
So Bl00dy Slooooowwww!


  • rizla01
    Right. I did all that (sort of).

    It told me that a couple of apps were running (A-Squared and Avast plus another, I think) but they were not showing in MSCONFIG and not showing in Windows Task Manager, so I ignored it and carried on, having shut down Armour & Avast.

    It then downloaded (asked first) a file from Microsoft, telling me that it will not proceed unless RECOVERY CONSOLE was installed, so I let it. It then commenced the clean up, so I went and had a coffee, watched the end of the Denmark/Cameroon match and returned to a dead screen, which jumped into life after a few key clicks.

    Had to reset my IE home page, but it is now running like a virgin.

    Too soon to see if everything is working well, and it'd be interesting to see what happens on a re-boot, but it certainly seems to have done a lot of good.
    Thx

    Here is the log it left behind.

    ComboFix 09-07-28.01 - Terry 29/07/2009 10:32.1.2 - NTFSx86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1726 [GMT 1:00]
    Running from: g:\downloads\ComboFix.exe
    AV: a-squared Anti-Malware *On-access scanning disabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}
    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: avast! antivirus 4.8.1229 [VPS 080911-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\Terry\Application Data\.#
    c:\recycler\S-1-5-21-789336058-1060284298-854245398-500
    c:\windows\Installer\176ea58.msi
    c:\windows\system32\mfc45.dll
    .
    ((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-29 )))))))))))))))))))))))))))))))
    .
    2009-07-29 09:43 . 2009-07-29 09:43 d-----w- c:\program files\Dell
    2009-07-25 07:44 . 2009-07-25 07:44 d-----w- c:\windows\system32\wbem\Repository
    2009-07-20 21:13 . 2009-07-20 21:13 15620 ----a-w- c:\windows\system32\SystemRes13.sm.SYS
    2009-07-20 21:11 . 2009-07-25 07:38 d-----w- c:\program files\SysResources Manager
    2009-07-20 21:11 . 2009-07-20 21:11 d-----w- c:\windows\SysResources Manager
    2009-07-02 21:31 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2009-07-02 21:31 . 2009-03-24 15:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2009-07-02 21:31 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2009-07-02 21:31 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2009-07-02 21:31 . 2009-07-02 21:31 d-----w- c:\program files\Avira
    2009-07-02 21:31 . 2009-07-02 21:31 d-----w- c:\documents and settings\All Users\Application Data\Avira
    2009-06-29 11:15 . 2009-03-30 14:58 7 ----a-w- c:\windows\sysres10.dat
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-29 09:41 . 2009-04-26 08:35 d-----w- c:\documents and settings\Terry\Application Data\Clipdiary
    2009-07-29 09:15 . 2009-06-23 21:01 d-----w- c:\documents and settings\Terry\Application Data\Orbit
    2009-07-29 09:13 . 2008-08-05 15:59 d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-07-29 09:13 . 2008-12-14 20:17 d-----w- c:\documents and settings\Terry\Application Data\Azureus
    2009-07-25 13:28 . 2008-10-01 10:07 d-----w- c:\program files\MPlayer for Windows
    2009-07-19 18:50 . 2009-05-06 09:24
    d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-07-19 13:05 . 2008-08-04 17:04 d-----w- c:\documents and settings\Terry\Application Data\Canon
    2009-07-19 09:00 . 2008-08-05 09:47 179792 ----a-w- c:\windows\system32\guard32.dll
    2009-07-19 09:00 . 2008-08-05 09:47 132040 ----a-w- c:\windows\system32\drivers\cmdguard.sys
    2009-07-13 12:36 . 2008-12-30 12:24 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-07-13 12:36 . 2008-12-30 12:24 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-10 08:55 . 2008-10-30 10:11 141 ----a-w- c:\windows\system32\09wutili.sys
    2009-07-02 21:51 . 2008-08-05 09:47 86976 ----a-w- c:\windows\system32\drivers\inspect.sys
    2009-07-02 21:51 . 2008-08-05 09:47 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2009-07-01 09:40 . 2008-08-04 15:15
    d--h--w- c:\program files\InstallShield Installation Information
    2009-07-01 08:01 . 2008-07-15 18:07 d-----w- c:\documents and settings\Terry\Application Data\ArcticLine
    2009-06-27 17:46 . 2009-06-27 17:46 d-----w- c:\program files\Microsoft ActiveSync
    2009-06-27 10:19 . 2009-06-27 10:19 d-----w- c:\documents and settings\Terry\Application Data\GrabPro
    2009-06-26 17:55 . 2009-03-20 09:15 d-----w- c:\documents and settings\Terry\Application Data\NetStat Agent
    2009-06-23 21:06 . 2008-11-15 13:23 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-06-23 21:05 . 2009-06-23 21:05 152576 ----a-w- c:\documents and settings\Terry\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
    2009-06-23 20:58 . 2009-06-23 20:58 d-----w- c:\program files\Opera
    2009-06-23 20:57 . 2009-06-20 17:48 d-----w- c:\program files\QuickTime
    2009-06-21 15:49 . 2009-06-21 15:40 d-----w- c:\documents and settings\Terry\Application Data\Audio Recorder Titanium
    2009-06-20 17:48 . 2009-06-20 17:48 d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2009-06-19 09:04 . 2009-06-26 15:35 144246 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
    2009-06-18 17:26 . 2009-06-18 17:26 d-----w- c:\program files\Common Files\Macromedia
    2009-06-17 14:46 . 2009-06-17 14:46 d-----w- c:\program files\Common Files\SupportSoft
    2009-06-16 21:16 . 2009-06-16 21:16 d-----w- c:\documents and settings\Terry\Application Data\Jasc
    2009-06-16 14:36 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 14:36 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-15 08:29 . 2008-08-04 15:09 59232 ----a-w- c:\documents and settings\Terry\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-15 08:14 . 2009-02-06 12:48 d-----w- c:\program files\Microsoft Works
    2009-06-14 19:51 . 2009-05-04 16:42 d-----w- c:\documents and settings\Terry\Application Data\Systweak
    2009-06-14 18:26 . 2009-06-14 18:25 30996544 ----a-w- c:\documents and settings\All Users\Application Data\Systweak\Advanced System Protector\Antispyware_Setup_6_14_2009.exe
    2009-06-13 11:10 . 2009-06-13 11:10 d-----w- c:\program files\CCleaner
    2009-06-12 22:47 . 2009-06-12 22:47 d-----w- c:\documents and settings\Terry\Application Data\TeamViewer
    2009-06-12 22:47 . 2009-06-12 22:47 d-----w- c:\program files\TeamViewer
    2009-06-03 19:09 . 2004-08-04 10:00 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-06-01 16:16 . 2009-06-15 08:28 96548 ----a-w- c:\windows\Fonts\Mute Fruit Black Krash.ttf
    2009-06-01 16:16 . 2009-06-15 08:28 74416 ----a-w- c:\windows\Fonts\Ravie.ttf
    2009-06-01 16:16 . 2009-06-15 08:28 28452 ----a-w- c:\windows\Fonts\Happy.ttf
    2009-06-01 16:16 . 2009-06-15 08:28 18252 ----a-w- c:\windows\Fonts\Padaloma.ttf
    2009-06-01 16:16 . 2009-06-15 08:28 11436 ----a-w- c:\windows\Fonts\Excelsior.ttf
    2009-06-01 16:16 . 2009-06-15 08:28 27064 ----a-w- c:\windows\Fonts\Big Lou.ttf
    2009-06-01 16:16 . 2009-06-15 08:28 113656 ----a-w- c:\windows\Fonts\Base 02.ttf
    2009-06-01 16:16 . 2009-06-15 08:28 113088 ----a-w- c:\windows\Fonts\Blazed.ttf
    2009-06-01 16:16 . 2009-06-15 08:28 101460 ----a-w- c:\windows\Fonts\Caveman.ttf
    2009-06-01 16:16 . 2009-06-15 08:28 54996 ----a-w- c:\windows\Fonts\ActionIs.ttf
    2009-06-01 16:16 . 2009-06-15 08:28 164604 ----a-w- c:\windows\Fonts\A Cut Above The Rest.ttf
    2009-05-29 14:35 . 2008-08-05 08:42 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
    2009-05-18 18:16 . 2009-05-18 18:16 1144808 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\aimtunes\AIMTunes.exe
    2009-05-13 05:15 . 2006-03-04 03:33 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-05-07 15:32 . 2004-08-04 10:00 345600 ----a-w- c:\windows\system32\localspl.dll
    2009-05-06 18:11 . 2009-05-06 18:11 69120 ----a-w- c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\aimtbres.dll
    2009-05-04 16:41 . 2009-05-04 16:40 17136 ----a-w- c:\windows\system32\sasnative32.exe
    2008-12-30 13:39 . 2008-12-30 13:39 212 ----a-w- c:\program files\daxu.txt
    2006-05-03 09:06 . 2008-11-20 09:47 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47 . 2008-11-20 09:47 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30 . 2008-11-20 09:47 216064 --sh--r- c:\windows\system32\nbDX.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RoboForm"="d:\roboform\RoboTaskBarIcon.exe" [2009-05-08 160592]
    "SysResources Manager"="c:\program files\SysResources Manager\SysResManager.exe" [2009-06-29 598016]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COMODO Firewall Pro"="e:\comodo\Firewall\cfp.exe" [2009-07-06 1793808]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "COMODO Internet Security"="e:\comodo\Firewall\cfp.exe" [2009-07-06 1793808]
    c:\documents and settings\Terry\Start Menu\Programs\Startup\
    Stardock ObjectDock.lnk - g:\program files\Stardock\ObjectDock\ObjectDock.exe [2008-11-24 3450608]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Clipdiary.lnk - d:\clipdiary\clipdiary.exe [2009-4-22 1741824]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{1214FBE7-4464-4A7E-9958-B5851A7A30A3}"= "d:\program files\RecentX\RecentX\RXShell.dll" [2008-06-12 77824]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Calendar Magic.lnk]
    backup=c:\windows\pss\Calendar Magic.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^Terry^Start Menu^Programs^Startup^Alienware Dock.lnk]
    backup=c:\windows\pss\Alienware Dock.lnkStartup
    [HKLM\~\startupfolder\C:^Documents and Settings^Terry^Start Menu^Programs^Startup^Lutloader.lnk]
    backup=c:\windows\pss\Lutloader.lnkStartup
    [HKLM\~\startupfolder\C:^Documents and Settings^Terry^Start Menu^Programs^Startup^RecentX.lnk]
    backup=c:\windows\pss\RecentX.lnkStartup
    [HKLM\~\startupfolder\C:^Documents and Settings^Terry^Start Menu^Programs^Startup^Secunia PSI.lnk]
    backup=c:\windows\pss\Secunia PSI.lnkStartup
    [HKLM\~\startupfolder\C:^Documents and Settings^Terry^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
    backup=c:\windows\pss\Stardock ObjectDock.lnkStartup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ThreatFire"=2 (0x2)
    "ioloSystemService"=2 (0x2)
    "ioloFileInfoList"=2 (0x2)
    "NBService"=3 (0x3)
    "WMPNetworkSvc"=3 (0x3)
    "WLSetupSvc"=3 (0x3)
    "usnjsvc"=3 (0x3)
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "HotKeysCmds"=c:\windows\system32\hkcmd.exe
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "d:\\PhraseExpress\\phraseexpress.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "g:\\Orbitdownloader\\orbitdm.exe"=
    "g:\\Orbitdownloader\\orbitnet.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
    "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
    "500:UDP"= 500:UDP:@xpsp2res.dll,-22017
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [29/04/2009 22:56 40368]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [26/12/2008 23:14 28544]
    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [25/12/2008 12:41 51488]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [25/12/2008 12:41 39200]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [04/08/2008 23:01 78416]
    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [05/08/2008 10:47 132040]
    R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [05/08/2008 10:47 25160]
    R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [05/08/2008 09:42 95592]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [02/07/2009 22:31 108289]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [04/08/2008 23:01 20560]
    R2 dvdmmg;dvdmmg;c:\windows\system32\drivers\dvdmmg.sys [06/09/2007 11:15 5504]
    R2 VDDriver;Virtual Disk Driver;d:\virtual disk\VDDriver.sys [22/05/2009 13:39 40952]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [18/05/2009 19:15 24652]
    R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [14/05/2009 12:05 16640]
    S3 BCASPROT;Advanced System Protector;c:\program files\Systweak\Advanced System Protector\sasprot32.sys [04/05/2009 17:42 6656]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [24/03/2009 12:03 7808]
    S3 se_filter;System Explorer Filter Driver;c:\windows\system32\drivers\SE_Filter.sys [02/01/2009 12:18 9216]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [25/12/2008 12:41 33056]
    S4 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [15/08/2008 13:20 596328]
    S4 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [15/08/2008 13:20 596328]
    S4 ThreatFire;ThreatFire;g:\threatfire\TFService.exe service --> g:\threatfire\TFService.exe service [?]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder
    2009-07-24 c:\windows\Tasks\1-Click Maintenance.job
    - g:\tune up utilities\SystemOptimizer.exe [2007-08-02 19:35]
    2009-07-25 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    2009-07-29 c:\windows\Tasks\GlaryInitialize.job
    - g:\glary utilities\initialize.exe [2009-01-12 12:51]
    2009-07-29 c:\windows\Tasks\User_Feed_Synchronization-{8ED07C76-0A78-4661-870E-CF91F4A2F154}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
    2009-03-27 c:\windows\Tasks\Wise Registry Cleaner 4.job
    - g:\wise registry cleaner\WiseRegistryCleaner.exe [2009-03-27 21:27]
    .
    - - - - ORPHANS REMOVED - - - -
    Notify-WB - (no file)

    .
    Supplementary Scan
    .
    uStart Page = hxxp://mail.live.com/default.aspx?&n=1721578409
    uInternet Connection Wizard,ShellNext = iexplore
    IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
    IE: &Download by Orbit - g:\orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - g:\orbitdownloader\orbitmxt.dll/204
    IE: >Search in Linkman - file://c:\documents and settings\Terry\My Documents\Linkman\iescript_search.htm
    IE: Add to Linkman - file://c:\documents and settings\Terry\My Documents\Linkman\iescript_add.htm
    IE: Add to Linkman and Edit - file://c:\documents and settings\Terry\My Documents\Linkman\iescript_edit.htm
    IE: Customize Menu - file://d:\roboform\RoboFormComCustomizeIEMenu.html
    IE: Do&wnload selected by Orbit - g:\orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - g:\orbitdownloader\orbitmxt.dll/202
    IE: Fill Forms - file://d:\roboform\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://d:\roboform\RoboFormComShowToolbar.html
    IE: Save Forms - file://d:\roboform\RoboFormComSavePass.html
    IE: Show Linkman - file://c:\documents and settings\Terry\My Documents\Linkman\iescript_show.htm
    IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    IE: Zoom &in - c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomin.htm
    IE: Zoom &out - c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.htm
    DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} - hxxps://internetbankingplus2.firstdirect.com/ibplus/frontdoorFD.cab
    FF - ProfilePath - c:\documents and settings\Terry\Application Data\Mozilla\Firefox\Profiles\hcc9h5r6.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
    FF - component: d:\roboform\Firefox\components\rfproxy_27.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npdjvu.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    ---- FIREFOX POLICIES ----
    FF - user.js: network.http.max-connections-per-server - 8
    FF - user.js: network.http.max-persistent-connections-per-server - 4
    FF - user.js: content.max.tokenizing.time - 200000
    FF - user.js: content.notify.interval - 100000
    FF - user.js: content.switch.threshold - 650000
    FF - user.js: nglayout.initialpaint.delay - 300
    .
    .
    File Associations
    .
    JSEFile=NOTEPAD.EXE %1
    VBEFile=NOTEPAD.EXE %1
    VBSFile=NOTEPAD.EXE %1
    .
    **************************************************************************
    catchme 0.3.1398.3 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-29 10:43
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    [HKEY_USERS\S-1-5-21-746137067-606747145-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
    @Denied: (Full) (LocalSystem)
    [HKEY_USERS\S-1-5-21-746137067-606747145-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{63B97F04-9032-2D21-7BE0-EA7F7AE7EE4B}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "nanhidfkkcpkpahaeliapjmohhon"=hex:6a,61,65,67,68,69,66,68,66,65,6b,6d,6d,63,
    68,6f,65,68,6b,70,00,0c
    "madhoahnjofkbbmejiepajomch"=hex:6a,61,65,67,68,69,66,68,66,65,6b,6d,6d,63,68,
    6f,65,68,6b,70,00,56
    "abbaoepgoddjdfkamchgkahkhkddfmehpc"=hex:61,62,6b,68,62,64,67,68,65,6c,67,67,
    64,67,6c,6a,64,62,6a,64,63,6d,70,67,70,6a,70,6e,61,6e,6a,63,62,66,00,77
    "maoppejgogbliogaieoebfhdhf"=hex:64,62,64,68,6d,66,65,66,6b,65,6e,68,6a,68,6a,
    63,64,63,66,69,61,62,70,63,61,68,6c,70,6a,61,6d,68,62,65,69,6a,69,64,6c,6b,\
    [HKEY_USERS\S-1-5-21-746137067-606747145-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8AA92D77-C3A3-884A-7EA8-1CD3D0BBD18D}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    [HKEY_LOCAL_MACHINE\software\Microsoft\EncryptionInterface*]
    "l_encryption_d"="585A4A574A5F"
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'explorer.exe'(596)
    c:\windows\system32\WININET.dll
    g:\program files\Stardock\ObjectDock\DockShellHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\mshtml.dll
    c:\windows\system32\msls31.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    e:\comodo\Firewall\cmdagent.exe
    g:\adaware\aawservice.exe
    c:\windows\system32\devldr32.exe
    e:\asquared\a-squared Anti-Malware\a2service.exe
    g:\a-squared free\a2service.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\msiexec.exe
    c:\windows\system32\msiexec.exe
    c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
    .
    **************************************************************************
    .
    Completion time: 2009-07-29 10:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-07-29 09:48
    Pre-Run: 29,898,956,800 bytes free
    Post-Run: 29,935,132,672 bytes free
    317 --- E O F --- 2009-07-20 02:04
  • aliEnRIK
    Can you please run a fresh hijack log.
    Combofix seems to think you've all sorts of security on the machine now!
  • aliEnRIK
    (Do this AFTER the fresh hijack log)

    Open notepad and copy/paste the text in RED below

    File::
    c:\windows\system32\SystemRes13.sm.SYS
    c:\windows\sysres10.dat
    c:\windows\system32\09wutili.sys
    c:\windows\system32\sasnative32.exe
    c:\program files\daxu.txt


    Save this as "CFScript" (FULL file will be 'CFScript.txt' EXACTLY as shown)

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    [screenshot: CFScript.gif]


    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

    Combofix should never take more than 30 minutes including the reboot if malware is detected.
    If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time), and end any processes of findstr, find, sed or swreg; then combofix should continue.
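Added example (not part of the thread, and not something either poster ran): a small Python triage script that reads the kinds of lines ComboFix and HijackThis print in this thread and flags the entries a helper would look at first. It flags files carrying both hidden and system attributes (the `--sh--r-` DLLs in the Find3M report), `.sys` files sitting directly in `system32` rather than `system32\drivers` (a heuristic, not a verdict), a `BootExecute` value with anything beyond the default `autocheck autochk *` (here `sasnative32`, which is also what the CFScript above targets), Windows Firewall switched off (expected when a third-party firewall such as COMODO is in use), and an IE proxy pointing at loopback (the `127.0.0.1:5555` entry in the HijackThis log that follows). It then renders flagged paths as the `File::` section of a CFScript.txt in the layout aliEnRIK gives. The sample lines are copied from the logs in this thread; the `Finding` class, the check names and the heuristics are this example's own, and the flagged entries are candidates to research, not a deletion list (aliEnRIK's hand-picked list differs, and the hidden DLLs flagged here were not on it).

```python
"""Triage helper for ComboFix / HijackThis log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Finding:
    kind: str    # which check fired (names are this example's own)
    detail: str  # the path or value that triggered it


# ComboFix file line: "<mtime> . <ctime> [size] <8-char attrs> <path>"
CF_FILE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d"
    r"(?: (?P<size>\d+))? (?P<attrs>[-dshraw]{8}) (?P<path>.+)$"
)
# ComboFix prints the REG_MULTI_SZ BootExecute value with \0 between elements.
BOOTEXEC = re.compile(r"^BootExecute REG_MULTI_SZ (?P<value>.+)$")
FIREWALL_OFF = re.compile(r'^"EnableFirewall"= 0\b')
# HijackThis R1 line for the IE proxy setting.
HJT_PROXY = re.compile(r"^R1 - .*ProxyServer = (?P<value>.+)$")

DEFAULT_BOOTEXEC = "autocheck autochk *"
SYSTEM32 = "c:\\windows\\system32\\"


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per check that fires, in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = CF_FILE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            low = path.lower()
            # A file (not a directory) marked both system and hidden is unusual
            # outside Windows' own files and deserves a look.
            if not attrs.startswith("d") and "s" in attrs and "h" in attrs:
                findings.append(Finding("hidden_system_file", path))
            # Heuristic only: kernel drivers normally live under system32\drivers.
            if low.startswith(SYSTEM32) and low.endswith(".sys") and "\\drivers\\" not in low:
                findings.append(Finding("sys_outside_drivers", path))
            continue
        m = BOOTEXEC.match(line)
        if m:
            for entry in m.group("value").split("\\0"):
                if entry and entry != DEFAULT_BOOTEXEC:
                    findings.append(Finding("extra_bootexecute", entry))
            continue
        if FIREWALL_OFF.match(line):
            # Expected when a third-party firewall (COMODO here) replaces the Windows one.
            findings.append(Finding("windows_firewall_disabled", line))
            continue
        m = HJT_PROXY.match(line)
        if m and re.search(r"127\.0\.0\.1|localhost", m.group("value")):
            findings.append(Finding("loopback_proxy", m.group("value")))
    return findings


def candidate_paths(findings: Iterable[Finding]) -> List[str]:
    """File paths an analyst might research before putting them in a File:: section."""
    out: List[str] = []
    for f in findings:
        if f.kind in ("hidden_system_file", "sys_outside_drivers") and f.detail not in out:
            out.append(f.detail)
    return out


def build_cfscript(paths: Iterable[str]) -> str:
    """Render the File:: section of a CFScript.txt in the layout the thread uses."""
    return "File::\n" + "".join(p + "\n" for p in paths)


# Constructed sample: lines copied from the ComboFix and HijackThis logs in this thread.
SAMPLE_LOG = r"""
2009-07-20 21:13 . 2009-07-20 21:13 15620 ----a-w- c:\windows\system32\SystemRes13.sm.SYS
2009-07-02 21:31 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-10 08:55 . 2008-10-30 10:11 141 ----a-w- c:\windows\system32\09wutili.sys
2009-07-29 09:43 . 2009-07-29 09:43 d-----w- c:\program files\Dell
2006-05-03 09:06 . 2008-11-20 09:47 163328 --sh--r- c:\windows\system32\flvDX.dll
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32
"EnableFirewall"= 0 (0x0)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
""".strip().splitlines()


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h.kind:28} {h.detail}")
    print(build_cfscript(candidate_paths(hits)))
```

Run it against a saved ComboFix.txt or hijackthis.log with `triage(open(path, encoding="latin-1"))`; the regexes assume the single-space column layout the logs have once pasted into the forum, so tab-separated originals should be normalised first. The loopback-proxy and firewall checks are there because a helper would want them explained, not because either is proof of infection on its own.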
  • rizla01
    edited 20 June 2010 at 7:19PM
    OK Rick,

    First, here's the Hijack log.

    Secondly, do I once again close all AV & firewall progs BEFORE dragging the notepad file to ComboFix?

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:04:25, on 20/06/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Tall Emu\Online Armor\OAcat.exe
    C:\Program Files\Tall Emu\Online Armor\oasrv.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    G:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Documents and Settings\Terry\Desktop\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by150w.bay150.mail.live.com/default.aspx?&n=1721578409
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\Roboform\roboform.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Roboform\roboform.dll
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
    O4 - HKCU\..\Run: [StartMenu7] "F:\Start Menu 7\StartMenu7.exe"
    O4 - S-1-5-18 Startup: Lutloader.lnk = I:\Lutcurve\lutloader.exe (User 'SYSTEM')
    O4 - S-1-5-18 Startup: Stardock ObjectDock.lnk = G:\Program Files\Stardock\ObjectDock\ObjectDock.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Lutloader.lnk = I:\Lutcurve\lutloader.exe (User 'Default user')
    O4 - .DEFAULT Startup: Stardock ObjectDock.lnk = G:\Program Files\Stardock\ObjectDock\ObjectDock.exe (User 'Default user')
    O4 - Startup: Lutloader.lnk = I:\Lutcurve\lutloader.exe
    O4 - Startup: Stardock ObjectDock.lnk = G:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O8 - Extra context menu item: Customize Menu - file://D:\Roboform\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms - file://D:\Roboform\RoboFormComFillForms.html
    O8 - Extra context menu item: Password Generator - file://D:\Roboform\RoboFormComPasswordGenerator.html
    O8 - Extra context menu item: RoboForm Toolbar - file://D:\Roboform\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://D:\Roboform\RoboFormComSavePass.html
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O8 - Extra context menu item: Zoom &in - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomin.htm
    O8 - Extra context menu item: Zoom &out - C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.htm
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Roboform\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Roboform\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Roboform\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Roboform\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Roboform\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Roboform\RoboFormComShowToolbar.html
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\SPYBOT~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\SPYBOT~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (first direct internet banking plus digital safe) - https://internetbankingplus2.firstdirect.com/ibplus/frontdoorFD.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1218797834562
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    O20 - Winlogon Notify: !SASWinLogon - G:\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
    O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
    --
    End of file - 8494 bytes
    "Unhappiness is not knowing what we want, and killing ourselves to get it."
    Post Count: 4,111 Thanked 3,111 Times in 1,111 Posts (Actual figures as they once were))
    Women and cats will do as they please, and men and dogs should relax and get used to the idea.
  • I may be wrong, but I believe you switch off all your antivirus and firewall etc. first, then drag that notepad thing mentioned above.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Yes please
    :idea:
  • rizla01
    rizla01 Posts: 7,260 Forumite
    edited 21 June 2010 at 7:32PM
    Hi Rik,

    Hopefully I have done this OK, but although I uninstalled a-Squared, ComboFix still showed it as running, and I continued to run it.

    If I were to run it now (having re-booted) I doubt if A-Squared would show up.
    Let me know if you need me to do that, please.

    Anyhow, here is the full log that CF left.

    ComboFix 10-06-20.06 - Terry 21/06/2010 18:56:24.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1501 [GMT 1:00]
    Running from: G:\querty.exe
    Command switches used :: G:\CFScript.txt
    AV: a-squared Anti-Malware *On-access scanning enabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
    FILE ::
    "c:\program files\daxu.txt"
    "c:\windows\sysres10.dat"
    "c:\windows\system32\09wutili.sys"
    "c:\windows\system32\sasnative32.exe"
    "c:\windows\system32\SystemRes13.sm.SYS"
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\program files\daxu.txt
    c:\windows\sysres10.dat
    c:\windows\system32\09wutili.sys
    c:\windows\system32\sasnative32.exe
    c:\windows\system32\SystemRes13.sm.SYS
    .
    ---- Previous Run
    .
    C:\Thumbs.db
    c:\windows\system32\drivers\is-B3E9A.tmp
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\ini\DTYPE.CPG
    c:\windows\system32\ini\DTYPE.FLS
    c:\windows\system32\ini\DTYPE.PAT
    c:\windows\system32\ini\DTYPE.PHY
    c:\windows\system32\ini\DTYPE.STL
    c:\windows\system32\ini\gs002.gsl
    c:\windows\system32\ini\gs004.gsl
    c:\windows\system32\ini\gs006.gsl
    c:\windows\system32\ini\gs016.gsl
    c:\windows\system32\ini\gs256.gsl
    c:\windows\system32\ini\gssqrt.gsl
    c:\windows\system32\Packet.dll
    c:\windows\system32\pthreadVC.dll
    c:\windows\system32\SHELLLNK.TLB
    c:\windows\system32\wpcap.dll
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    \Legacy_NPF
    \Service_NPF

    ((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))
    .
    2010-06-19 14:42 . 2010-06-19 14:42 dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
    2010-06-19 14:42 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
    2010-06-16 21:05 . 2010-06-16 22:54 d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
    2010-06-16 21:05 . 2010-06-16 21:05 d-----w- c:\documents and settings\Terry\Application Data\OnlineArmor
    2010-06-16 21:04 . 2010-04-20 03:13 24440 ----a-w- c:\windows\system32\drivers\OAmon.sys
    2010-06-16 21:04 . 2010-04-20 03:13 29560 ----a-w- c:\windows\system32\drivers\OAnet.sys
    2010-06-16 21:04 . 2010-04-20 03:13 228216 ----a-w- c:\windows\system32\drivers\OADriver.sys
    2010-06-16 21:04 . 2010-06-16 21:04 d-----w- c:\program files\Tall Emu
    2010-06-15 21:28 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-06-15 21:28 . 2010-06-15 21:28 d-----w- c:\program files\Alwil Software
    2010-06-15 21:28 . 2010-06-15 21:28 d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-06-14 20:44 . 2010-06-21 17:50 d-----w- c:\documents and settings\Terry\Application Data\Panda Security
    2010-06-14 20:43 . 2010-06-14 20:43 d-----w- c:\documents and settings\All Users\Application Data\Panda Security
    2010-06-14 16:48 . 2009-06-30 08:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-06-14 15:49 . 2010-06-14 15:49 d-----w- c:\windows\system32\wbem\Repository
    2010-06-10 17:46 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2010-06-08 08:41 . 2010-06-08 08:41 d-----w- c:\documents and settings\Terry\Application Data\Ashampoo
    2010-06-08 08:41 . 2010-06-08 08:41 d-----w- c:\documents and settings\Terry\Local Settings\Application Data\ashampoo
    2010-06-08 08:41 . 2010-06-08 08:41 d-----w- c:\documents and settings\All Users\Application Data\ashampoo
    2010-05-26 22:02 . 2010-05-26 22:02 d-----w- c:\documents and settings\Terry\Local Settings\Application Data\Aston2
    2010-05-26 22:02 . 2010-05-26 22:21 d-----w- c:\documents and settings\Terry\Application Data\Aston2
    2010-05-25 09:21 . 2010-05-25 09:21 d-----w- c:\documents and settings\All Users\Application Data\explauncher
    2010-05-25 09:21 . 2010-05-25 09:21 d-----w- c:\documents and settings\All Users\Application Data\launcher
    2010-05-25 09:20 . 2010-05-25 09:20 d-----w- c:\program files\Paragon Software
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-21 17:49 . 2010-06-21 17:49 70 ----a-w- c:\windows\RAVTC.TMP
    2010-06-19 14:54 . 2010-04-24 22:52 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-06-19 14:42 . 2009-10-15 16:10 d-----w- c:\program files\Lavasoft
    2010-06-19 14:42 . 2008-08-22 08:46 d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-06-18 11:01 . 2009-01-02 11:15 d-----w- c:\documents and settings\All Users\Application Data\SystemExplorer
    2010-06-17 21:58 . 2009-05-06 09:24 d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-06-17 21:38 . 2010-04-20 08:37 d-----w- c:\documents and settings\Terry\Application Data\Start Menu 7
    2010-06-16 16:03 . 2009-05-18 18:15 d-----w- c:\program files\Common Files\AOL
    2010-06-16 15:59 . 2009-10-15 14:00 d-----w- c:\program files\Opera 10.10 Beta
    2010-06-16 15:55 . 2009-05-18 18:16 d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
    2010-06-14 20:43 . 2008-09-12 18:28 d-----w- c:\program files\Panda Security
    2010-06-14 17:00 . 2009-10-28 09:09 d-----w- c:\documents and settings\Terry\Application Data\GoodSync
    2010-06-11 18:47 . 2009-09-20 08:30 d-----w- c:\program files\Microsoft Silverlight
    2010-05-27 21:41 . 2008-09-24 17:20 d-----w- c:\documents and settings\Terry\Application Data\ArcSoft
    2010-05-22 11:11 . 2008-08-04 17:04 d-----w- c:\documents and settings\Terry\Application Data\Canon
    2010-05-21 07:14 . 2010-05-21 07:13 d-----w- c:\documents and settings\Terry\Application Data\ProcessLasso
    2010-05-15 17:26 . 2008-08-04 15:15 d--h--w- c:\program files\InstallShield Installation Information
    2010-05-15 17:25 . 2010-05-15 17:09 d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft
    2010-05-15 17:24 . 2010-05-15 17:08 d-----w- c:\program files\Common Files\ArcSoft
    2010-05-13 09:47 . 2010-05-13 09:47 4254224 ----a-w- c:\windows\system32\qtp-mt334.dll
    2010-05-13 09:46 . 2009-04-29 21:56 40560 ----a-w- c:\windows\system32\drivers\hotcore3.sys
    2010-05-09 17:57 . 2008-12-25 11:41 d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2010-05-06 20:59 . 2008-08-04 22:01 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-05-06 20:39 . 2008-08-04 22:01 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-05-06 20:39 . 2008-08-04 22:01 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-05-06 20:34 . 2008-08-04 22:01 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-05-06 20:33 . 2008-08-04 22:01 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-05-06 20:33 . 2008-08-04 22:01 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-05-06 20:33 . 2008-08-04 22:01 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-05-06 20:33 . 2008-08-04 22:01 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-05-06 10:41 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-05 13:04 . 2010-04-24 22:33 dc-h--w- c:\documents and settings\All Users\Application Data\~0
    2010-05-02 22:48 . 2008-08-05 15:59 d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-05-02 22:48 . 2008-12-14 20:17 d-----w- c:\documents and settings\Terry\Application Data\Azureus
    2010-05-02 22:48 . 2008-08-05 16:09 d-----w- c:\documents and settings\Terry\Application Data\Media Player Classic
    2010-05-02 18:07 . 2010-05-02 18:07 d-----w- c:\program files\Trend Micro
    2010-05-02 12:08 . 2010-01-10 00:04 52224 ----a-w- c:\documents and settings\Terry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-05-02 12:08 . 2010-01-10 00:03 117760 ----a-w- c:\documents and settings\Terry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-05-02 05:22 . 2004-08-04 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-29 14:39 . 2008-12-30 12:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 14:39 . 2008-12-30 12:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-20 05:30 . 2004-08-04 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-15 21:42 . 2010-04-15 21:42 65536 ----a-r- c:\documents and settings\Terry\Application Data\Microsoft\Installer\{4D8314D2-11FE-4397-A7CC-7015CFF50BCE}\PalmDesktopShortcut.exe
    2010-04-15 21:42 . 2010-04-15 21:42 65536 ----a-r- c:\documents and settings\Terry\Application Data\Microsoft\Installer\{4D8314D2-11FE-4397-A7CC-7015CFF50BCE}\ARPPRODUCTICON.exe
    2010-04-14 13:39 . 2010-04-14 13:38 43488992 ----a-w- c:\documents and settings\All Users\Application Data\Systweak\Advanced System Protector\Antispyware_Setup_4_14_2010.exe
    2010-04-02 13:10 . 2009-10-29 17:12 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2006-05-03 09:06 . 2008-11-20 09:47 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47 . 2008-11-20 09:47 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30 . 2008-11-20 09:47 216064 --sh--r- c:\windows\system32\nbDX.dll
    .
  • rizla01
    rizla01 Posts: 7,260 Forumite
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartMenu7"="f:\start menu 7\StartMenu7.exe" [2010-04-19 2919288]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
    "@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2010-04-20 6678008]
    c:\documents and settings\Terry\Start Menu\Programs\Startup\
    Stardock ObjectDock.lnk - g:\program files\Stardock\ObjectDock\ObjectDock.exe [2008-11-24 3450608]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "DisallowRun"= 1 (0x1)
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
    "1"= firefox.exe
    "2"= opera.exe
    "3"= chrome.exe
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{1214FBE7-4464-4A7E-9958-B5851A7A30A3}"= "d:\program files\RecentX\RecentX\RXShell.dll" [2008-06-12 77824]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "g:\superantispyware\SASSEH.DLL" [2008-05-13 77824]
    "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-04-20 925688]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2010-05-02 11:53 548352 ----a-w- g:\superantispyware\SASWINLO.DLL
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Calendar Magic.lnk]
    backup=c:\windows\pss\Calendar Magic.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^Terry^Start Menu^Programs^Startup^Alienware Dock.lnk]
    backup=c:\windows\pss\Alienware Dock.lnkStartup
    [HKLM\~\startupfolder\C:^Documents and Settings^Terry^Start Menu^Programs^Startup^Lutloader.lnk]
    backup=c:\windows\pss\Lutloader.lnkStartup
    [HKLM\~\startupfolder\C:^Documents and Settings^Terry^Start Menu^Programs^Startup^RecentX.lnk]
    backup=c:\windows\pss\RecentX.lnkStartup
    [HKLM\~\startupfolder\C:^Documents and Settings^Terry^Start Menu^Programs^Startup^Secunia PSI.lnk]
    backup=c:\windows\pss\Secunia PSI.lnkStartup
    [HKLM\~\startupfolder\C:^Documents and Settings^Terry^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
    backup=c:\windows\pss\Stardock ObjectDock.lnkStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aliim
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSUNMain
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUtilities Quick Launcher
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
    2010-03-29 13:54 2343120 ----a-w- g:\advanced systemcare 3\AWC.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioHQ]
    2000-05-11 00:00 205312 ----a-w- c:\program files\Creative\SBLive\AudioHQ\ahqtb.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2006-11-16 19:04 139264 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\captrue.exe]
    2008-09-05 16:55 673280 ------w- j:\captrue\captrue.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Chameleon System Monitor]
    2009-10-18 11:31 1590784 ----a-w- c:\program files\Common Files\Chameleon Manager\monitor.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Everything]
    2008-09-29 01:54 459776 ----a-w- g:\program files\Everything\Everything.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2006-07-21 17:48 98304 ----a-w- c:\windows\system32\igfxtray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntegryDESK]
    2005-03-22 12:45 618496 ----a-w- i:\integrydesk\IntegryDESK.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2006-01-12 15:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pb_scheduler_agent]
    2007-04-19 10:37 44544 ----a-w- g:\premium booster\scheduler.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProcessGovernor]
    2010-05-19 00:49 252944 ----a-w- f:\process lasso\ProcessGovernor.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProcessLassoManagementConsole]
    2010-05-19 00:49 414736 ----a-w- f:\process lasso\ProcessLasso.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-05-26 16:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
    2010-02-05 22:07 160592 ----a-w- d:\roboform\robotaskbaricon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2006-03-20 15:00 282624 ----a-w- c:\windows\stsystra.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-01-26 15:31 2144088 --sha-r- i:\spybot - search & destroy\Spybot - Search & Destroy\TeaTimer.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-06-23 21:06 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2010-06-15 11:31 2403568 ----a-w- g:\superantispyware\SUPERANTISPYWARE.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2008-08-22 11:21 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ThreatFire]
    2008-11-17 13:04 263456 ----a-w- g:\threatfire\TFTray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-04-15 22:45 151597 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ThreatFire"=2 (0x2)
    "ioloSystemService"=2 (0x2)
    "ioloFileInfoList"=2 (0x2)
    "NBService"=3 (0x3)
    "WMPNetworkSvc"=3 (0x3)
    "WLSetupSvc"=3 (0x3)
    "usnjsvc"=3 (0x3)
    "gusvc"=3 (0x3)
    "Lavasoft Ad-Aware Service"=2 (0x2)
    "cmdAgent"=2 (0x2)
    "TeamViewer4"=2 (0x2)
    "idsvc"=3 (0x3)
    "NetBurnerService"=3 (0x3)
    "IAANTMON"=2 (0x2)
    "AntiVirSchedulerService"=2 (0x2)
    "SvcOnlineArmor"=2 (0x2)
    "RapportMgmtService"=2 (0x2)
    "OAcat"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "ACDaemon"=2 (0x2)
    "a2free"=2 (0x2)
    "a2AntiMalware"=3 (0x3)
    "NanoServiceMain"=2 (0x2)
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "HotKeysCmds"=c:\windows\system32\hkcmd.exe
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [29/04/2009 22:56 40560]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [24/04/2010 23:52 64288]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [14/06/2010 17:48 28552]
    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [25/12/2008 12:41 51488]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [25/12/2008 12:41 39200]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [04/08/2008 23:01 164048]
    R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [05/08/2008 10:47 133064]
    R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [05/08/2008 10:47 25160]
    R1 NetBurn;Paragon NetBurning Driver;c:\windows\system32\drivers\NetBurn.sys [13/12/2008 14:48 84488]
    R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [16/06/2010 22:04 228216]
    R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [16/06/2010 22:04 24440]
    R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [16/06/2010 22:04 29560]
    R1 SASDIFSV;SASDIFSV;g:\superantispyware\SASDIFSV.SYS [28/07/2009 10:53 12872]
    R1 SASKUTIL;SASKUTIL;g:\superantispyware\SASKUTIL.SYS [28/07/2009 10:53 67656]
    R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [05/08/2008 09:42 95592]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [04/08/2008 23:01 19024]
    R2 dvdmmg;dvdmmg;c:\windows\system32\drivers\dvdmmg.sys [06/09/2007 11:15 5504]
    R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [16/06/2010 22:04 1284600]
    R2 VDDriver;Virtual Disk Driver;d:\virtual disk\VDDriver.sys [22/05/2009 13:39 40952]
    R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [15/05/2010 18:24 36224]
    R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [14/05/2009 12:05 16640]
    S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [05/08/2008 09:42 721904]
    S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [08/06/2010 19:01 0]
    S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [08/06/2010 19:01 0]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 16:52 1352832]
    S2 SCRCAMHRDRV;ScreenCamera HR;c:\windows\system32\drivers\SCRCAMHRDRV.sys [09/12/2009 10:48 234304]
    S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [16/06/2010 22:04 3364856]
    S3 BCASPROT;Advanced System Protector;c:\program files\Systweak\Advanced System Protector\sasprot32.sys [04/05/2009 17:42 6656]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [24/03/2009 12:03 7808]
    S3 SASENUM;SASENUM;g:\superantispyware\SASENUM.SYS [28/07/2009 10:53 12872]
    S3 se_filter;System Explorer Filter Driver;c:\windows\system32\drivers\SE_Filter.sys [02/01/2009 12:18 9216]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [25/12/2008 12:41 33056]
    S4 a2AntiMalware;a-squared Anti-Malware Service;e:\asquared\a-squared Anti-Malware\a2service.exe [02/08/2008 18:36 1916080]
    S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [15/05/2010 18:24 134912]
    S4 NetBurnerService;Net Burner iSCSI Service;g:\drive back-up\Net Burner Service\NetBurnerService.exe [13/12/2008 14:48 222984]
    S4 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/03/2010 14:47 779496]
    S4 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [27/05/2009 13:38 185640]
    S4 ThreatFire;ThreatFire;g:\threatfire\TFService.exe service --> g:\threatfire\TFService.exe service [?]
  • rizla01
    rizla01 Posts: 7,260 Forumite
    --- Other Services/Drivers In Memory ---
    *Deregistered* - ArcRec
    *Deregistered* - PSINAflt
    *Deregistered* - PSINKNC
    *Deregistered* - PSINProt
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Contents of the 'Scheduled Tasks' folder
    2010-06-18 c:\windows\Tasks\1-Click Maintenance.job
    - g:\tune up utilities\SystemOptimizer.exe [2007-08-02 19:35]
    2010-06-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 14:54]
    2010-06-21 c:\windows\Tasks\GlaryInitialize.job
    - g:\glary utilities\initialize.exe [2009-01-12 12:09]
    2010-06-21 c:\windows\Tasks\User_Feed_Synchronization-{8ED07C76-0A78-4661-870E-CF91F4A2F154}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
    2009-03-27 c:\windows\Tasks\Wise Registry Cleaner 4.job
    - g:\wise registry cleaner\WiseRegistryCleaner.exe [2009-03-27 21:27]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://by150w.bay150.mail.live.com/default.aspx?&n=1721578409
    mStart Page = about:blank
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    IE: Customize Menu - [URL]file://d:\roboform\RoboFormComCustomizeIEMenu.html[/URL]
    IE: Fill Forms - [URL]file://d:\roboform\RoboFormComFillForms.html[/URL]
    IE: Password Generator - [URL]file://d:\roboform\RoboFormComPasswordGenerator.html[/URL]
    IE: RoboForm Toolbar - [URL]file://d:\roboform\RoboFormComShowToolbar.html[/URL]
    IE: Save Forms - [URL]file://d:\roboform\RoboFormComSavePass.html[/URL]
    IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    IE: Zoom &in - c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomin.htm
    IE: Zoom &out - c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.htm
    Trusted Zone: google.com\maps
    DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} - hxxps://internetbankingplus2.firstdirect.com/ibplus/frontdoorFD.cab
    FF - ProfilePath - c:\documents and settings\Terry\Application Data\Mozilla\Firefox\Profiles\hcc9h5r6.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://by118w.bay118.mail.live.com/default.aspx?n=1721578409&wa=wsignin1.0|http://uk.mc366.mail.yahoo.com/mc/welcome?.rand=1cja0cethg47r#_pg=showFolder&fid=Inbox&order=down&tt=13&pSize=200&.rand=84063249&hash=df4ea4eb438cc73b84386c2cb6607aca&.jsrand=9626687|http://www.hotukdeals.com/all/deals/new|http://www.giveawayoftheday.com/|http://my.ebay.co.uk/ws/eBayISAPI.dll?MyEbayBeta&CurrentPage=MyeBayNextSelling&ssPageName=STRK:ME:LNLK:MESEX|http://groups.yahoo.com/group/WoSFreegle/pending
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
    FF - component: d:\roboform\Firefox\components\rfproxy_27.dll
    FF - component: d:\roboform\Firefox\components\rfproxy_31.dll
    FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
    FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
    FF - plugin: c:\program files\Opera\program\plugins\nprjplug.dll
    FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
    FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
    FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
    FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npdjvu.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    ---- FIREFOX POLICIES ----
    FF - user.js: browser.cache.memory.capacity - 65536
    FF - user.js: browser.chrome.favicons - false
    FF - user.js: browser.display.show_image_placeholders - true
    FF - user.js: browser.turbo.enabled - true
    FF - user.js: browser.urlbar.autocomplete.enabled - true
    FF - user.js: browser.urlbar.autofill - true
    FF - user.js: content.interrupt.parsing - true
    FF - user.js: content.max.tokenizing.time - 2250000
    FF - user.js: content.notify.backoffcount - 5
    FF - user.js: content.notify.interval - 750000
    FF - user.js: content.notify.ontimer - true
    FF - user.js: content.switch.threshold - 750000
    FF - user.js: network.http.max-connections - 48
    FF - user.js: network.http.max-connections-per-server - 16
    FF - user.js: network.http.max-persistent-connections-per-proxy - 16
    FF - user.js: network.http.max-persistent-connections-per-server - 8
    FF - user.js: network.http.pipelining - true
    FF - user.js: network.http.pipelining.firstrequest - true
    FF - user.js: network.http.pipelining.maxrequests - 8
    FF - user.js: network.http.proxy.pipelining - true
    FF - user.js: network.http.request.max-start-delay - 0
    FF - user.js: nglayout.initialpaint.delay - 0
    FF - user.js: plugin.expose_full_path - true
    FF - user.js: ui.submenuDelay - 0
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -
    MSConfigStartUp-AnVir Task Manager - g:\anvir task manager\AnVir.exe
    MSConfigStartUp-cfp - (no file)
    MSConfigStartUp-fkuoehys - c:\documents and settings\Terry\Local Settings\Application Data\xruvrvvaj\muanshntssd.exe
    MSConfigStartUp-lxbumon - (no file)

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-21 19:02
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    [HKEY_USERS\S-1-5-21-746137067-606747145-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
    @Denied: (Full) (LocalSystem)
    [HKEY_USERS\S-1-5-21-746137067-606747145-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{63B97F04-9032-2D21-7BE0-EA7F7AE7EE4B}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "nanhidfkkcpkpahaeliapjmohhon"=hex:6a,61,65,67,68,69,66,68,66,65,6b,6d,6d,63,
    68,6f,65,68,6b,70,00,0c
    "madhoahnjofkbbmejiepajomch"=hex:6a,61,65,67,68,69,66,68,66,65,6b,6d,6d,63,68,
    6f,65,68,6b,70,00,56
    "abbaoepgoddjdfkamchgkahkhkddfmehpc"=hex:61,62,6b,68,62,64,67,68,65,6c,67,67,
    64,67,6c,6a,64,62,6a,64,63,6d,70,67,70,6a,70,6e,61,6e,6a,63,62,66,00,77
    "maoppejgogbliogaieoebfhdhf"=hex:64,62,64,68,6d,66,65,66,6b,65,6e,68,6a,68,6a,
    63,64,63,66,69,61,62,70,63,61,68,6c,70,6a,61,6d,68,62,65,69,6a,69,64,6c,6b,\
    [HKEY_USERS\S-1-5-21-746137067-606747145-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8AA92D77-C3A3-884A-7EA8-1CD3D0BBD18D}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    [HKEY_LOCAL_MACHINE\software\Microsoft\EncryptionInterface*]
    "l_encryption_d"="585A4A574A5F"
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'winlogon.exe'(664)
    g:\superantispyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-06-21 19:05:24
    ComboFix-quarantined-files.txt 2010-06-21 18:05
    ComboFix2.txt 2009-07-29 09:48
    Pre-Run: 11,821,461,504 bytes free
    Post-Run: 11,808,387,072 bytes free
    - - End Of File - - 5CD44F202F0A07B95BD69CE382EF288B
    "Unhappiness is not knowing what we want, and killing ourselves to get it."
    Post Count: 4,111 Thanked 3,111 Times in 1,111 Posts (Actual figures as they once were)
    Women and cats will do as they please, and men and dogs should relax and get used to the idea.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Uninstall ADAWARE. It's next to useless

    TICK and FIX these in hijack ~
    O4 - S-1-5-18 Startup: Lutloader.lnk = I:\Lutcurve\lutloader.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Lutloader.lnk = I:\Lutcurve\lutloader.exe (User 'Default user')
    O4 - Startup: Lutloader.lnk = I:\Lutcurve\lutloader.exe
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolb...lerControl.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -

    I'd recommend uninstalling TUNEUP UTILITIES

    Download CCLEANER
    http://www.piriform.com/ccleaner/download/slim
    Run the CLEANER scan (UNTICK 'cookies')
    Then run the REGISTRY scan (Backup the registry when it asks)
This discussion has been closed.