows\System32\drivers\arcsas.sys (Adaptec, Inc.)
(aswFsBlk [Auto | Running]) -- F:\Windows\System32\drivers\aswFsBlk.sys (ALWIL Software)
(aswMonFlt [Auto | Running]) -- F:\Windows\System32\drivers\aswMonFlt.sys (ALWIL Software)
(aswRdr [System | Running]) -- F:\Windows\System32\drivers\aswRdr.sys (ALWIL Software)
(aswSP [System | Running]) -- F:\Windows\System32\drivers\aswSP.sys (ALWIL Software)
(aswTdi [System | Running]) -- F:\Windows\System32\drivers\aswTdi.sys (ALWIL Software)
(bowser [On_Demand | Running]) -- F:\Windows\System32\drivers\bowser.sys (Microsoft Corporation)
(BrFiltLo [On_Demand | Stopped]) -- F:\Windows\System32\drivers\BrFiltLo.sys (Brother Industries, Ltd.)
(BrFiltUp [On_Demand | Stopped]) -- F:\Windows\System32\drivers\BrFiltUp.sys (Brother Industries, Ltd.)
(Brserid [Disabled | Stopped]) -- F:\Windows\System32\drivers\BrSerId.sys (Brother Industries Ltd.)
(BrSerWdm [Disabled | Stopped]) -- F:\Windows\System32\drivers\BrSerWdm.sys (Brother Industries Ltd.)
(BrUsbMdm [Disabled | Stopped]) -- F:\Windows\System32\drivers\BrUsbMdm.sys (Brother Industries Ltd.)
(BrUsbSer [On_Demand | Stopped]) -- F:\Windows\System32\drivers\BrUsbSer.sys (Brother Industries Ltd.)
(BTHMODEM [Disabled | Stopped]) -- F:\Windows\System32\drivers\bthmodem.sys (Microsoft Corporation)
(circlass [Disabled | Stopped]) -- F:\Windows\System32\drivers\circlass.sys (Microsoft Corporation)
(CLFS [Unknown | Running]) -- F:\Windows\System32\clfs.sys (Microsoft Corporation)
(cmdide [Disabled | Stopped]) -- F:\Windows\System32\drivers\cmdide.sys (CMD Technology, Inc.)
(crcdisk [Boot | Running]) -- F:\Windows\System32\drivers\crcdisk.sys (Microsoft Corporation)
(Crusoe [Disabled | Stopped]) -- F:\Windows\System32\drivers\crusoe.sys (Microsoft Corporation)
(DfsC [System | Running]) -- F:\Windows\System32\drivers\dfsc.sys (Microsoft Corporation)
(DXGKrnl [On_Demand | Running]) -- F:\Windows\System32\drivers\dxgkrnl.sys (Microsoft Corporation)
(E1G60 [On_Demand | Stopped]) -- F:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
(e4usbaw [On_Demand | Running]) -- F:\Windows\System32\drivers\e4usbaw.sys (Analog Devices Inc.)
(Ecache [Boot | Running]) -- F:\Windows\System32\drivers\ecache.sys (Microsoft Corporation)
(elxstor [Disabled | Stopped]) -- F:\Windows\System32\drivers\elxstor.sys (Emulex)
(exfat [On_Demand | Stopped]) -- F:\Windows\System32\drivers\exfat.sys (Microsoft Corporation)
(FileInfo [Boot | Running]) -- F:\Windows\System32\drivers\fileinfo.sys (Microsoft Corporation)
(Filetrace [On_Demand | Stopped]) -- F:\Windows\System32\drivers\filetrace.sys (Microsoft Corporation)
(gagp30kx [On_Demand | Stopped]) -- F:\Windows\System32\drivers\GAGP30KX.SYS (Microsoft Corporation)
(GEARAspiWDM [On_Demand | Running]) -- F:\Windows\System32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
(HdAudAddService [On_Demand | Running]) -- F:\Windows\System32\drivers\HdAudio.sys (Microsoft Corporation)
(HDAudBus [On_Demand | Running]) -- F:\Windows\System32\drivers\hdaudbus.sys (Microsoft Corporation)
(HidBth [Disabled | Stopped]) -- F:\Windows\System32\drivers\hidbth.sys (Microsoft Corporation)
(HidIr [Disabled | Stopped]) -- F:\Windows\System32\drivers\hidir.sys (Microsoft Corporation)
(HpCISSs [Disabled | Stopped]) -- F:\Windows\System32\drivers\HpCISSs.sys (Hewlett-Packard Company)
(iaStorV [Disabled | Stopped]) -- F:\Windows\System32\drivers\iaStorV.sys (Intel Corporation)
(iirsp [Disabled | Stopped]) -- F:\Windows\System32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
(IKANLOADER2 [Auto | Stopped]) -- F:\Windows\System32\drivers\e4ldr.sys (Analog Deivces)
(IPMIDRV [Disabled | Stopped]) -- F:\Windows\System32\drivers\IPMIDrv.sys (Microsoft Corporation)
(iScsiPrt [On_Demand | Running]) -- F:\Windows\System32\drivers\msiscsi.sys (Microsoft Corporation)
(iteatapi [Disabled | Stopped]) -- F:\Windows\System32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
(iteraid [Disabled | Stopped]) -- F:\Windows\System32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
(JGOGO [Boot | Running]) -- F:\Windows\System32\drivers\JGOGO.sys (JMicron )
(JRAID [Boot | Running]) -- F:\Windows\System32\drivers\jraid.sys (JMicron Technology Corp.)
(kbdhid [Disabled | Stopped]) -- F:\Windows\System32\drivers\kbdhid.sys (Microsoft Corporation)
(lltdio [Auto | Running]) -- F:\Windows\System32\drivers\lltdio.sys (Microsoft Corporation)
(LSI_FC [Disabled | Stopped]) -- F:\Windows\System32\drivers\lsi_fc.sys (LSI Logic)
(LSI_SAS [Disabled | Stopped]) -- F:\Windows\System32\drivers\lsi_sas.sys (LSI Logic)
(LSI_SCSI [Disabled | Stopped]) -- F:\Windows\System32\drivers\lsi_scsi.sys (LSI Logic)
(luafv [Auto | Running]) -- F:\Windows\System32\drivers\luafv.sys (Microsoft Corporation)
(MBAMSwissArmy [On_Demand | Stopped]) -- F:\Windows\System32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)
(megasas [Disabled | Stopped]) -- F:\Windows\System32\drivers\megasas.sys (LSI Logic Corporation)
(monitor [On_Demand | Running]) -- F:\Windows\System32\drivers\monitor.sys (Microsoft Corporation)
(mpio [Disabled | Stopped]) -- F:\Windows\System32\drivers\mpio.sys (Microsoft Corporation)
(mpsdrv [On_Demand | Running]) -- F:\Windows\System32\drivers\mpsdrv.sys (Microsoft Corporation)
(Mraid35x [Disabled | Stopped]) -- F:\Windows\System32\drivers\Mraid35x.sys (LSI Logic Corporation)
(mrxsmb10 [On_Demand | Running]) -- F:\Windows\System32\drivers\mrxsmb10.sys (Microsoft Corporation)
(mrxsmb20 [On_Demand | Running]) -- F:\Windows\System32\drivers\mrxsmb20.sys (Microsoft Corporation)
(msahci [Disabled | Stopped]) -- F:\Windows\System32\drivers\msahci.sys (Microsoft Corporation)
(msdsm [Disabled | Stopped]) -- F:\Windows\System32\drivers\msdsm.sys (Microsoft Corporation)
(msisadrv [Boot | Running]) -- F:\Windows\System32\drivers\msisadrv.sys (Microsoft Corporation)
(MsRPC [On_Demand | Stopped]) -- F:\Windows\System32\drivers\msrpc.sys (Microsoft Corporation)
(MTsensor [On_Demand | Running]) -- F:\Windows\System32\drivers\ASACPI.sys ()
(NativeWifiP [On_Demand | Stopped]) -- F:\Windows\System32\drivers\nwifi.sys (Microsoft Corporation)
(nfrd960 [Disabled | Stopped]) -- F:\Windows\System32\drivers\nfrd960.sys (IBM Corporation)
(nsiproxy [System | Running]) -- F:\Windows\System32\drivers\nsiproxy.sys (Microsoft Corporation)
(ntrigdigi [Disabled | Stopped]) -- F:\Windows\System32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
(nvlddmkm [On_Demand | Running]) -- F:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
(nvraid [Disabled | Stopped]) -- F:\Windows\System32\drivers\nvraid.sys (NVIDIA Corporation)
(nvstor [Disabled | Stopped]) -- F:\Windows\System32\drivers\nvstor.sys (NVIDIA Corporation)
(nv_agp [On_Demand | Stopped]) -- F:\Windows\System32\drivers\NV_AGP.SYS (Microsoft Corporation)
(pcouffin [On_Demand | Stopped]) -- F:\Windows\System32\drivers\pcouffin.sys (VSO Software)
(PEAUTH [Auto | Running]) -- F:\Windows\System32\drivers\PEAuth.sys (Microsoft Corporation)
(PSched [System | Running]) -- F:\Windows\System32\drivers\pacer.sys (Microsoft Corporation)
(PxHelp20 [Boot | Running]) -- F:\Windows\System32\drivers\PxHelp20.sys (Sonic Solutions)
(ql2300 [Disabled | Stopped]) -- F:\Windows\System32\drivers\ql2300.sys (QLogic Corporation)
(ql40xx [Disabled | Stopped]) -- F:\Windows\System32\drivers\ql40xx.sys (QLogic Corporation)
(QWAVEdrv [On_Demand | Stopped]) -- F:\Windows\System32\drivers\qwavedrv.sys (Microsoft Corporation)
(RasSstp [On_Demand | Running]) -- F:\Windows\System32\drivers\rassstp.sys (Microsoft Corporation)
(RDPENCDD [System | Running]) -- F:\Windows\System32\drivers\RDPENCDD.sys (Microsoft Corporation)
(rspndr [Auto | Running]) -- F:\Windows\System32\drivers\rspndr.sys (Microsoft Corporation)
(RTL8169 [On_Demand | Running]) -- F:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
(sbp2port [Disabled | Stopped]) -- F:\Windows\System32\drivers\sbp2port.sys (Microsoft Corporation)
(secdrv [Auto | Running]) -- F:\Windows\System32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(sermouse [Disabled | Stopped]) -- F:\Windows\System32\drivers\sermouse.sys (Microsoft Corporation)
(sffdisk [Disabled | Stopped]) -- F:\Windows\System32\drivers\sffdisk.sys (Microsoft Corporation)
(sffp_mmc [On_Demand | Stopped]) -- F:\Windows\System32\drivers\sffp_mmc.sys (Microsoft Corporation)
(sffp_sd [On_Demand | Stopped]) -- F:\Windows\System32\drivers\sffp_sd.sys (Microsoft Corporation)
(sisagp [On_Demand | Stopped]) -- F:\Windows\System32\drivers\SISAGP.SYS (Microsoft Corporation)
(SiSRaid2 [Disabled | Stopped]) -- F:\Windows\System32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
(SiSRaid4 [Disabled | Stopped]) -- F:\Windows\System32\drivers\sisraid4.sys (Silicon Integrated Systems)
(Smb [System | Running]) -- F:\Windows\System32\drivers\smb.sys (Microsoft Corporation)
(spldr [Boot | Running]) -- F:\Windows\System32\drivers\spldr.sys (Microsoft Corporation)
(sptd [Boot | Running]) -- F:\Windows\System32\drivers\sptd.sys ()
(srv2 [On_Demand | Running]) -- F:\Windows\System32\drivers\srv2.sys (Microsoft Corporation)
(srvnet [On_Demand | Running]) -- F:\Windows\System32\drivers\srvnet.sys (Microsoft Corporation)
(Symc8xx [Disabled | Stopped]) -- F:\Windows\System32\drivers\symc8xx.sys (LSI Logic)
(Sym_hi [Disabled | Stopped]) -- F:\Windows\System32\drivers\sym_hi.sys (LSI Logic)
(Sym_u3 [Disabled | Stopped]) -- F:\Windows\System32\drivers\sym_u3.sys (LSI Logic)
(tcpipreg [Auto | Running]) -- F:\Windows\System32\drivers\tcpipreg.sys (Microsoft Corporation)
(tdx [System | Running]) -- F:\Windows\System32\drivers\tdx.sys (Microsoft Corporation)
(tssecsrv [On_Demand | Stopped]) -- F:\Windows\System32\drivers\tssecsrv.sys (Microsoft Corporation)
(tunmp [On_Demand | Running]) -- F:\Windows\System32\drivers\TUNMP.SYS (Microsoft Corporation)
(tunnel [On_Demand | Running]) -- F:\Windows\System32\drivers\tunnel.sys (Microsoft Corporation)
(uagp35 [On_Demand | Stopped]) -- F:\Windows\System32\drivers\UAGP35.SYS (Microsoft Corporation)
(uliagpkx [On_Demand | Stopped]) -- F:\Windows\System32\drivers\ULIAGPKX.SYS (Microsoft Corporation)
(uliahci [Disabled | Stopped]) -- F:\Windows\System32\drivers\uliahci.sys (ULi Electronics Inc.)
(UlSata [Disabled | Stopped]) -- F:\Windows\System32\drivers\ulsata.sys (Promise Technology, Inc.)
(ulsata2 [Disabled | Stopped]) -- F:\Windows\System32\drivers\ulsata2.sys (Promise Technology, Inc.)
(umbus [On_Demand | Running]) -- F:\Windows\System32\drivers\umbus.sys (Microsoft Corporation)
(USBAAPL [On_Demand | Stopped]) -- F:\Windows\System32\drivers\usbaapl.sys (Apple, Inc.)
(usbaudio [On_Demand | Running]) -- F:\Windows\System32\drivers\USBAUDIO.sys (Microsoft Corporation)
(usbcir [Disabled | Stopped]) -- F:\Windows\System32\drivers\usbcir.sys (Microsoft Corporation)
(vga [On_Demand | Stopped]) -- F:\Windows\System32\drivers\vgapnp.sys (Microsoft Corporation)
(ViaC7 [Disabled | Stopped]) -- F:\Windows\System32\drivers\viac7.sys (Microsoft Corporation)
(viaide [Disabled | Stopped]) -- F:\Windows\System32\drivers\viaide.sys (VIA Technologies, Inc.)
(volmgr [Boot | Running]) -- F:\Windows\System32\drivers\volmgr.sys (Microsoft Corporation)
(volmgrx [Boot | Running]) -- F:\Windows\System32\drivers\volmgrx.sys (Microsoft Corporation)
(vsmraid [Disabled | Stopped]) -- F:\Windows\System32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
(WacomPen [Disabled | Stopped]) -- F:\Windows\System32\drivers\wacompen.sys (Microsoft Corporation)
(Wd [Disabled | Stopped]) -- F:\Windows\System32\drivers\wd.sys (Microsoft Corporation)
(Wdf01000 [Boot | Running]) -- F:\Windows\System32\drivers\Wdf01000.sys (Microsoft Corporation)
(WmiAcpi [Disabled | Stopped]) -- F:\Windows\System32\drivers\wmiacpi.sys (Microsoft Corporation)
(ws2ifsl [Disabled | Stopped]) -- F:\Windows\System32\drivers\ws2ifsl.sys (Microsoft Corporation)

========== Standard Registry (All) ==========


========== Internet Explorer ==========

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = F:\Windows\system32\blank.htm
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache =
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: (292023 bytes) - F:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 10057 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key does not exist or could not be opened. File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [JMB36X Configure] F:\WINDOWS\system32\JMRaidSetup.exe boot (JMicron Technology Corp.)
O4 - HKLM..\Run: [JMB36X IDE Setup] F:\WINDOWS\JM\JMInsIDE.exe ()
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE F:\Windows\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE F:\Windows\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide (Microsoft Corporation)
O4 - HKCU..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [DAEMON Tools Lite] "F:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun (DT Soft Ltd)
O4 - HKCU..\Run: [ehTray.exe] F:\Windows\ehome\ehTray.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Sidebar] F:\Program Files\Windows Sidebar\sidebar.exe /autoRun (Microsoft Corporation)
O4 - HKCU..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKCU..\Run: [WMPNSCFG] F:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0



O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O15 - HKLM\..Trusted Sites: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Sites: 48 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler: - about - F:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler: - cdl - F:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler: - dvd - F:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler: - file - F:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler: - ftp - F:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler: - http - F:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler: - http\0x00000001 - F:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - http\oledb - F:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - https - F:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler: - https\0x00000001 - F:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - https\oledb - F:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - ipp - No CLSID value found
O18 - Protocol\Handler: - ipp\0x00000001 - F:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - its - F:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler: - javascript - F:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler: - livecall - F:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler: - local - F:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler: - mailto - F:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler: - mhtml - F:\Windows\System32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler: - mk - F:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler: - msdaipp - No CLSID value found
O18 - Protocol\Handler: - msdaipp\0x00000001 - F:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - msdaipp\oledb - F:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - ms-its - F:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler: - msnim - F:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler: - res - F:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler: - tv - F:\Windows\System32\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler: - vbscript - F:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/octet-stream - F:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/x-complus - F:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/x-msdownload - F:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - deflate - F:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - gzip - F:\Windows\System32\urlmon.dll (Microsoft Corporation)
O20 - See sections below for AppInitDlls and Winlogon settings
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}F:\Windows\System32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5}F:\Windows\System32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: (Component Categories cache daemon) - {8C7461EF-2B13-11d2-BE35-3078302C2030} - F:\Windows\System32\browseui.dll (Microsoft Corporation)

========== HKLM Winlogon Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = Explorer.exe
>F:\Windows\explorer.exe (Microsoft Corporation)

"UserInit" = F:\Windows\system32\userinit.exe,
>F:\Windows\System32\userinit.exe (Microsoft Corporation)

"VMApplet" = rundll32 shell32,Control_RunDLL "sysdm.cpl"
>F:\Windows\System32\shell32.dll (Microsoft Corporation)
>F:\Windows\System32\sysdm.cpl (Microsoft Corporation)


========== HKLM *SecurityProviders* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders" = credssp.dll
>F:\Windows\System32\credssp.dll (Microsoft Corporation)

========== LSA *Authentication Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages" = msv1_0,
>F:\Windows\System32\msv1_0.dll (Microsoft Corporation)

========== LSA *Security Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages" = kerberos,msv1_0,schannel,wdigest,tspkg,
>F:\Windows\System32\kerberos.dll (Microsoft Corporation)
>F:\Windows\System32\msv1_0.dll (Microsoft Corporation)
>F:\Windows\System32\schannel.dll (Microsoft Corporation)
>F:\Windows\System32\wdigest.dll (Microsoft Corporation)
>F:\Windows\System32\TSpkg.dll (Microsoft Corporation)

========== Safeboot Options ==========

"AlternateShell" = cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
C:\AUTOEXEC.BAT () -- [ NTFS ]

autoplay.exe [MZ | ]
D:\autoplay.exe () -- [ CDFS ]

autorun.inf [[autorun] | open=autoplay.exe | icon=appicon.ico | | ]
D:\autorun.inf () -- [ CDFS ]

autoexec.bat [REM Dummy file for NTVDM | ]
F:\autoexec.bat () -- [ NTFS ]

autorun.inf [[AutoRun] | open=LaunchU3.exe | icon=LaunchU3.exe,0 | | [Definitions] | Launchpad=LaunchPad.exe | | [CopyFiles] | FileNumber=1 | File1=LaunchPad.zip | ]
H:\autorun.inf () -- [ CDFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{15efdcec-e629-11dc-aecb-806e6f6e6963}\Shell]
"" = AutoRun


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{15efdcec-e629-11dc-aecb-806e6f6e6963}\Shell\AutoRun\command]
"" = D:\autoplay.exe -- [2003/05/21 17:11:08 | 00,061,440 | R--- | M] ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{94ef64cd-fd76-11dc-a51b-000000000000}\Shell]
"" = AutoRun


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{94ef64cd-fd76-11dc-a51b-000000000000}\Shell\AutoRun\command]
"" = G:\setup.exe -- File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a310c167-edba-11dc-8ec6-000000000000}\Shell]
"" = AutoRun


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a310c167-edba-11dc-8ec6-000000000000}\Shell\AutoRun\command]
"" = H:\LaunchU3.exe -- [2006/02/13 19:09:04 | 00,921,600 | R--- | M] ()

========== Files/Folders - Created Within 30 Days ==========

[4 F:\Windows\*.tmp files]
[2009/01/31 17:47:27 | 00,419,328 | ---- | C] (OldTimer Tools) -- F:\Users\Peter\Desktop\OTListIt2.exe
[2009/01/31 15:22:59 | 00,000,000 | ---D | C] -- F:\ComboFix
[2009/01/31 15:22:58 | 00,318,976 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\CF5875.exe
[2009/01/31 15:22:40 | 03,048,418 | R--- | C] () -- F:\Users\Peter\Desktop\ComboFix.exe
[2009/01/31 15:10:33 | 00,318,976 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\CF3439.exe
[2009/01/31 15:05:20 | 00,318,976 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\CF2417.exe
[2009/01/31 15:01:02 | 00,318,976 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\CF1575.exe
[2009/01/31 14:55:14 | 00,318,976 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\CF438.exe
[2009/01/31 14:53:39 | 00,000,000 | ---D | C] -- F:\Qoobox
[2009/01/31 14:53:38 | 00,318,976 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\CF33.exe
[2009/01/31 14:53:18 | 00,031,744 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\swsc.exe
[2009/01/31 14:53:15 | 00,000,000 | ---D | C] -- F:\Users\Peter\AppData\Local\Adobe
[2009/01/31 04:24:34 | 00,050,864 | ---- | C] (ALWIL Software) -- F:\Windows\System32\drivers\aswTdi.sys
[2009/01/31 04:24:34 | 00,023,152 | ---- | C] (ALWIL Software) -- F:\Windows\System32\drivers\aswRdr.sys
[2009/01/31 04:24:34 | 00,001,849 | ---- | C] () -- F:\Users\Public\Desktop\avast! Antivirus.lnk
[2009/01/31 04:24:33 | 00,097,480 | ---- | C] (ALWIL Software) -- F:\Windows\System32\AvastSS.scr
[2009/01/31 04:24:32 | 00,111,184 | ---- | C] (ALWIL Software) -- F:\Windows\System32\drivers\aswSP.sys
[2009/01/31 04:24:32 | 00,020,560 | ---- | C] (ALWIL Software) -- F:\Windows\System32\drivers\aswFsBlk.sys
[2009/01/31 04:24:16 | 01,236,208 | ---- | C] (ALWIL Software) -- F:\Windows\System32\aswBoot.exe
[2009/01/31 04:24:16 | 01,060,864 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\MFC71.dll
[2009/01/31 04:24:16 | 00,380,928 | ---- | C] () -- F:\Windows\System32\actskin4.ocx
[2009/01/31 04:24:16 | 00,051,792 | ---- | C] (ALWIL Software) -- F:\Windows\System32\drivers\aswMonFlt.sys
[2009/01/31 04:24:14 | 00,000,000 | ---D | C] -- F:\Program Files\Alwil Software
[2009/01/30 22:09:54 | 03,578,880 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\mshtml.dll
[2009/01/30 22:09:52 | 01,383,424 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\mshtml.tlb
[2009/01/30 22:04:40 | 00,002,048 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\tzres.dll
[2009/01/30 21:53:42 | 00,105,016 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
[2009/01/30 21:53:42 | 00,097,800 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\infocardapi.dll
[2009/01/30 21:53:41 | 00,622,080 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\icardagt.exe
[2009/01/30 21:53:41 | 00,043,544 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\PresentationHostProxy.dll
[2009/01/30 21:53:41 | 00,037,384 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\infocardcpl.cpl
[2009/01/30 21:53:41 | 00,011,264 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\icardres.dll
[2009/01/30 21:53:40 | 00,781,344 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\PresentationNative_v0300.dll
[2009/01/30 21:53:38 | 00,326,160 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\PresentationHost.exe
[2009/01/30 21:46:34 | 00,096,760 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\dfshim.dll
[2009/01/30 21:46:30 | 00,282,112 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\mscoree.dll
[2009/01/30 21:46:30 | 00,041,984 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\netfxperf.dll
[2009/01/30 21:46:20 | 00,158,720 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\mscorier.dll
[2009/01/30 21:46:16 | 00,083,968 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\mscories.dll
[2009/01/30 21:43:18 | 06,068,736 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\ieframe.dll
[2009/01/30 21:43:17 | 01,166,336 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\urlmon.dll
[2009/01/30 21:43:17 | 00,827,392 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\wininet.dll
[2009/01/30 21:43:16 | 00,671,232 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\mstime.dll
[2009/01/30 21:43:16 | 00,270,336 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\iertutil.dll
[2009/01/30 21:43:16 | 00,028,160 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\jsproxy.dll
[2009/01/30 21:43:11 | 00,428,544 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\EncDec.dll
[2009/01/30 21:43:11 | 00,217,088 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\psisrndr.ax
[2009/01/30 21:43:10 | 00,293,376 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\psisdecd.dll
[2009/01/30 21:43:10 | 00,177,664 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\mpg2splt.ax
[2009/01/30 21:43:10 | 00,080,896 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\MSNP.ax
[2009/01/30 21:42:18 | 00,288,768 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\drivers\srv.sys
[2009/01/30 21:42:14 | 00,028,672 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\Apphlpdm.dll
[2009/01/30 21:42:13 | 04,240,384 | ---- | C] (Microsoft) -- F:\Windows\System32\GameUXLegacyGDFs.dll
[2009/01/30 21:42:10 | 00,443,392 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\win32spl.dll
[2009/01/30 21:42:08 | 00,466,944 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\netapi32.dll
[2009/01/30 21:42:07 | 02,868,736 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\mf.dll
[2009/01/30 21:42:07 | 02,386,944 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\WMVCORE.DLL
[2009/01/30 21:42:06 | 00,996,352 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\WMNetMgr.dll
[2009/01/30 21:42:06 | 00,094,720 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\logagent.exe
[2009/01/30 21:42:04 | 00,296,960 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\gdi32.dll
[2009/01/30 21:42:02 | 00,712,704 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\WindowsCodecs.dll
[2009/01/30 21:42:02 | 00,425,472 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\PhotoMetadataHandler.dll
[2009/01/30 21:42:02 | 00,347,136 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\WindowsCodecsExt.dll
[2009/01/30 21:42:00 | 02,927,104 | ---- | C] (Microsoft Corporation) -- F:\Windows\explorer.exe
[2009/01/30 21:41:57 | 00,147,456 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\Faultrep.dll
[2009/01/30 21:41:57 | 00,125,952 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\wersvc.dll
[2009/01/30 21:41:54 | 00,212,480 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\drivers\mrxsmb10.sys
[2009/01/30 21:41:49 | 11,580,928 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\shell32.dll
[2009/01/30 21:41:40 | 01,191,936 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\msxml3.dll
[2009/01/30 21:41:38 | 02,032,640 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\win32k.sys
[2009/01/30 21:41:37 | 00,241,152 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\PortableDeviceApi.dll
[2009/01/30 21:41:36 | 01,645,568 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\connect.dll
[2009/01/30 21:38:32 | 03,601,464 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\ntkrnlpa.exe
[2009/01/30 21:38:32 | 03,549,240 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\ntoskrnl.exe
[2009/01/30 21:36:16 | 01,334,272 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\msxml6.dll
[2009/01/30 21:27:35 | 01,524,736 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\wucltux.dll
[2009/01/30 21:27:35 | 00,051,224 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\wuauclt.exe
[2009/01/30 21:27:35 | 00,043,544 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\wups2.dll
[2009/01/30 21:27:34 | 01,809,944 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\wuaueng.dll
[2009/01/30 21:27:09 | 00,561,688 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\wuapi.dll
[2009/01/30 21:27:09 | 00,083,456 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\wudriver.dll
[2009/01/30 21:27:09 | 00,034,328 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\wups.dll
[2009/01/30 21:27:02 | 00,162,064 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\wuwebv.dll
[2009/01/30 21:27:02 | 00,031,232 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\wuapp.exe
[2009/01/30 19:58:52 | 00,000,000 | ---D | C] -- F:\Users\Peter\AppData\Roaming\Malwarebytes
[2009/01/30 19:58:51 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- F:\Windows\System32\drivers\mbam.sys
[2009/01/30 19:58:51 | 00,000,818 | ---- | C] () -- F:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/01/30 19:58:49 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- F:\Windows\System32\drivers\mbamswissarmy.sys
[2009/01/30 19:58:48 | 00,000,000 | ---D | C] -- F:\ProgramData\Malwarebytes
[2009/01/30 19:58:47 | 00,000,

#6 Elsino

  • Group: Member
  • Posts: 27
  • Joined: 31-October 07

Posted 31 January 2009 - 04:14 PM

Oh right, I just read the post again and you do need the extra one, so I am putting that one in this post :)

OTListIt Extras logfile created on: 31/01/2009 22:03:08 - Run
OTListIt2 by OldTimer - Version 1.0.4.1 Folder = F:\Users\Peter\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): c:\pagefile.sys 2500 16000;e:\pagefile.sys 0 0;f:\pagefile.sys 5000 10000;

%SystemDrive% = F: | %SystemRoot% = F:\Windows | %ProgramFiles% = F:\Program Files
Drive C: | 186.28 Gb Total Space | 27.42 Gb Free Space | 14.72% Space Free | Partition Type: NTFS
Drive D: | 480.69 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 24.41 Gb Total Space | 5.39 Gb Free Space | 22.06% Space Free | Partition Type: NTFS
Drive F: | 208.46 Gb Total Space | 52.31 Gb Free Space | 25.09% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
Drive H: | 3.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive I: | 957.94 Mb Total Space | 542.89 Mb Free Space | 56.67% Space Free | Partition Type: FAT

Computer Name: PETE
Current User Name: Peter
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\IcmpSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 File not found
C:\call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ ()
C:\Neverwinter Nights 2\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main File not found
C:\Neverwinter Nights 2\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD File not found
C:\Neverwinter Nights 2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server File not found
C:\Neverwinter Nights 2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater File not found
C:\NWN2\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main (Obsidian Entertainment, Inc.)
C:\NWN2\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD (Obsidian Entertainment, Inc.)
C:\NWN2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server (Obsidian Entertainment, Inc.)
C:\NWN2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater (Obsidian Entertainment, Inc.)
F:\games\Crysis\Bin32\Crysis.exe:*:Enabled:Crysis_32 (Crytek GmbH)
F:\games\Crysis\Bin32\CrysisDedicatedServer.exe:*:Enabled:CrysisDedicatedServer_32 (Crytek GmbH)
F:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA ()
F:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB ()

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{000E79B7-E725-4F01-870A-C12942B7F8E4}" = Crysis®
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = JMB36X Raid Configurer
"{3BD633E0-4BF8-4499-9149-88F0767D449C}" = Call of Duty® 4 - Modern Warfare™ 1.4 Patch
"{45235788-142C-44BE-8A4D-DDE9A84492E5}" = AGEIA PhysX v7.09.13
"{4AE3A0CB-87B0-4F51-BECD-3D1F8DFDD62F}" = SAGEM F@st 800-840
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{582D2A53-F426-4C5E-A2E6-43C1AB36B907}" = Safari
"{61150C85-DC0A-4976-922F-5575F388ADA6}" = Notation Player 2.1.2
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{8503C901-85D7-4262-88D2-8D8B2A7B08B8}" = Call of Duty® 4 - Modern Warfare™ 1.5 Patch
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}" = Unreal Tournament 3
"{C6AA3FB7-804F-4808-AD91-B62D6ED9B788}" = Windows Vista Upgrade Advisor
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty® 4 - Modern Warfare™
"{E7DFB6A3-E5F2-4BCC-8B23-A0EACD7B4C63}_is1" = Age of Empires 2 + Conquerors Uninstaller
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{F20C1251-1D0A-4944-B2AE-678581B33B19}" = Neverwinter Nights 2
"{F958CA02-BB40-4007-894B-258729456EE4}" = QuickTime
"4f6dcc3b-179d-4b1b-80f0-b6083a0b3ce6_is1" = The Lord of the Rings Online™: Shadows of Angmar™ v01.04.00.806
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Age of Conan_is1" = Age of Conan - Hyborian Adventures
"avast!" = avast! Antivirus
"Azureus Vuze" = Azureus Vuze
"Diablo II" = Diablo II
"ERUNT_is1" = ERUNT 1.1j
"HijackThis" = HijackThis 2.0.2
"InstallShield_{3BD633E0-4BF8-4499-9149-88F0767D449C}" = Call of Duty® 4 - Modern Warfare™ 1.4 Patch
"InstallShield_{8503C901-85D7-4262-88D2-8D8B2A7B08B8}" = Call of Duty® 4 - Modern Warfare™ 1.5 Multiplayer Patch
"InstallShield_{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty® 4 - Modern Warfare™
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.5)" = Mozilla Firefox (3.0.5)
"NexusTK" = NexusTK
"NVIDIA Drivers" = NVIDIA Drivers
"PunkBusterSvc" = PunkBuster Services
"RealPlayer 6.0" = RealPlayer
"SystemRequirementsLab" = System Requirements Lab
"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2
"The Lost Crown_is1" = The Lost Crown version 1.2
"Warcraft III" = Warcraft III
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"World of Warcraft" = World of Warcraft

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"727d1ea1876aa06e" = WowAceUpdater
"Diablo II" = Diablo II
"InstallShield_{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}" = Unreal Tournament 3
"Warcraft III" = Warcraft III: All Products

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 31/01/2009 11:44:58 | Computer Name = pete | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.0.3257, time stamp 0x4934ead8,
faulting module kernel32.dll, version 6.0.6001.18000, time stamp 0x4791a76d, exception
code 0xe06d7363, fault offset 0x000442eb, process id 0xd20, application start time
0x01c983bade24c882.

Error - 31/01/2009 11:46:35 | Computer Name = pete | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.0.3257, time stamp 0x4934ead8,
faulting module kernel32.dll, version 6.0.6001.18000, time stamp 0x4791a76d, exception
code 0xe06d7363, fault offset 0x000442eb, process id 0x65c, application start time
0x01c983bae2c99872.

Error - 31/01/2009 11:49:22 | Computer Name = pete | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.0.3257, time stamp 0x4934ead8,
faulting module kernel32.dll, version 6.0.6001.18000, time stamp 0x4791a76d, exception
code 0xe06d7363, fault offset 0x000442eb, process id 0x954, application start time
0x01c983bb7a53d892.

Error - 31/01/2009 13:49:36 | Computer Name = pete | Source = Application Error | ID = 1000
Description = Faulting application Explorer.exe, version 6.0.6001.18164, time stamp
0x4907e242, faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791a7a6,
exception code 0xc0000005, fault offset 0x00043111, process id 0xf38, application
start time 0x01c983b95bdda322.

Error - 31/01/2009 13:50:16 | Computer Name = pete | Source = Application Error | ID = 1000
Description = Faulting application Explorer.exe, version 6.0.6001.18164, time stamp
0x4907e242, faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791a7a6,
exception code 0xc0000005, fault offset 0x00043118, process id 0x8a0, application
start time 0x01c983cc48e1d352.

Error - 31/01/2009 13:50:17 | Computer Name = pete | Source = Application Error | ID = 1000
Description = Faulting application Explorer.exe, version 6.0.6001.18164, time stamp
0x4907e242, faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791a7a6,
exception code 0xc0000005, fault offset 0x00043118, process id 0x83c, application
start time 0x01c983cc5ffe1da2.

Error - 31/01/2009 13:50:26 | Computer Name = pete | Source = Application Error | ID = 1000
Description = Faulting application Explorer.exe, version 6.0.6001.18164, time stamp
0x4907e242, faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791a7a6,
exception code 0xc0000005, fault offset 0x0004311a, process id 0x6f0, application
start time 0x01c983cc60977772.

Error - 31/01/2009 15:00:18 | Computer Name = pete | Source = Application Error | ID = 1000
Description = Faulting application Launcher.exe_Blizzard Launcher, version 2.0.0.446,
time stamp 0x496ed03c, faulting module dfxspc.dll, version 0.0.0.0, time stamp
0x2a425e19, exception code 0xc0000005, fault offset 0x00001efe, process id 0xc58,
application start time 0x01c983d625bf55a2.

Error - 31/01/2009 16:13:47 | Computer Name = pete | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.0.3257, time stamp 0x4934ead8,
faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791a7a6, exception
code 0xc0000005, fault offset 0x0003d02b, process id 0x8a0, application start time
0x01c983e051ff6a12.

Error - 31/01/2009 17:59:14 | Computer Name = pete | Source = Application Error | ID = 1000
Description = Faulting application Ventrilo.exe, version 3.0.4.0, time stamp 0x49186014,
faulting module dfxspc.dll, version 0.0.0.0, time stamp 0x2a425e19, exception code
0xc0000005, fault offset 0x000022f6, process id 0xca8, application start time 0x01c983cf38cb24f2.

[ Media Center Events ]
Error - 16/03/2008 07:17:49 | Computer Name = pete | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.SqmFlushSession failed; Win32 GetLastError
returned 0D Process: DefaultDomain Object Name: Media Center Guide

Error - 18/04/2008 12:34:39 | Computer Name = pete | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 24/05/2008 04:04:30 | Computer Name = pete | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 24/05/2008 14:40:03 | Computer Name = pete | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 27/05/2008 12:53:58 | Computer Name = pete | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 07/06/2008 04:27:13 | Computer Name = pete | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

[ System Events ]
Error - 04/09/2008 12:43:13 | Computer Name = pete | Source = Service Control Manager | ID = 7000
Description = The General Purpose USB Driver (e4ldr.sys) service failed to start
due to the following error: %%1058

Error - 05/09/2008 12:30:16 | Computer Name = pete | Source = HTTP | ID = 15016
Description =

Error - 05/09/2008 12:31:34 | Computer Name = pete | Source = Service Control Manager | ID = 7000
Description = The General Purpose USB Driver (e4ldr.sys) service failed to start
due to the following error: %%1058

Error - 05/09/2008 15:20:13 | Computer Name = pete | Source = EventLog | ID = 6008
Description = The previous system shutdown at 20:16:07 on 05/09/2008 was unexpected.

Error - 05/09/2008 15:20:15 | Computer Name = pete | Source = HTTP | ID = 15016
Description =

Error - 05/09/2008 15:21:45 | Computer Name = pete | Source = Service Control Manager | ID = 7000
Description = The General Purpose USB Driver (e4ldr.sys) service failed to start
due to the following error: %%1058

Error - 06/09/2008 04:56:44 | Computer Name = pete | Source = HTTP | ID = 15016
Description =

Error - 06/09/2008 04:58:10 | Computer Name = pete | Source = Service Control Manager | ID = 7000
Description = The General Purpose USB Driver (e4ldr.sys) service failed to start
due to the following error: %%1058

Error - 07/09/2008 03:43:58 | Computer Name = pete | Source = HTTP | ID = 15016
Description =

Error - 07/09/2008 03:45:28 | Computer Name = pete | Source = Service Control Manager | ID = 7000
Description = The General Purpose USB Driver (e4ldr.sys) service failed to start
due to the following error: %%1058


< End of report >

#7 handhfan

  • Group: Malware Removal
  • Posts: 13,659
  • Joined: 15-June 06

Posted 31 January 2009 - 04:20 PM

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.


Please do an online scan with Kaspersky WebScanner

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases

  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply, along with a new HijackThis log.


#8 Elsino

  • Group: Member
  • Posts: 27
  • Joined: 31-October 07

Posted 31 January 2009 - 06:55 PM

I can't do the next step. Every time I go onto a browser it says "high risk security blah blah" and gives me 2 choices: to find protection or to continue unprotected. I'm not going to click "find protection" because I'm pretty sure that's the whole point of the virus, and it instantly shuts down the browser if I click "continue unprotected", or if it doesn't do it immediately it will shortly after. Therefore when JavaRa tells me to click the button to open the website it just doesn't let me. I've been spamming it to try and get it to work long enough to let me download it, but I can't. I did however clear all older versions of Java.

I'm pretty sure the IE Defender that's come up is the cause of all the problems; there's no way to shut it off or delete it in the options. I'll keep trying, but I thought I'd let you know about these problems as there might be another way.

Thanks :)

#9 handhfan

  • Group: Malware Removal
  • Posts: 13,659
  • Joined: 15-June 06

Posted 31 January 2009 - 06:58 PM

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode.
    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight SafeMode, then hit Enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.


  • System Memory
  • Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)


After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
Then choose OK again then you are back to the main screen.

  • Then click on Scan at the top right hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all.
  • If it says it cannot be Neutralized then choose the Delete option when prompted.
  • After that is done click on the reports button at the bottom and save it to file; name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware entries in the report (they will be at the very top under Detected) in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.


#10 Elsino

  • Group: Member
  • Posts: 27
  • Joined: 31-October 07

Posted 01 February 2009 - 03:43 AM

OK, I don't understand this at all. It wouldn't let me stay on the Java site, but when I decided to skip doing the Java part and just go on Kaspersky, the thing didn't close and let me run the scan.
So here's the report from the Kaspersky page:


Sunday, February 1, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, February 01, 2009 01:12:15
Records in database: 1733657


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics
Files scanned 211755
Threat name 6
Infected objects 7
Suspicious objects 0
Duration of the scan 03:53:14

File name Threat name Threats count
F:\Users\Peter\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ALK5YODY\lc10044[1].htm Infected: Trojan-Downloader.JS.Agent.rn 1

F:\Users\Peter\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QFFV9M81\us10044[1].anr Infected: Trojan-Downloader.Win32.Ani.c 1

F:\Users\Peter\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3e448391-6a941d9b Infected: Exploit.Java.ByteVerify 1

F:\Users\Peter\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\5224156f-61fc9bcc Infected: Trojan-Downloader.Java.OpenConnection.ao 2

F:\Users\Peter\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\5224156f-61fc9bcc Infected: Trojan.Java.ClassLoader.au 1

F:\Users\Peter\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\59ef263f-36764693 Infected: Trojan-Downloader.Java.OpenConnection.ar 1

The selected area was scanned.

And a new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:38:53, on 01/02/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Alwil Software\Avast4\ashDisp.exe
F:\Program Files\DAEMON Tools Lite\daemon.exe
F:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
F:\Windows\system32\taskeng.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Windows\System32\mobsync.exe
F:\Windows\system32\SearchFilterHost.exe
F:\Windows\system32\DllHost.exe
F:\Windows\Explorer.exe
F:\Users\Peter\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [JMB36X Configure] F:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [JMB36X IDE Setup] F:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Sidebar] F:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ehTray.exe] F:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] F:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: ERUNT AutoBackup.lnk = F:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: DSLMON.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9429F49-0C1D-4797-A260-ED7EB096DE7D}: NameServer = 212.139.132.56 212.139.132.57
O23 - Service: Apple Mobile Device - Apple Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - F:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - F:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - F:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6138 bytes

#11 handhfan

  • Group: Malware Removal
  • Posts: 13,659
  • Joined: 15-June 06

Posted 01 February 2009 - 04:24 AM

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Files
    F:\Users\Peter\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ALK5YODY\lc10044[1].htm
    F:\Users\Peter\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QFFV9M81\us10044[1].anr
    F:\Users\Peter\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3e448391-6a941d9b
    F:\Users\Peter\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\5224156f-61fc9bcc
    F:\Users\Peter\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\59ef263f-36764693
    
    :Commands
    [emptytemp]
    [start explorer]
    [Reboot]


  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Please post the OTMoveIt3 log, the Uninstall list, and a new HijackThis log in your next reply.
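Added example, not part of the thread or of HijackThis/OTMoveIt3: a small Python triage script that reads HijackThis v2 log lines like the ones posted here and flags the entry types a helper checks first (the `(no file)` BHO asked to be fixed above, `(file missing)` entries, duplicated Run entries, O17 NameServer overrides, and services with no publisher). The sample lines are constructed from entries in this thread; the action labels and rules are my own assumptions, not HijackThis's.

```python
import re
from collections import Counter, namedtuple

# Constructed sample in the shape of the HijackThis v2 logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (file missing)
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9429F49-0C1D-4797-A260-ED7EB096DE7D}: NameServer = 212.139.132.56 212.139.132.57
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HijackThis entry line starts with a section tag such as R0, O2, O4, O17, O23.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

# action: "fix" = tick in HijackThis, "review" = look at by hand, "verify" = confirm with the user
Finding = namedtuple("Finding", "action section reason line")


def parse_entries(log_text):
    """Yield (section, body) for each entry line; header, blank and footer lines are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def triage(log_text):
    """Return the findings a helper would raise for this log (rules are assumptions, see lead-in)."""
    findings = []
    run_seen = Counter()  # O4 autostart entries already encountered (case-folded)
    for sec, body in parse_entries(log_text):
        line = f"{sec} - {body}"
        if sec == "O2" and body.endswith("(no file)"):
            # Orphaned BHO registration: nothing loads, but the CLSID is leftover to clean up.
            findings.append(Finding("fix", sec, "BHO registered but DLL absent", line))
        elif body.endswith("(file missing)"):
            findings.append(Finding("review", sec, "entry points at a missing file", line))
        if sec == "O4":
            key = body.lower()
            run_seen[key] += 1
            if run_seen[key] == 2:  # report a duplicate once, on its second occurrence
                findings.append(Finding("review", sec, "duplicate autostart entry", line))
        if sec == "O17":
            m = re.search(r"NameServer = (.+)$", body)
            if m:  # DNS overrides are legitimate for ISPs but are a classic hijack point
                findings.append(Finding("verify", sec, f"DNS servers overridden: {m.group(1)}", line))
        if sec == "O23" and " - Unknown owner - " in body:
            findings.append(Finding("review", sec, "service with no publisher information", line))
    return findings


def summarize(findings):
    """Count findings per action, e.g. {'fix': 1, 'review': 3, 'verify': 1}."""
    return dict(Counter(f.action for f in findings))


def fix_checklist(findings):
    """The exact log lines to tick before 'Fix Checked' in HijackThis."""
    return [f.line for f in findings if f.action == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.action:6}] {f.section:4} {f.reason}\n         {f.line}")
```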

#12 Elsino

  • Group: Member
  • Posts: 27
  • Joined: 31-October 07

Posted 01 February 2009 - 11:38 AM

Right, well, OTMoveIt had some problems: it went "not responding" and then decided to work after a long pause. I have a feeling Spybot S&D was stopping it from working, but I'm not sure. Either way, I have the 3 logs you requested, so here goes:

First the OTMoveit log:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder F:\Users\Peter\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ALK5YODY\lc10044[1].htm not found.
File/Folder F:\Users\Peter\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QFFV9M81\us10044[1].anr not found.
File/Folder F:\Users\Peter\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3e448391-6a941d9b not found.
File/Folder F:\Users\Peter\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\5224156f-61fc9bcc not found.
File/Folder F:\Users\Peter\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\59ef263f-36764693 not found.
========== COMMANDS ==========
File delete failed. F:\Users\Peter\AppData\Local\Temp\~DF7237.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. F:\Windows\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02012009_172038

Files moved on Reboot...
F:\Users\Peter\AppData\Local\Temp\~DF7237.tmp moved successfully.
File move failed. F:\Windows\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.


Then the uninstall log:

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Age of Conan - Hyborian Adventures
Age of Empires 2 + Conquerors Uninstaller
AGEIA PhysX v7.09.13
Apple Mobile Device Support
Apple Software Update
avast! Antivirus
Azureus Vuze
Bonjour
Call of Duty® 4 - Modern Warfare™
Call of Duty® 4 - Modern Warfare™ 1.4 Patch
Call of Duty® 4 - Modern Warfare™ 1.5 Multiplayer Patch
Crysis®
Diablo II
DivX Codec
DivX Converter
DivX Player
DivX Web Player
ERUNT 1.1j
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java™ 6 Update 7
JMB36X Raid Configurer
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.5)
MSXML 6.0 Parser
Neverwinter Nights 2
NexusTK
Notation Player 2.1.2
NVIDIA Drivers
PunkBuster Services
QuickTime
RealPlayer
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Safari
SAGEM F@st 800-840
Spybot - Search & Destroy
System Requirements Lab
TeamSpeak 2 RC2
The Lord of the Rings Online™: Shadows of Angmar™ v01.04.00.806
The Lost Crown version 1.2
Unreal Tournament 3
Ventrilo Client
Warcraft III
Windows Live installer
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Vista Upgrade Advisor
WinRAR archiver
World of Warcraft

Then the new hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:29:44, on 01/02/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
F:\Windows\system32\Dwm.exe
F:\Windows\Explorer.EXE
F:\Windows\system32\taskeng.exe
F:\Windows\notepad.exe
F:\Program Files\Windows Defender\MSASCui.exe
F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
F:\Windows\System32\rundll32.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Alwil Software\Avast4\ashDisp.exe
F:\Program Files\Windows Sidebar\sidebar.exe
F:\Windows\ehome\ehtray.exe
F:\Program Files\DAEMON Tools Lite\daemon.exe
F:\Program Files\Windows Media Player\wmpnscfg.exe
F:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
F:\Windows\ehome\ehmsas.exe
F:\Users\Peter\Desktop\HiJackThis.exe
F:\Windows\system32\NOTEPAD.EXE
F:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [JMB36X Configure] F:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [JMB36X IDE Setup] F:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Sidebar] F:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ehTray.exe] F:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] F:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: ERUNT AutoBackup.lnk = F:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: DSLMON.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9429F49-0C1D-4797-A260-ED7EB096DE7D}: NameServer = 212.139.132.56 212.139.132.57
O23 - Service: Apple Mobile Device - Apple Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - F:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - F:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - F:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6424 bytes

#13 handhfan

  • Group: Malware Removal
  • Posts: 13,659
  • Joined: 15-June 06

Posted 01 February 2009 - 09:51 PM

Okay, time to try to install Java a little differently:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u11-windows-i586-p.exe and select "Run as an Administrator.")


#14 Elsino

  • Group: Member
  • Posts: 27
  • Joined: 31-October 07

Posted 02 February 2009 - 11:34 AM

OK, I did that. I decided for the sake of things I should post another HijackThis log, just in case it's needed :)

Before the install started it connected me to the internet, which I found odd considering I downloaded an "offline" version, but oh well; it opened up some sort of install thing and did Java.

But here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:30:13, on 02/02/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
F:\Windows\system32\taskeng.exe
F:\Windows\system32\Dwm.exe
F:\Windows\System32\mobsync.exe
F:\Program Files\Windows Defender\MSASCui.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Windows\System32\rundll32.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Alwil Software\Avast4\ashDisp.exe
F:\Program Files\Windows Sidebar\sidebar.exe
F:\Windows\ehome\ehtray.exe
F:\Program Files\DAEMON Tools Lite\daemon.exe
F:\Program Files\Windows Media Player\wmpnscfg.exe
F:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
F:\Windows\ehome\ehmsas.exe
F:\Windows\system32\DllHost.exe
F:\Windows\Explorer.exe
F:\Windows\system32\SearchFilterHost.exe
F:\Users\Peter\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] F:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ehTray.exe] F:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] F:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: ERUNT AutoBackup.lnk = F:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: DSLMON.lnk = ?
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9429F49-0C1D-4797-A260-ED7EB096DE7D}: NameServer = 212.139.132.56 212.139.132.57
O17 - HKLM\System\CCS\Services\Tcpip\..\{C48A4093-4944-4A54-85DD-38695D49F54A}: NameServer = 212.139.132.56 212.139.132.57
O23 - Service: Apple Mobile Device - Apple Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - F:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - F:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 5499 bytes

#15 handhfan

  • Group: Malware Removal
  • Posts: 13,659
  • Joined: 15-June 06

Posted 02 February 2009 - 11:35 AM

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Java™ 6 Update 7

Your logs look clean. There is only a bit of cleanup that we will deal with in this post, as well as prevention from future infections. If you have any questions or other problems, please let me know. Other than that, and the steps below, you should be all set. :)

  • Make sure you have an Internet Connection.
  • Download OTCleanIt to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTCleanIt from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


Please update Adobe Reader, by downloading and installing Adobe Reader 9.

Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
    1. Turn off System Restore.
      On the Desktop, right-click My Computer.
      Click Properties.
      Click the System Restore tab.
      Check Turn off System Restore.
      Click Apply, and then click OK.


    2. Restart your computer.

    3. Turn ON System Restore.
      On the Desktop, right-click My Computer.
      Click Properties.
      Click the System Restore tab.
      UN-Check Turn off System Restore.
      Click Apply, and then click OK.


System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard gives you realtime protection from spyware.
  • Super Antispyware OR Malwarebytes' Anti-Malware to help remove any spyware that may have gotten on your computer.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed.
  • Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see this article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.


To keep your operating system up to date visit Microsoft Windows Update monthly. Remember to be aware of what emails you open and websites you visit.

Have a safe and happy computing day!
