5 Star Support - Free Computer Help Forums

5 Star Support - Free Computer Help Forums

5 Star Support Home

Welcome Guest ( Log In | Register )

5 Star Support Forums > Computer Security > Inactive and Resolved HJT Log Room

Trojan Horse warning

333nnn View Member Profile	Mar 8 2009, 11:00 PM Post #1
Junior Member Group: Members Posts: 60 Joined: 9-March 08 Member No.: 7,491	40G HD: Western Digital WD400, enhanced ide 320G HD: Western Digital Caviar SE, ide Motherboard: Elite Group ECS, P4M900T-M2, Socket 775, supports 4G RAM, integrated graphics and video recorder, accommodates two DDR2 unbuffered DIMMS Intel Celeron Dual Core E1200, 1.6Ghz, 512k, 800MB, OEM, Advanced Performance Series Allendale Socket 775 Crucial 1024MB PC4200 DDR2 533MHz Avast Scanner, Comodo firewall, Spybot Search and Destroy, Ad-Aware, CCleaner About five days ago I got a Trojan Horse warning from my Avast scanner. I had my 320G hd installed at that time. I did nothing about the TJ warning and kept using my computer including on the Internet. Yesterday I was not able to connect to the Internet, so I called my isp. After trying several things the tech guy told me it was a problem with my hd. I had the 320G drive installed at that time. So I replaced my hd with an old 40G one, and with the help of the tech at my isp I was able to connect to the Internet with the 40G drive. The tech guy said my computer was not recognizing my moden when the 320G hd was installed. So I have the 40G drive installed right now, and the 320G is not in my computer. I can only access the Internet with the current 40G drive. So in order to run diagnostic software on the 320G drive and post the results do I need to install the 320G drive as the slave and the 40G drive as the master? If the 320G hd is infected when I install it could it infect the 40G hd? When I received the Avast Trojan Horse warning: "Avast Warning, A Trojan Horse was found, Filename: C: malware name:Win32:crypt-IN [Trj], Malware type:TJ/ UPS Version:081010-6, 10/10/2008" it recommended that I choose "Move To Chest", but when I clicked on that I got another message saying: "Avast!: The process can't access the file because it's being used by another process. Cannot process "C:\Program Files\COMODO\Firewall\SCANNERS\heur.cav" file. Later when restarting my computer Avast did an automatic scan and came up with these two infected files: 1)File C;\ProgramFiles\COMODO\Firewall\Repair\heur.cav is infected by Win32:Crypt-IN [Trj] 2)File C:\ProgramFiles\COMODO\Firewall\Scanners\heur.cav is infected by Win32:Crypt-IN [Trj] The Avast automatic scan gave me several options for what to do with these infected files, and I chose to move them to chest which I believe Avast did this time. I am posting the problem here because I know I need to run an HJT scan first but don't know if I should install the 320G hd as the slave in order to do that. Thanks for any replies. My o/s is XP Home SP3. Reason for edit: added information

2 Pages

1 2 >

Start new topic

Replies (1 - 19)

Bio-Hazard View Member Profile	Mar 9 2009, 02:32 PM Post #2
Global Moderator/Security Expert Group: Global Moderator Posts: 85 Joined: 1-February 09 From: Cornwall, UK Member No.: 10,142	Hello! It looks like Avast has detected part of Comodo as an infection which is false positive. So this could explain why you wasnt able to access internet. Can you tell me what did you do with the ISPs tech guy? So i wont try same things. Did you uninstalled Comodo from that 320 harddrive when you were trying to solve your problem? Dont change the harddrive yet. If you want we can check this hardrives HijackThis log. Download HijackThis To get things going i need you to download HijackThis see the instructions below. Click HERE to download HijackThis Installer Save HijackThis Installer to your desktop. Doubleclick on the HijackThis Installer icon on your desktop. By default it will install to C:\Program Files\Trend Micro\HijackThis . Click on Install. It will create a HijackThis icon on the desktop. Once installed it will launch Hijackthis. Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad. Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log. Come back here to this thread and Paste the log in your next reply. DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted. DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required. -------------------- Honors Graduate of Malware Removal University

333nnn View Member Profile	Mar 9 2009, 05:15 PM Post #3
Junior Member Group: Members Posts: 60 Joined: 9-March 08 Member No.: 7,491	I included both the uninstall list and hijackthis list because both are usually asked for. I have had both avast and comodo working on the 320G hd for many months and never had a problem until five days ago. I did not uninstall either comodo or avast from the 320G drive. I did deactivate both at some point to see if they were interfering with my ability to connect to the Internet. I don't remember exactly what I did with the ISP tech person, but we went into run and typed in three letters for some reason I don't remember and opened IE and typed a series of numbers and I believe a series of letters which got us to a black screen. He wanted to get to the black screen to see if there were any numbers listed under "Gateway......" which there weren't and to see if a series of numbers listed above Gateway were correct. From the black screen he also had me type "inconfig" or something like that. By doing this he was either trying to see if my computer was recognizing the isp moden or to get to the main Gateway page to reset the modem. Anyway, I'm vague on exactly what the isp was trying to do at any point or the exact steps. Because we couldn't get my computer to reset the modem with the 320G drive but could with the 40G drive we concluded that the 320G drive was the problem. My modem is a 2Wire model 1070-B made by Gateway. Adobe Flash Player 10 Plugin Ask Toolbar avast! Antivirus COMODO Internet Security COMODO SafeSurf HijackThis 2.0.2 Hotfix for Windows XP (KB952287) Mozilla Firefox (3.0.7) MSN Security Update for Windows Media Player (KB952069) Security Update for Windows XP (KB923789) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958215) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB960714) Security Update for Windows XP (KB960715) Update for Windows XP (KB898461) Update for Windows XP (KB951978) Update for Windows XP (KB955839) Update for Windows XP (KB967715) VIA Display Driver 6.14.10.0099 VIA Platform Device Manager VIA Rhine-Family Fast-Ethernet Adapter Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:56:24 AM, on 3/9/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\COMODO\SafeSurf\cssurf.exe C:\Program Files\COMODO\COMODO Internet Security\cfp.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\system32\S3trayp.exe C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wpabaln.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comodo.com/search/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q= R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q= R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirec...p;gc=1&q=%s R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- End of file - 3648 bytes

Bio-Hazard View Member Profile	Mar 9 2009, 07:12 PM Post #4
Global Moderator/Security Expert Group: Global Moderator Posts: 85 Joined: 1-February 09 From: Cornwall, UK Member No.: 10,142	Hello! I will do bit more research about your modem and your situation. ATF-Cleaner Please download ATF Cleaner by Atribune. Save it to your desktop Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords please click No at the prompt. Click Exit on the Main menu to close the program. Eset online scannner Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu. Go here to run an online scannner from ESET. Note: You will need to use Internet explorer for this scan Tick the box next to YES, I accept the Terms of Use. Click Start When asked, allow the activex control to install Click Start Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked Click Scan Wait for the scan to finish Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt Copy and paste that log as a reply to this topic Ask toolbar I would remove this toolbar. You can read more about it HERE. Click Start Go to Control Panel Go to Add/Remove Programs Find and click Remove for the following (if present): ASk toolbar NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program. If you removed the Ask Toolbar then follow these instructions Remove HijackThis entries Run HijackThis Click on the Scan button Put a check beside all of the items listed below (if present): R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q= R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q= R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirec...p;gc=1&q=%s R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll Close all open windows and browsers/email etc... Click on the Fix Checked button When completed close the application. Delete folders Using Windows Explore by right-clicking the start button and left clicking Explore navigate to and find the following folders: if found, delete them (some may not be present after previous steps): Folders: C:\Program Files\AskBarDis C:\Program Files\AskSearch Logs/Information to Post in Next Reply Please post the following logs/Information in your reply: ESET Log A fresh HijackThis Log ( after all the above has been done) A description of how your computer is behaving -------------------- Honors Graduate of Malware Removal University

333nnn View Member Profile	Mar 9 2009, 07:55 PM Post #5
Junior Member Group: Members Posts: 60 Joined: 9-March 08 Member No.: 7,491	Do I download and run ESET NOD 32 Antivirus 4, and do I choose 64 bit or 32 bit? I don't know if my computer is 64 or 32 bit.

Bio-Hazard View Member Profile	Mar 9 2009, 08:06 PM Post #6
Global Moderator/Security Expert Group: Global Moderator Posts: 85 Joined: 1-February 09 From: Cornwall, UK Member No.: 10,142	QUOTE (333nnn @ Mar 9 2009, 07:55 PM) Do I download and run ESET NOD 32 Antivirus 4, and do I choose 64 bit or 32 bit? I don't know if my computer is 64 or 32 bit. NO, the link i gave you takes you to a online scanner. You have to use Internet Explorer to do this scan. It happens through the webpage. Just follow my instructions. -------------------- Honors Graduate of Malware Removal University

333nnn View Member Profile	Mar 9 2009, 09:01 PM Post #7
Junior Member Group: Members Posts: 60 Joined: 9-March 08 Member No.: 7,491	I clicked on your link for the Eset scanner and checked the agreement box and clicked start. On the next page I got a message saying: "To help protect your security IE stopped this site from installing an ActiveX control on your computer". So I went to cp>network and internet connections>internet options>custom level and clicked enable for "download unsigned Active x controls". Then I went to the first Eset screen and after clicking the agreement box and start got a message on the second screen saying: "Your current security setting put your computer at risk. Click here to change your security setting" and the box below was still blank. I'm using IE8.

Bio-Hazard View Member Profile	Mar 9 2009, 09:11 PM Post #8
Global Moderator/Security Expert Group: Global Moderator Posts: 85 Joined: 1-February 09 From: Cornwall, UK Member No.: 10,142	Hello! Lets try another online scanner. Your HijackThis log says you have IE 6 installed when did you installed IE8? F-Secure Online Scan Note: You will need to use Internet explorer for this scan Go here to run an online scan from F-Secure Click on Start scanning This will open a new internet explorer window It will require an activex control please install it Click Accept Click Full System Scan It will now download the scanner this may take a while please be patient It will then start scanning wait for the scan to finish Click Automatic cleaning (recommended) Wait for it finish the cleaning process Click show report This will open up a window with the results of the scan copy and paste those results as a reply to this topic -------------------- Honors Graduate of Malware Removal University

333nnn View Member Profile	Mar 9 2009, 09:40 PM Post #9
Junior Member Group: Members Posts: 60 Joined: 9-March 08 Member No.: 7,491	I downloaded IE8 after having trouble running Eset today. Scanning Report Monday, March 09, 2009 15:24:40 - 15:36:50 Computer name: JOHN Scanning type: Scan system for malware, rootkits Target: C:\ Result: 5 malware found TrackingCookie.2o7 (spyware) * System TrackingCookie.Adrevolver (spyware) * System TrackingCookie.Atdmt (spyware) * System TrackingCookie.Webtrends (spyware) * System TrackingCookie.Yieldmanager (spyware) * System Statistics Scanned: * Files: 8715 * System: 2188 * Not scanned: 6 Actions: * Disinfected: 0 * Renamed: 0 * Deleted: 0 * None: 5 * Submitted: 0 Files not scanned: * C:\PAGEFILE.SYS * C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT * C:\WINDOWS\SYSTEM32\CONFIG\SAM * C:\WINDOWS\SYSTEM32\CONFIG\SECURITY * C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE * C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Options Scanning engines: * F-Secure USS: 3.0.0 * F-Secure Hydra: 3.6.8511, 2009-03-09 * F-Secure AVP: 7.0.171, 2009-03-09 * F-Secure Pegasus: 1.20.0, 1969-11-31 * F-Secure Blacklight: 0.0.0 Scanning options: * Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR * Use Advanced heuristics Copyright © 1998-2007 Product support \|Send virus sample to F-Secure F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

333nnn View Member Profile	Mar 9 2009, 10:00 PM Post #10
Junior Member Group: Members Posts: 60 Joined: 9-March 08 Member No.: 7,491	Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin avast! Antivirus COMODO Internet Security COMODO SafeSurf HijackThis 2.0.2 Hotfix for Windows XP (KB952287) Mozilla Firefox (3.0.7) MSN Security Update for Windows Media Player (KB952069) Security Update for Windows XP (KB923789) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958215) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB960714) Security Update for Windows XP (KB960715) Update for Windows XP (KB898461) Update for Windows XP (KB951978) Update for Windows XP (KB955839) Update for Windows XP (KB967715) VIA Display Driver 6.14.10.0099 VIA Platform Device Manager VIA Rhine-Family Fast-Ethernet Adapter Windows Internet Explorer 8 Release Candidate 1 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:58:54 PM, on 3/9/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18372) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\COMODO\SafeSurf\cssurf.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\COMODO\COMODO Internet Security\cfp.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\system32\S3trayp.exe C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wpabaln.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comodo.com/search/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q= R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirec...p;gc=1&q=%s O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- End of file - 3968 bytes

Bio-Hazard View Member Profile	Mar 10 2009, 10:08 PM Post #11
Global Moderator/Security Expert Group: Global Moderator Posts: 85 Joined: 1-February 09 From: Cornwall, UK Member No.: 10,142	Remove HijackThis entries Run HijackThis Click on the Scan button Put a check beside all of the items listed below (if present): R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q= R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirec...p;gc=1&q=%s Close all open windows and browsers/email etc... Click on the Fix Checked button When completed close the application. ====================================================== I would like to see if i can help you to sort out your other harddrive. Please take the 40 GB harddrive off and put the 320 harddrive on. Remove programs Click Start Go to Control Panel Go to Add/Remove Programs Find and click Remove for the following (if present): COMODO Internet Security COMODO SafeSurf REBOOT your computer!!! Make sure that you have Windows firewall turned on Click Start Click Control Panel Double click on Windows firewall New window will open Make sure ON (recommended) is selected If it is not press choose it and click OK Does your internet work now? -------------------- Honors Graduate of Malware Removal University

333nnn View Member Profile	Mar 10 2009, 11:23 PM Post #12
Junior Member Group: Members Posts: 60 Joined: 9-March 08 Member No.: 7,491	My Internet connection works now with both the 40G and 320G hds. I removed Comodo Safesurf and Comodo Firewall Pro. There was no Comodo Internet Security listed. Did Comodo block my access to the Internet and if so why? Did Avast interfere with Comodo in some way? What firewall do you recommend be used with Avast if I shouldn't use Comodo with Avast? Should I now run scans on the 320G drive especially since I got a TJ warning from Avast or was that a false warning? Running scans is easy, so wouldn't doing so be a good idea regardless of what we think the problem is?

Bio-Hazard View Member Profile	Mar 11 2009, 10:38 PM Post #13
Global Moderator/Security Expert Group: Global Moderator Posts: 85 Joined: 1-February 09 From: Cornwall, UK Member No.: 10,142	QUOTE Did Comodo block my access to the Internet and if so why? I think it did because avast! intefered with it. I assume Comodo became corrupt and that lead to no internet connection. QUOTE Did Avast interfere with Comodo in some way? Yes those files it said was trojan belonged to Comodo, so they were false positive. these are the files: 1)File C;\ProgramFiles\COMODO\Firewall\Repair\heur.cav is infected by Win32:Crypt-IN [Trj] 2)File C:\ProgramFiles\COMODO\Firewall\Scanners\heur.cav is infected by Win32:Crypt-IN [Trj] QUOTE What firewall do you recommend be used with Avast if I shouldn't use Comodo with Avast? If you are happy with Comodo then there is no need to change. You can install it now, make sure you dont install the antivirus module and Ask toolbar. QUOTE Should I now run scans on the 320G drive especially since I got a TJ warning from Avast or was that a false warning? Running scans is easy, so wouldn't doing so be a good idea regardless of what we think the problem is? Yes we will check this harddrive out aswell. Download HijackThis To get things going i need you to download HijackThis see the instructions below. Click HERE to download HijackThis Installer Save HijackThis Installer to your desktop. Doubleclick on the HijackThis Installer icon on your desktop. By default it will install to C:\Program Files\Trend Micro\HijackThis . Click on Install. It will create a HijackThis icon on the desktop. Once installed it will launch Hijackthis. Close the program DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted. DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required. random's system information tool (RSIT) Download random's system information tool (RSIT) by random/random from HERE and save it to your desktop. Double click on RSIT.exe to run RSIT. Click Continue at the disclaimer screen. Once it has finished, two logs will open: log.txt (<<will be maximized) info.txt (<<will be minimized) Post both of these logs in your next reply (Sometimes you have to make several post to get the logs posted.) -------------------- Honors Graduate of Malware Removal University

333nnn View Member Profile	Mar 12 2009, 10:13 PM Post #14
Junior Member Group: Members Posts: 60 Joined: 9-March 08 Member No.: 7,491	Logfile of random's system information tool 1.05 (written by random/random) Run by John Austin Brewder at 2009-03-12 16:09:38 Microsoft Windows XP Home Edition Service Pack 3 System drive C: has 270 GB (89%) free of 305 GB Total RAM: 958 MB (19% free) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:09:39 PM, on 3/12/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16791) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\LimeWire\LimeWire.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\notepad.exe C:\Documents and Settings\John Austin Brewder\Desktop\RSIT.exe C:\Program Files\Trend Micro\HijackThis\John Austin Brewder.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing) O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll O20 - AppInit_DLLs: O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- End of file - 7983 bytes ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}] Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}] RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2009-02-24 312928] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}] BitComet Helper - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll [2008-08-11 656696] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}] Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-09-15 1562960] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}] Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2008-10-08 2403392] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}] Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2009-01-16 657904] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}] Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-01-17 35840] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}] JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-01-17 73728] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2008-10-08 2403392] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "PrinTray"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe [2000-05-09 36864] "NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-15 153136] "avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-07-19 78008] "COMODO Firewall Pro"=C:\Program Files\COMODO\Firewall\cfp.exe -h [] "QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696] "iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576] "HDAudDeck"=C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe [2007-06-29 811008] "TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-02-24 198160] "SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-01-17 148888] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-10-08 68856] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-05-07 149040] "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360] "MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232] "SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-01-26 2144088] C:\Documents and Settings\All Users\Start Menu\Programs\Startup Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE C:\Documents and Settings\John Austin Brewder\Start Menu\Programs\Startup LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLS"=" " [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"=145 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "HonorAutoRunSetting"= [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\Program Files\BitComet\BitComet.exe"="C:\Program Files\BitComet\BitComet.exe::Enabled:BitComet - a BitTorrent Client" "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe::Enabled:iTunes" "C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe::Enabled:LimeWire" "C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe::Enabled:Firefox" "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"="C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe::Enabled:Veoh Web Player " [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" ======List of files/folders created in the last 3 months====== 2009-03-12 16:09:38 ----D---- C:\rsit 2009-03-11 03:00:35 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$ 2009-03-11 03:00:26 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$ 2009-02-26 11:16:55 ----A---- C:\WINDOWS\system32\javaws.exe 2009-02-26 11:16:55 ----A---- C:\WINDOWS\system32\javaw.exe 2009-02-26 11:16:55 ----A---- C:\WINDOWS\system32\java.exe 2009-02-25 04:00:27 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$ 2009-02-24 20:10:46 ----D---- C:\Program Files\Common Files\xing shared 2009-02-24 20:10:39 ----A---- C:\WINDOWS\system32\rmoc3260.dll 2009-02-24 20:10:30 ----D---- C:\Program Files\Real 2009-02-24 20:10:30 ----A---- C:\WINDOWS\system32\pndx5032.dll 2009-02-24 20:10:30 ----A---- C:\WINDOWS\system32\pndx5016.dll 2009-02-24 20:10:29 ----A---- C:\WINDOWS\system32\pncrt.dll 2009-02-24 20:10:27 ----D---- C:\Program Files\Common Files\Real 2009-02-24 20:10:24 ----D---- C:\Documents and Settings\John Austin Brewder\Application Data\Real 2009-02-12 04:01:08 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$ 2009-02-12 04:01:00 ----A---- C:\WINDOWS\imsins.BAK 2009-01-16 19:25:05 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater 2009-01-14 04:02:31 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$ ======List of files/folders modified in the last 3 months====== 2009-03-12 16:08:20 ----D---- C:\WINDOWS\Prefetch 2009-03-12 12:25:31 ----D---- C:\Program Files\Mozilla Firefox 2009-03-12 12:13:15 ----D---- C:\WINDOWS\Temp 2009-03-12 12:12:52 ----D---- C:\WINDOWS\system32 2009-03-12 12:12:47 ----D---- C:\Documents and Settings\John Austin Brewder\Application Data\LimeWire 2009-03-12 05:49:41 ----A---- C:\WINDOWS\SchedLgU.Txt 2009-03-11 03:07:11 ----D---- C:\WINDOWS 2009-03-11 03:06:00 ----D---- C:\WINDOWS\system32\CatRoot2 2009-03-11 03:00:38 ----HD---- C:\WINDOWS\inf 2009-03-11 03:00:37 ----RSHDC---- C:\WINDOWS\system32\dllcache 2009-03-10 22:09:00 ----D---- C:\WINDOWS\system32\CatRoot 2009-03-10 22:07:05 ----HD---- C:\WINDOWS\$hf_mig$ 2009-03-10 17:13:16 ----D---- C:\Program Files\COMODO 2009-03-10 17:13:16 ----D---- C:\Documents and Settings\John Austin Brewder\Application Data\Comodo 2009-03-10 17:11:48 ----D---- C:\Documents and Settings\All Users\Application Data\comodo 2009-03-10 17:11:47 ----D---- C:\WINDOWS\system32\drivers 2009-03-08 13:14:54 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI 2009-03-06 16:35:17 ----D---- C:\WINDOWS\system32\Macromed 2009-02-27 08:53:25 ----D---- C:\Program Files\S3 2009-02-26 11:18:59 ----D---- C:\WINDOWS\Help 2009-02-26 11:17:07 ----SHD---- C:\WINDOWS\Installer 2009-02-26 11:16:52 ----D---- C:\Program Files\Java 2009-02-26 11:10:00 ----RD---- C:\Program Files 2009-02-24 20:11:58 ----SD---- C:\WINDOWS\Downloaded Program Files 2009-02-24 20:10:46 ----D---- C:\Program Files\Common Files 2009-02-24 13:34:04 ----D---- C:\Downloads 2009-02-23 04:14:34 ----A---- C:\WINDOWS\NeroDigital.ini 2009-02-22 04:39:15 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2009-02-22 04:38:30 ----D---- C:\Program Files\Spybot - Search & Destroy 2009-02-14 03:18:45 ----D---- C:\WINDOWS\Debug 2009-02-12 04:00:50 ----D---- C:\Program Files\Internet Explorer 2009-02-12 04:00:34 ----D---- C:\WINDOWS\ie7updates 2009-02-11 21:56:18 ----A---- C:\WINDOWS\system32\MRT.exe 2009-02-10 06:58:51 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft 2009-01-19 02:57:36 ----D---- C:\Program Files\CCleaner 2009-01-17 14:29:59 ----A---- C:\WINDOWS\system32\deploytk.dll 2009-01-16 22:35:14 ----A---- C:\WINDOWS\system32\mshtml.dll 2009-01-16 19:27:01 ----D---- C:\Documents and Settings\John Austin Brewder\Application Data\Google 2009-01-16 19:26:29 ----D---- C:\Program Files\Google 2009-01-16 05:21:46 ----SD---- C:\Documents and Settings\John Austin Brewder\Application Data\Microsoft 2008-12-20 16:15:41 ----A---- C:\WINDOWS\system32\wininet.dll 2008-12-20 16:15:40 ----A---- C:\WINDOWS\system32\webcheck.dll 2008-12-20 16:15:40 ----A---- C:\WINDOWS\system32\urlmon.dll 2008-12-20 16:15:39 ----A---- C:\WINDOWS\system32\url.dll 2008-12-20 16:15:38 ----N---- C:\WINDOWS\system32\pngfilt.dll 2008-12-20 16:15:38 ----N---- C:\WINDOWS\system32\occache.dll 2008-12-20 16:15:32 ----N---- C:\WINDOWS\system32\mstime.dll 2008-12-20 16:15:31 ----N---- C:\WINDOWS\system32\msrating.dll 2008-12-20 16:15:30 ----N---- C:\WINDOWS\system32\mshtmled.dll 2008-12-20 16:15:24 ----A---- C:\WINDOWS\system32\msfeedsbs.dll 2008-12-20 16:15:23 ----A---- C:\WINDOWS\system32\msfeeds.dll 2008-12-20 16:15:23 ----A---- C:\WINDOWS\system32\jsproxy.dll 2008-12-20 16:15:22 ----A---- C:\WINDOWS\system32\iertutil.dll 2008-12-20 16:15:21 ----N---- C:\WINDOWS\system32\iernonce.dll 2008-12-20 16:15:21 ----A---- C:\WINDOWS\system32\ieframe.dll 2008-12-20 16:15:16 ----N---- C:\WINDOWS\system32\iedkcs32.dll 2008-12-20 16:15:15 ----A---- C:\WINDOWS\system32\ieapfltr.dll 2008-12-20 16:15:14 ----N---- C:\WINDOWS\system32\ieaksie.dll 2008-12-20 16:15:14 ----N---- C:\WINDOWS\system32\ieakeng.dll 2008-12-20 16:15:13 ----N---- C:\WINDOWS\system32\extmgr.dll 2008-12-20 16:15:13 ----N---- C:\WINDOWS\system32\dxtrans.dll 2008-12-20 16:15:13 ----A---- C:\WINDOWS\system32\icardie.dll 2008-12-20 16:15:12 ----N---- C:\WINDOWS\system32\dxtmsft.dll 2008-12-20 16:15:11 ----A---- C:\WINDOWS\system32\advpack.dll 2008-12-19 02:10:15 ----N---- C:\WINDOWS\system32\ie4uinit.exe 2008-12-19 02:10:15 ----A---- C:\WINDOWS\system32\ieudinit.exe 2008-12-18 22:23:56 ----N---- C:\WINDOWS\system32\ieakui.dll ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2008-07-19 26944] R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416] R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2008-07-19 42912] R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352] R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592] R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560] R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2008-07-19 94416] R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2008-07-19 23152] R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-04-16 42496] R3 HdAudAddService;VIA High Definition Audio Service; C:\WINDOWS\system32\drivers\viahduaa.sys [2007-06-05 201216] R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384] R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368] R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128] R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208] R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520] R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608] S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165] S3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464] S3 S3GIGP;S3GIGP; C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [] S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys [] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664] R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-07-19 16056] R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-07-19 147640] R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-16 168432] R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-01-17 152984] R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2000-05-09 287232] R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-01-17 61440] R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912] R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-07-19 250040] R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-07-23 348344] R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872] R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-05-07 271920] S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-05-07 779824] -----------------EOF----------------- info.txt logfile of random's system information tool 1.05 2009-03-12 16:09:41 ======Uninstall list====== -->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks\|RealPlayer\|6.0 -->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL -->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL -->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL -->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL -->C:\WINDOWS\UNNeroVision.exe /UNINSTALL -->C:\WINDOWS\UNRecode.exe /UNINSTALL -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07} Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF} Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F} Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001} avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup BitComet 1.05-->C:\Program Files\BitComet\uninst.exe CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe" Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3} Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29} Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar1.dll" Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe" iTunes-->MsiExec.exe /I{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843} Java™ 6 Update 12-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF} LimeWire 4.18.8-->"C:\Program Files\LimeWire\uninstall.exe" Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe" Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe" Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe" Microsoft Office 2000 Standard-->MsiExec.exe /I{00020409-78E1-11D2-B60F-006097C998E7} Mozilla Firefox (3.0.7)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF} MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71} Nero 7 Essentials-->MsiExec.exe /X{E11BD6A7-5046-4D25-ABCB-386A54F71033} neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B} OverDrive Media Console-->MsiExec.exe /I{34D6EED8-7650-4E1C-BC26-F5B2DDE185C6} Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe PC Pitstop Optimize2 2.0-->"C:\Program Files\PCPitstop\Optimize2\unins000.exe" QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB} RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks\|RealPlayer\|6.0 Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe" Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe" Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe" Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe" Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe" Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe" Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe" Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe" Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe" Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe" Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe" Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe" Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe" Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe" Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe" Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe" Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe" Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe" Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe" Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe" Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe" Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe" Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe" Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe" Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe" Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe" Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe" Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe" Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe" Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe" Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe" Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe" Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe" Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe" Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe" Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe" VIA Platform Device Manager-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169} VIA Rhine-Family Fast-Ethernet Adapter-->Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe" Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4} Xvid 1.1.3 final uninstall-->"C:\Program Files\Xvid\unins000.exe" ======Hosts File====== 127.0.0.1 localhost 127.0.0.1 ad.a8.net 127.0.0.1 asy.a8ww.net 127.0.0.1 a9rhiwa.cn #[Google.Warning] 127.0.0.1 www.a9rhiwa.cn 127.0.0.1 acezip.net #[SiteAdvisor.acezip.net] 127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions] 127.0.0.1 phpadsnew.abac.com 127.0.0.1 a.abnad.net 127.0.0.1 b.abnad.net ======Security center information====== AV: avast! antivirus 4.8.1229 [VPS 090311-1] System event log Computer Name: JOHN Event Code: 4226 Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts. Record Number: 2298 Source Name: Tcpip Time Written: 20081205162946.000000-480 Event Type: warning User: Computer Name: JOHN Event Code: 7036 Message: The Computer Browser service entered the stopped state. Record Number: 2297 Source Name: Service Control Manager Time Written: 20081205134240.000000-480 Event Type: information User: Computer Name: JOHN Event Code: 7036 Message: The Remote Access Connection Manager service entered the running state. Record Number: 2296 Source Name: Service Control Manager Time Written: 20081205134240.000000-480 Event Type: information User: Computer Name: JOHN Event Code: 7036 Message: The Application Layer Gateway Service service entered the running state. Record Number: 2295 Source Name: Service Control Manager Time Written: 20081205134239.000000-480 Event Type: information User: Computer Name: JOHN Event Code: 7035 Message: The Application Layer Gateway Service service was successfully sent a start control. Record Number: 2294 Source Name: Service Control Manager Time Written: 20081205134239.000000-480 Event Type: information User: NT AUTHORITY\SYSTEM Application event log Computer Name: JOHN Event Code: 1000 Message: Performance counters for the ContentIndex (ContentIndex) service were loaded successfully. The Record Data contains the new index values assigned to this service. Record Number: 5 Source Name: LoadPerf Time Written: 20081008170547.000000-420 Event Type: information User: Computer Name: JOHN Event Code: 1000 Message: Performance counters for the TermService (Terminal Services) service were loaded successfully. The Record Data contains the new index values assigned to this service. Record Number: 4 Source Name: LoadPerf Time Written: 20081008170545.000000-420 Event Type: information User: Computer Name: JOHN Event Code: 1000 Message: Performance counters for the RemoteAccess (Routing and Remote Access) service were loaded successfully. The Record Data contains the new index values assigned to this service. Record Number: 3 Source Name: LoadPerf Time Written: 20081008170429.000000-420 Event Type: information User: Computer Name: JOHN Event Code: 1000 Message: Performance counters for the PSched (PSched) service were loaded successfully. The Record Data contains the new index values assigned to this service. Record Number: 2 Source Name: LoadPerf Time Written: 20081008170403.000000-420 Event Type: information User: Computer Name: JOHN Event Code: 1000 Message: Performance counters for the RSVP (QoS RSVP) service were loaded successfully. The Record Data contains the new index values assigned to this service. Record Number: 1 Source Name: LoadPerf Time Written: 20081008170402.000000-420 Event Type: information User: ======Environment variables====== "ComSpec"=%SystemRoot%\system32\cmd.exe "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\ "windir"=%SystemRoot% "FP_NO_HOST_CHECK"=NO "OS"=Windows_NT "PROCESSOR_ARCHITECTURE"=x86 "PROCESSOR_LEVEL"=6 "PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel "PROCESSOR_REVISION"=0f0d "NUMBER_OF_PROCESSORS"=2 "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH "TEMP"=%SystemRoot%\TEMP "TMP"=%SystemRoot%\TEMP "CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip "QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip -----------------EOF----------------- Acrobat.com Acrobat.com Ad-Aware Adobe AIR Adobe AIR Adobe Flash Player 10 Plugin Adobe Reader 9 avast! Antivirus BitComet 1.05 CCleaner (remove only) Google Earth Google Toolbar for Internet Explorer Google Toolbar for Internet Explorer Google Updater HijackThis 2.0.2 Hotfix for Windows XP (KB952287) iTunes Java™ 6 Update 12 LimeWire 4.18.8 Malwarebytes' Anti-Malware Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office 2000 Standard Mozilla Firefox (3.0.7) MSN MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) Nero 7 Essentials neroxml OverDrive Media Console Panda ActiveScan 2.0 PC Pitstop Optimize2 2.0 QuickTime RealPlayer Security Update for Windows Internet Explorer 7 (KB953838) Security Update for Windows Internet Explorer 7 (KB956390) Security Update for Windows Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Internet Explorer 7 (KB961260) Security Update for Windows Media Player (KB952069) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953838) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960715) Spybot - Search & Destroy Update for Windows XP (KB898461) Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update for Windows XP (KB955839) Update for Windows XP (KB967715) VIA Platform Device Manager VIA Rhine-Family Fast-Ethernet Adapter Windows Internet Explorer 7 Windows Media Format Runtime Windows Media Player Firefox Plugin Xvid 1.1.3 final uninstall Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:08:10 PM, on 3/12/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16791) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\LimeWire\LimeWire.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing) O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll O20 - AppInit_DLLs: O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- End of file - 7844 bytes

Bio-Hazard View Member Profile	Mar 12 2009, 11:10 PM Post #15
Global Moderator/Security Expert Group: Global Moderator Posts: 85 Joined: 1-February 09 From: Cornwall, UK Member No.: 10,142	Hello! Do you know what is in this folder C:\Program Files\S3 ? P2P Warning! BitComet 1.05 LimeWire 4.18.8 I understand that downloading music and other files may be important to you; however, the P2P programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection over the internet, so your computer becomes a part of the malware problem. Remember that no matter how clean the program you're using for peer-to-peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via p2p filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., copyrighted material, pirated software, and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware. An often unanticipated and unintended consequence of using p2p programs is that you may be leaving your computer open to access by others without either your knowledge or consent. This is how you can uninstall it/them: Click Start Go to Control Panel Go to Add/Remove Programs Find and click Remove for the following (if present): BitComet 1.05 LimeWire 4.18.8 NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program. If you wish to keep them, you MUST NOT use them until your computer is clean. Back Up registry with ERUNT Please use the following link and scroll down to ERUNT and download it on to your desktop. HERE Click on the erunt-setup.exe Follow the prompts to install ERUNT Choose language A set up window will pop up. It will ask: Create ERUNT entry in to the Start up folder, answer NO Backup your registry to the default location Note: To restore your registry (if needed), go to the folder and start ERDNT.exe OTMoveIt3 Download OTMoveIt3 by Old Timer and save it to your Desktop. Double-click OTMoveIt3.exe to run it. Copy the lines in the codebox below. CODE :reg [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLS"="" :commands [EmptyTemp] Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste. Click the red Moveit! button. OTMI3 may ask to reboot the machine. Please do so if asked. Copy everything in the Results window (under the green bar), and paste it in your next reply. Close OTMoveIt3 Kaspersky Online Scan Please go to Kaspersky website and perform an online antivirus scan. Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan. Read through the requirements and privacy statement and click on Accept button. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run. When the downloads have finished, click on Settings. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs Archives Click on My Computer under Scan. Once the scan is complete, it will display the results. Click on View Scan Report. You will see a list of infected items there. Click on Save Report As.... Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Please post this log in your next reply along with a fresh HijackThis log. Logs/Information to Post in Next Reply Please post the following logs/Information in your reply: OTMoveit Log Anser to my question about the folder Kaspersky Scan Log A fresh HijackThis Log ( after all the above has been done) A description of how your computer is behaving -------------------- Honors Graduate of Malware Removal University

333nnn View Member Profile	Mar 15 2009, 01:35 PM Post #16
Junior Member Group: Members Posts: 60 Joined: 9-March 08 Member No.: 7,491	When running the Kaspersky Scanner I got this message : "Update has failed. The program has failed to start. Close Scanner and open it again to install the program". I closed the Scanner page and tried to restart it again several times but each time got the same message. I don't know what is in C:\Program Files\S3. I don't remember creating it. I don't want to open it because doing so may activate something. My computer is running fine with both hard drives. I don't notice any problems with either drive. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:32:16 AM, on 3/15/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16791) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\notepad.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\COMODO\COMODO Internet Security\cfp.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- End of file - 7574 bytes Acrobat.com Acrobat.com Ad-Aware Adobe AIR Adobe AIR Adobe Flash Player 10 Plugin Adobe Reader 9 avast! Antivirus CCleaner (remove only) COMODO Internet Security ERUNT 1.1j Google Earth Google Toolbar for Internet Explorer Google Toolbar for Internet Explorer Google Updater HijackThis 2.0.2 Hotfix for Windows XP (KB952287) iTunes Java™ 6 Update 12 Malwarebytes' Anti-Malware Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office 2000 Standard Mozilla Firefox (3.0.7) MSN MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) Nero 7 Essentials neroxml OverDrive Media Console Panda ActiveScan 2.0 PC Pitstop Optimize2 2.0 QuickTime RealPlayer Security Update for Windows Internet Explorer 7 (KB953838) Security Update for Windows Internet Explorer 7 (KB956390) Security Update for Windows Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Internet Explorer 7 (KB961260) Security Update for Windows Media Player (KB952069) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953838) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960715) Spybot - Search & Destroy Update for Windows XP (KB898461) Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update for Windows XP (KB955839) Update for Windows XP (KB967715) VIA Platform Device Manager VIA Rhine-Family Fast-Ethernet Adapter Windows Internet Explorer 7 Windows Media Format Runtime Windows Media Player Firefox Plugin Xvid 1.1.3 final uninstall ========== REGISTRY ========== HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLS"\|"" /E : value set successfully! ========== COMMANDS ========== File delete failed. C:\DOCUME~1\JOHNAU~1\LOCALS~1\Temp\etilqs_dPe8pgHeMCtjdgv6K5c0 scheduled to be deleted on reboot. User's Temp folder emptied. User's Temporary Internet Files folder emptied. User's Internet Explorer cache folder emptied. Local Service Temp folder emptied. File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot. Local Service Temporary Internet Files folder emptied. File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot. File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5c8.dat scheduled to be deleted on reboot. File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6f0.dat scheduled to be deleted on reboot. Windows Temp folder emptied. Java cache emptied. File delete failed. C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\Cache\_CACHE_001_ scheduled to be deleted on reboot. File delete failed. C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\Cache\_CACHE_002_ scheduled to be deleted on reboot. File delete failed. C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\Cache\_CACHE_003_ scheduled to be deleted on reboot. File delete failed. C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot. File delete failed. C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\urlclassifier3.sqlite scheduled to be deleted on reboot. File delete failed. C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\XUL.mfl scheduled to be deleted on reboot. FireFox cache emptied. Temp folders emptied. OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03152009_013905 Files moved on Reboot... File C:\DOCUME~1\JOHNAU~1\LOCALS~1\Temp\etilqs_dPe8pgHeMCtjdgv6K5c0 not found! File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot. File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot. File C:\WINDOWS\temp\Perflib_Perfdata_5c8.dat not found! File C:\WINDOWS\temp\Perflib_Perfdata_6f0.dat not found! C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\Cache\_CACHE_001_ moved successfully. C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\Cache\_CACHE_002_ moved successfully. C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\Cache\_CACHE_003_ moved successfully. C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\Cache\_CACHE_MAP_ moved successfully. C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\urlclassifier3.sqlite moved successfully. C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\XUL.mfl moved successfully. ERUNT - The Emergency Recovery Utility NT ========================================= Registry Backup and Restore for Windows NT/2000/2003/XP v1.1j, 10/20/2005, Freeware Written by Lars Hederer e-mail: lars.hederer@t-online.de Look for the latest version here: http://www.larshederer.homepage.t-online.de/erunt To find out what's new in this version, please see the "Version history" section later in this file. Introduction ------------ With the invention of Windows 95 Microsoft made the wise decision to organize all computer- and application-specific data which was spread over countless INI files before in a centralized Windows database, called the system "registry". The registry is one of the most important parts in every Windows system today, without which the OS would not even boot. And since the registry is quite sensitive to corruption, it is very advisable to backup its according files from time to time. In MS-DOS based Windows versions (95, 98, Me) the registry consists of the files SYSTEM.DAT and USER.DAT (and CLASSES.DAT in Windows Me). To backup these files, one can easily go to the Windows folder in Explorer and copy the files to a safe location, for example another folder on the hard disk. Microsoft even supplies a utility called ERU which can be used to backup these and a few other critical system files to a safe location. Also, Windows 9x/Me automatically create backups of the registry at startup, with Windows 95 always backing up the registry from the previous Windows session, and Windows 98/Me maintaining up to five registry copies from the last five days where Windows was running. Unfortunately, this is not the case with Windows versions based on the NT kernel. In Windows NT and 2000, the registry is never backed up automatically, and in XP it is backed up only as part of the bloated and resource hogging System Restore program which cannot even be used for a "restore" should a corrupted registry prevent Windows from booting. It has also become impossible to copy the necessary files, now called "hives" and usually named DEFAULT, SAM, SECURITY, SOFTWARE, SYSTEM in the SYSTEM32\CONFIG folder, to another location because they are all in use by the OS. And though the registry in an NT-based Windows is less likely to become corrupted than in other versions, it can still happen, and for these cases NT is simply missing an option for easy registry backup and restore as there is in Windows 9x/Me, to get the system up and running again in no time. In 2001, as Windows XP began to come pre-installed on many new home user PCs and was likely to become the new Windows standard over the next years, I decided to write a program which offers the ease-of-use of Windows 9x/Me ERU by Microsoft (hence the name ERUNT) to backup the registry, as well as providing an auto-backup capability, for example at Windows startup. Or, before installing a new program for testing purposes one could save the registry with ERUNT, install and test the program, uninstall it and restore the registry to be 100% sure that no debris is left. Note: The "Export registry" function in Regedit is USELESS (!) for making a complete backup of the registry. Neither does it export the whole registry (for example, no information from the "SECURITY" hive is saved), nor can the exported file be used later to replace the current registry with the old one. Instead, if you re-import the file, it is merged with the current registry without deleting anything that has been added since the export, leaving you with an absolute mess of old and new entries. Features -------- - Backup the Windows NT/2000/2003/XP registry to a folder of your choice - System and current user registries selectable - Command line switches for automated registry backup and restoration - Restore the registry in Windows 9x/Me/NT/2000/2003/XP and MS-DOS (all-in-one restore program) or the Windows Recovery Console - Included in this package: NTREGOPT program for optimizing the registry - All programs in this package are completely localizable (translate them into your language), German version included Supported operating systems --------------------------- - Windows NT 3.51 - Windows NT 4.0 - Windows 2000 - Windows 2003 - Windows XP - most likely, all future Windows versions based on the NT kernel Additionally supported by the ERDNT restore program: - MS-DOS - Windows 95 - Windows 98 - Windows Me Installation ------------ Use the Setup program to install ERUNT on your computer. Or, if you downloaded the zipped version: Unzip all files into a folder of your choice, and if you want, create shortcuts on your desktop to the ERUNT.EXE and NTREGOPT.EXE files. Uninstallation -------------- Use "Add/Remove Programs" in Windows' control panel to remove ERUNT from your computer. Or, if you downloaded the zipped version: Delete the ERUNT folder, delete the appropriate desktop icons. (You may also want to delete all restore folders you have previously created with the program.) Backing up the registry with ERUNT ---------------------------------- Note: To ensure proper operation of ERUNT, you should be logged in as a system administrator. Start ERUNT, confirm the Welcome message. Type in the name of a restore folder where the backed up registry files should be saved, or click "..." to browse your computer's drives and select a folder. You can also simply leave the default, which is a folder named ERDNT inside your Windows folder, the advantage being that you have access to this folder from the Windows Recovery Console in case Windows does not boot anymore. Note that in the folder edit field, ERUNT by default appends a folder named the current date to the restore folder, which allows you to keep as many registry backups as you wish in the same restore folder, separated into the different creation dates. This feature, as well as the appearance of the date string, can be configured via the ERUNT.INI file, described later in this document. If you want the registry backup to be created directly in the folder you select, you can also simply remove the date from the folder edit field before clicking "OK". Next, select the backup options: - System registry: The current system registry, usually consisting of the files DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM. - Current user registy: The registry files for the currently logged-on user, usually NTUSER.DAT and USRCLASS.DAT. - Other open user registries: Sometimes Windows has a few other user registries in memory. Examples for this are "generic" registries, e.g. for user "EVERYONE", or registries of other users if you use Fast Task Switching in Windows XP. Check this option to backup all these additional user registries (if found) as well. Click "OK" and wait until the backup process is complete. (Note that depending on your system configuration this may take some time, and that the first bar is NOT a progress bar, just an indicator that the program is still running.) The ERDNT program for later restoration of the registry is automatically copied to the restore folder. (Technical information: ERUNT saves only registry files which are in use by the system. It obtains information about these files from registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ hivelist. Registry hives not listed there, for example those of other users of the computer, cannot be saved by ERUNT.) ERUNT command line switches --------------------------- ERUNT supports command line switches with which you can perform an automated registry backup, without user interaction. The syntax for the ERUNT command line is as follows: ERUNT DestinationFolder [sysreg] [curuser] [otherusers] [/noconfirmdelete] [/noprogresswindow] DestinationFolder is required for command line operation of ERUNT, all other switches are optional. If you specify a destination folder on the command line, ERUNT automatically runs in "silent" mode and with default backup options (system and current user registry). No user interaction is required, EXCEPT the confirmation of the restore folder deletion if it exists, or any error messages. The confirmation question can be suppressed by using /noconfirmdelete (see below). Description of the command line switches: DestinationFolder The name of the folder where the registry backup should be saved. Example: C:\WINDOWS\ERDNT You can use the strings #Date# and #Time# anywhere in the folder name to have ERUNT insert the current date/time at that position. Example: C:\WINDOWS\ERDNT\#Date# Windows' %SystemRoot% environment variable can be used on the command line as a substitute for the name of the Windows folder. Example: %SystemRoot%\ERDNT\#Date# sysreg Backup the system registry curuser Backup the current user registry otherusers Backup other open user registries (Note: If none of the three above options is given on the command line, ERUNT automatically uses the default backup options, system and current user registry.) /noconfirmdelete Automatically deletes the contents of the destination folder if it exists, without asking the user. BE CAREFUL and only use this option if you are sure that the contents of that folder may really be deleted! /noprogresswindow Hides the progress window during backup. So, to backup the system registry to folder C:\ERDNT each day of the week using subfolders with the name of the current day you could use the integrated scheduler in Windows to schedule seven different ERUNT calls for each day: For Monday you would use the command line C:\ERUNT\ERUNT.EXE C:\ERDNT\Monday sysreg /noconfirmdelete For Tuesday you would use the command line C:\ERUNT\ERUNT.EXE C:\ERDNT\Tuesday sysreg /noconfirmdelete ... well, you get the idea. Or, to have ERUNT automatically backup the registry on each Windows startup to a folder named "ERDNT" inside the Windows folder, including a folder named the current date, you could place a shortcut like the following in your Start Menu/Programs/Startup folder: C:\ERUNT\ERUNT.EXE %SystemRoot%\ERDNT\#Date# /noconfirmdelete If you want old restore folders created this way to be deleted automatically from time to time, you can use AUTOBACK.EXE instead of ERUNT.EXE. The AUTOBACK tool is described later in this document. Also, ERUNT Setup offers the choice to add an AutoBackup shortcut to the Startup folder automatically during the installation process. The ERUNT.INI file ------------------ You can configure various ERUNT settings with this file, for example change the default destination folder displayed in ERUNT's folder edit field, or disable automatic appendation of the current date there. Use Notepad to create a file named ERUNT.INI in your ERUNT folder, and add the following line: [ERUNT] Below this line, enter one or more of the following configuration options: DefaultDestinationFolder The name of the default folder displayed in ERUNT's folder edit field. You may also use environment variables here, for example %SystemRoot% as a substitute for the name of the Windows folder. Default: %SystemRoot%\ERDNT Example: DefaultDestinationFolder=C:\ERDNT AppendDateToFolderEditField Enable or disable automatic appendation of the current date to ERUNT's folder edit field. 0=disable, 1=enable, default: 1 Example: AppendDateToFolderEditField=0 AppendTimeToFolderEditField Enable or disable automatic appendation of the current time to ERUNT's folder edit field. This function can only be enabled in conjunction with AppendDateToFolderEditField also set to 1. 0=disable, 1=enable, default: 0 Example: AppendTimeToFolderEditField=1 DateFormat DateSeparator These settings configure the appearance of the date string in ERUNT's folder edit field, or when #Date# is used on the command line. By default, ERUNT uses Windows' regional settings for the short date format. Note that only "." and "-" are allowed as date separators. Example: DateFormat=mm/dd/yyyy DateSeparator=- TimeFormat TimeSeparator These settings configure the appearance of the time string in ERUNT's folder edit field, or when #Time# is used on the command line. By default, ERUNT uses Windows' regional settings for the short time format. Note that only "." and "-" are allowed as time separators. Example: TimeFormat=hh:mm:ss TimeSeparator=. DisableFastBackup On supported operating systems (including Windows XP and Server 2003) ERUNT by default uses a very fast backup algorithm. If you experience any problems during registry backup, you can try to disable this function and revert back to the conventional (but slow) method. This setting has no effect on unsupported operating systems, where the conventional algorithm is always used. 0=fast method, 1=conventional method, default: 0 Example: DisableFastBackup=1 The AUTOBACK.EXE tool --------------------- The command line tool AUTOBACK.EXE uses the same syntax as ERUNT but performs the additional task of deleting old restore folders after the new backup has been created. For this to work properly, the name of the last folder in the command line option DestinationFolder must begin with the current date, or the #Date# string, respectively. If this is the case AUTOBACK automatically searches the parent folder of the newly created backup for folder names of the same date format and deletes all folders except from the last 30 days where backups have been created. The number of restore folders to keep can be changed using the /days:n command line switch, e.g. /days:7 would only keep the folders from the last 7 backup days. By default AUTOBACK does not create a new backup if one already exists for the current day. Use the /alwayscreate switch to change this behavior and have the program always create a new backup. AUTOBACK is dependent on ERUNT and therefore needs to be executed from the same folder. It uses the same settings for the date format as ERUNT does, so if you specified a new format in ERUNT.INI it will also be used automatically by AUTOBACK. Restoring the registry with ERDNT --------------------------------- Situation: Windows is running normally. To restore a previous registry backup, open Windows Explorer, navigate to the folder where you saved the backup to, and double-click the ERDNT.EXE file to start the restoration program. (Each restore folder has its own copy of ERDNT.EXE in it.) Select which registry components to restore, then click "OK" to start restoration. When the process is complete, click "OK" to restart the computer and activate the restored registry. Note: If you experience any problems restoring the registry, please read "ERDNT technical information" later in this document to learn what ERDNT is actually doing during the process, or simply read on through the following emergency scenarios for other ways of restoring the registry. What to do if Windows does not boot anymore? -------------------------------------------- If Windows refuses to boot normally it can be for a variety of reasons, not the least of which is that the registry is damaged, or you installed a program or driver which is somewhat incompatible with the system or buggy, in which case restoring a registry backup from a point where everything was running smoothly should also help. The first thing to try is to reboot and press the F8 key immediately before the first Windows screen appears, then select the "Last Known Good" option from the menu and see if Windows boots up with this option. If it does, you're all set. If it does not, reboot again with F8, and select the option "Safe Mode". If Windows boots up in safe mode, you can restore a registry backup just as you would in normal mode, as described above. If safe mode also fails, read on... Restoring the registry with ERDNT - Emergency Scenario I -------------------------------------------------------- Situation: Windows fails to boot up in normal and safe mode, but you have a DOS boot disk or another (working) operating system installed on your PC which is supported by the ERDNT restoration program, and from which you have full access to the drive(s) containing the corrupt Windows installation and the registry backup. Boot up to the working OS, and open the folder containing the registry backup you want to restore. If the drive letters are different to as they were in the Windows where you created the registry backup, you need to edit the ERDNT.INF file now to reflect the new drive letters, before trying to restore the registry backup. For example, if the drive with the corrupt Windows installation is now available as D: instead of C:, then you would change all C:\... references in the INF file to D:\... . Editing the file can be done in Windows with the Notepad program, and in DOS with the EDIT command. Now run the ERDNT.EXE file to start the restoration program. Select which registry components to restore (just the system registry will do in most cases), then start restoration. When the process is complete, reboot the computer and check if the other Windows installation is repaired now. Restoring the registry with ERDNT - Emergency Scenario II --------------------------------------------------------- Situation: Windows fails to boot up in normal and safe mode, and you have no other working operating system installed on your PC. The following two rescue methods require that your PC is configured so that it can boot from CD. See your BIOS documentation for more information. 1. Bart's PE Builder Use another computer with Internet access and CD burning capabilities to download this free program from the Internet (do a Google search for it), which will create a bootable Windows CD with full access to all drives (including NTFS). Boot from this CD, open the File Management Utility and follow the directions in "Emergency Scenario I" to run ERDNT and restore the registry. 2. The Windows Recovery Console (Windows 2000 and higher) Note that you can use this method only if you saved the registry backup inside the Windows folder, and that using this procedure only the system registry is restored. This should however get you back into Windows, from where you can run the ERDNT program to restore user registries, if necessary. - Boot your system from the Windows 2000/2003/XP CD-ROM. - At the welcome screen, press "R" (Windows 2000: "R" then "C"). - Type in the number of the Windows installation you want to repair (usually 1), then press ENTER. - Type in the Administrator password (leave blank if you are unsure what it is) and press ENTER. - At the command prompt type cd erdnt or whatever you named your restore folder, then press ENTER. - If you enabled automatic registry backup on system boot during ERUNT installation and want to restore one of these backups, type cd autobackup <ENTER> - If you created subfolders for different registry backups (for example, with the different creation dates), type dir <ENTER> to see a list of available folders, then type cd foldername <ENTER> where foldername is the name of a folder listed by the dir command, to open that folder. - Now type batch erdnt.con <ENTER> to restore the system registry from that folder. - Type exit <ENTER> and remove the CD from the CD-ROM drive. The system will now reboot with the restored registry. ERDNT technical information --------------------------- ERDNT knows two restoration modes. The right mode is usually auto- detected each time ERDNT is run, but read on if you are experiencing problems restoring the registry. "NT" mode is used if you run the ERDNT program from within the same system where you made the backup. This is determined by looking at the [SystemRoot] entry in the ERDNT.INF file and comparing it to the actual %SystemRoot% environment variable. Using "NT" mode is the only way to successfully restore the active registry of the currently running OS. "File copy" mode is used if the currently running OS is NOT NT-based, or if the [SystemRoot] entry does not match the %SystemRoot% environment variable. In this mode the backed up registry files are simply copied back to their original location. MS-DOS based ERDNT only supports "File copy" mode. Note: In restoration mode "NT" backups of the current registry files are automatically created, so that option is grayed out. In restoration mode "File copy" all saved user registries are automatically restored, so you cannot choose between "current user" and "other user" registries. The backups of the current registry files are placed in the same location as the original and are given the extension ".bak". Experienced users don't even need to use the ERDNT program in other operating systems to restore a registry backup. Given access to the appropriate files and folders, the backed up files can simply be copied back to their original location, as that is all ERDNT does in "File copy" mode anyway. Have a look at the ERDNT.INF file to find out what the original file locations are. ERDNT command line switches --------------------------- The ERDNT program also supports command line switches for "silent" operation. The syntax for the ERDNT command line is: ERDNT silent [sysreg] [curuser] [otherusers] [/mode:nt\|filecopy] [/nobackup] [/noprogresswindow] [/reboot] (Switches in brackets are optional.) Description of the command line switches: silent Puts ERDNT into "silent" mode and enables all other switches. sysreg Restore the system registry curuser * Restore the current user registry (This option is ignored in "File copy" restoration mode.) otherusers Restore other saved user registries (Note: If none of the three above options is given on the command line, ERDNT automatically uses the default restoration options, system and current user registry.) /mode:nt or /mode:filecopy * Disables automatic detection of the correct restoration mode and uses mode "NT" or "File copy" instead. /nobackup Don't make backups of the current registry files during restoration. (This switch is ignored in "NT" restoration mode.) /noprogresswindow Hides the progress window during restoration. /reboot * Automatically reboots the computer when restoration of the registry is complete. * = Not supported in the DOS version of ERDNT. Optimizing the registry with NTREGOPT ------------------------------------- Similar to Windows 9x/Me, the registry files in an NT-based system can become fragmented over time, occupying more space on your hard disk than necessary and decreasing overall performance. You should use the NTREGOPT utility regularly, but especially after installing or uninstalling a program, to minimize the size of the registry files and optimize registry access. The program works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. Note that the program does NOT change the contents of the registry in any way, nor does it physically defrag the registry files on the drive (as the PageDefrag program from SysInternals does). The optimization done by NTREGOPT is simply compacting the registry hives to the minimum size possible. To optimize your registry, simply run NTREGOPT, click "OK", and when the process is complete click "OK" to reboot the computer. You should do so immediately because any changes made to the registry after NTREGOPT has been run are lost after the reboot. NTREGOPT command line switches ------------------------------ The syntax for the NTREGOPT command line is: NTREGOPT silent [/noprogresswindow] [/reboot] (Switches in brackets are optional.) Description of the command line switches: silent Puts NTREGOPT into "silent" mode and enables the other switches. /noprogresswindow Hides the progress window during optimization. /reboot Automatically reboots the computer when optimization of the registry is complete. Known problems -------------- ERUNT and NTREGOPT sometimes fail with error 1450 - "Insufficient system resources exist to complete the requested service" - when trying to save a registry hive. I have not yet been able to reproduce this error on any PC, and reports from affected users indicate that it also pops up when trying to back up the critical hive using Microsoft's REGBACK program. This makes it unlikely that there is anything I can do on my (the programmer's) side. Some users reported however that they were able to work around the problem by running ERUNT/NTREGOPT in Windows' safe mode, and in one case uninstalling a Symantec software suite solved it permanently. One user reported that increasing the "IRPStackSize" value as described in Microsoft Knowledge Base article 177078 fixed the problem on his system. When the system is rebooted after a restoration of the registry with ERDNT or optimization with NTREGOPT, Windows Server 2003 will by default display the shutdown event tracker during logon asking why the system has been shut down unexpectedly. This is because the info that the shutdown was in fact an expected one is written to the "old" registry during shutdown of the system which is replaced by the restored/optimized registry next time the system is booted, and therefore the shutdown info is discarded and shutdown event tracker thinks the system crashed. You may want to disable the tracker to avoid this message in the future (see the Windows help for information on how to do this). If you experience any other problems, please email me at lars.hederer@t-online.de with a detailed description and I will see if I can help you. Localization ------------ You can translate all programs from this package into your language by editing the appropriate .LOC file. Keep in mind that the LOC files of the three Windows programs (ERUNT, ERDNTWIN, NTREGOPT) should be edited using a Windows based editor (Notepad), and ERDNTDOS.LOC using an MS-DOS based editor (EDIT.COM). This is to ensure that any OEM characters are displayed correctly in the program. If your language is not yet present on my homepage and you want your localization to be available to the general public, you are welcome to send the four translated files to me. I will then make them available for download, with credits of course. I have included a German language pack. If you want to use the program in German, simply unzip LOC_GER.ZIP into your ERUNT folder. Version history --------------- v1.1j, 10/20/2005 - Fixed compatibility issues with 64-bit Windows (many thanks to Ian Smith and Hajo for all testing) - Enhanced error messages - AutoBackup now supports all date formats - ERUNT.INI: "TimeSeparator" fixed; "DefaultDestinationFolder" now supports all environment variables (previously only %SystemRoot% could be used) - ERDNT now displays the source Windows folder in addition to the backup's creation date v1.1i, 08/17/2005 - AutoBackup: Improved support for complex date formats - NTREGOPT: Optimization results are now calculated correctly when optimization failed on one or more hives v1.1h, 03/06/2005 - Updated homepage address - New ERUNT.INI option: AppendTimeToFolderEditField - Fixed a problem where the current user registry could not be identified on some systems - Changed behavior of AutoBackup's /days:n switch v1.1g, 11/02/2004 - ERUNT is now MUCH faster on Windows XP and Server 2003 - Added time string support on the command line - AutoBackup now by default skips creating a backup for the current day if one already exists v1.1f, 08/26/2004 - Added AUTOBACK.EXE command line tool for automated registry backup and deletion of old restore folders created prior to a specific number of days - Window position is now screen center instead of desktop center, fixing display problem when using multiple monitors (thanks John v1.1e, 07/31/2004 - Appearance of the date string can be configured via ERUNT.INI - NTREGOPT: Optimization results: use thousand separator v1.1d, 07/07/2004 - Optimized error handling - Combined DOS and Windows ERDNT into a single Win32 executable, fixing problems with the previous 16-bit exe stub on some systems and with BartPE - Added Windows Recovery Console support with ERDNT batch file - Default destination folder can now be configured via file ERUNT.INI, replacing #DestinationFolder command line option - Changed the default destination folder to be inside the Windows folder, for easy recovery console access - New folder named the current date is automatically appended to destination folder (can be disabled in ERUNT.INI) - Rewrote major parts of the documentation v1.1c, 05/10/2004 - Fixed problems with dynamic disks - Added browse function for destination folder, as well as the option to change the default name (use #DestinationFolder on the command line) - Re-added support for Windows NT 3.51 (got lost with v1.1) except browse function v1.1b, 04/23/2004 - ERUNT and NTREGOPT are now compatible with Windows Server 2003 and Windows XP Service Pack 2 - Fixed a problem where the registry hives could not be saved/restored/optimized on some systems - Changed naming convention for user subfolders in the ERDNT folder v1.1a, 10/03/2002 - Fixed a problem where the registry hives could not be saved/restored/optimized on some systems v1.1, 09/25/2002 - Fixed "Invalid pointer operation" message which occurred on some systems (many thanks to Russ Cordner for his assistance in isolating the problem) - Fixed "Error opening localization file" message when ERUNT.EXE was called from outside the ERUNT folder - Fixed some problems with UNC path names - Added command line support for ERDNT and NTREGOPT - NTREGOPT: show optimization results (initial and new registry size) v1.0, 11/24/2001 - Initial release Distribution ------------ The ERUNT package (including the programs ERUNT, AUTOBACK, ERDNT and NTREGOPT) is freeware. Please pass it to anyone who you think may find it useful. I explicitly allow this package to be included in any file archive, CD-ROM or other media collection as well as usage in your own programs provided that all files are kept and remain unchanged. A quick note via e-mail where my program has been included is appreciated. Donations --------- Though I chose to make my programs freeware so that no one is required to pay for using them, I accept and appreciate donations. So, if you find my programs helpful and want to support further development, simply visit my homepage and click one of the "PayPal" buttons, or donate directly to my e-mail address via PayPal. Thanks in advance! If you live in Germany and want to make a donation, you may also transfer money directly to my bank account. Contact me for more information. Disclaimer ---------- Use this software at your own risk. I do not take responsibility for anything that might happen to you or the PC upon use of my programs, including but not limited to: registry destruction, hard disk crash, heart attack... Comments and suggestions via e-mail, however, are always welcome!

Bio-Hazard View Member Profile	Mar 15 2009, 02:00 PM Post #17
Global Moderator/Security Expert Group: Global Moderator Posts: 85 Joined: 1-February 09 From: Cornwall, UK Member No.: 10,142	Hello! This folder C:\Program Files\S3 is ok, it is not malicious. Lets try another online scan. There is no need to post the HijackThis uninstall list. Panda Online Scan Please go HERE to run Panda's ActiveScan Once you are on the Panda site, click the Scan your PC now button A new window will open...click the Scan Now button Allow the ActiveX control to be installed. It will start downloading the files it requires for the scan. Note: This may take a couple of minutes Run the ActiveX control, if requested. The screen will then show the scanning progress - the scan will take a while to finish. Please be patient. When the scan has finished, click on Export To Save the file as Activescan.txt to your Desktop Close the Activescan window then go to your Desktop Double-click on Activescan.txt and it will open in Notepad In Notepad, click Edit > Select all, then Edit > Copy Reply to this thread and click Ctrl+V to paste the log in your reply Logs/Information to Post in Next Reply Please post the following logs/Information in your reply: Panda scan Log A fresh HijackThis Log ( after all the above has been done) -------------------- Honors Graduate of Malware Removal University

333nnn View Member Profile	Mar 15 2009, 05:23 PM Post #18
Junior Member Group: Members Posts: 60 Joined: 9-March 08 Member No.: 7,491	The Active Scan did not give a log. A screen came up when the scan was finished saying congratulations there was nothing threatening found. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:20:18 AM, on 3/15/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16791) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\COMODO\COMODO Internet Security\cfp.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- End of file - 7428 bytes

Bio-Hazard View Member Profile	Mar 15 2009, 05:49 PM Post #19
Global Moderator/Security Expert Group: Global Moderator Posts: 85 Joined: 1-February 09 From: Cornwall, UK Member No.: 10,142	Your log now appears to be clean. Congratulations! You can get rid of the tools we used: RSIT and the folder C:/rsit(You can just delete the exe file from your desktop) ERUNT(You can uninstall it from Add/Remove Programs) ATF cleaner(You can just delete the exe file from your desktop) Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint. General Security and Computer Health Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented. Clear Infected System Restore Points Turn System Restore off On the Desktop, right click on the My Computer icon. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK. Restart your computer Turn System Restore on On the Desktop, right click on the My Computer icon. Click Properties. Click the System Restore tab. Uncheck *Turn off System Restore. Click Apply, and then click OK. Note:* only do this once,and not on a regular basis Set correct settings for files Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab. Under Hidden files and folders if necessary select Do not show hidden files and folders. If unchecked please check Hide protected operating system files (Recommended) If necessary check Display content of system folders If necessary Uncheck Hide file extensions for known file types. Click OK Make sure that you keep your antivirus updated New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software. NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC. Security Updates for Windows, Internet Explorer & Microsoft Office Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis. NOTE: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install. Update Non-Microsoft Programs Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector or F-secure Health Check. I suggest that you run one of them at least once a month. Make Internet Explorer More Secure You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE Recommended Programs I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis. WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE. SpywareBlaster SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE. Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.You can download Malwarebytes' Anti-Malware from HERE. Here are two tutorials: Malwarebytes' Anti-Malware Setup Guide and Malwarebytes' Anti-Malware Scanning Guide. Hosts File For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE. Use an alternative Internet Browser Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead: Firefox or Opera Here is a great article by miekiemoes How to prevent Malware. Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date. I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed. Happy surfing and stay clean! Bio-Hazard -------------------- Honors Graduate of Malware Removal University

333nnn View Member Profile	Mar 15 2009, 07:07 PM Post #20
Junior Member Group: Members Posts: 60 Joined: 9-March 08 Member No.: 7,491	Thanks for the help. A forum tech has saved my computer yet again. Online computer techs make using and maintaining pcs possible. We should all never forget the days when we were forced to pay manufacturers ridiculous fees for help. I read everything in your last post and followed the recommendations. I will post a complaint about those creating malware. They are indeed criminals and should be dealt with as such. They're not simply mischievous. One other question I have is I get a lot of notices from Comodo firewall about whether to allow a program to do something it's trying to do. It's difficult oftentimes to tell whether the attempted step is safe. How can I better tell what to allow and not allow?

« Next Oldest · Inactive and Resolved HJT Log Room · Next Newest »

2 Pages

1 2 >

Closed Topic

Start new topic

Display Mode: Switch to: Standard · Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 20th November 2009 - 11:29 PM

Copyright 2000 - 2009 5 Star Support All Rights Reserved
Usage of these forums constitutes acceptance of our AUP Agreement and our Terms of Use
Terms of Use|AUP

Fight Spam! Click Here!

Powered By IP.Board 2.3.6 © 2009 IPS, Inc.