Trojan Horse warning

(2 Pages)
1
2
→

You cannot start a new topic
This topic is locked

#1 333nnn

Junior Member

Group: Members
Posts: 60
Joined: 08-March 08

Posted 08 March 2009 - 04:00 PM

40G HD: Western Digital WD400, enhanced ide
320G HD: Western Digital Caviar SE, ide
Motherboard: Elite Group ECS, P4M900T-M2, Socket 775, supports 4G RAM, integrated graphics and video recorder, accommodates two DDR2 unbuffered DIMMS
Intel Celeron Dual Core E1200, 1.6Ghz, 512k, 800MB, OEM, Advanced Performance Series Allendale Socket 775
Crucial 1024MB PC4200 DDR2 533MHz
Avast Scanner, Comodo firewall, Spybot Search and Destroy, Ad-Aware, CCleaner

About five days ago I got a Trojan Horse warning from my Avast scanner. I had my 320G hd installed at that time. I did nothing about the TJ warning and kept using my computer including on the Internet. Yesterday I was not able to connect to the Internet, so I called my isp. After trying several things the tech guy told me it was a problem with my hd. I had the 320G drive installed at that time. So I replaced my hd with an old 40G one, and with the help of the tech at my isp I was able to connect to the Internet with the 40G drive. The tech guy said my computer was not recognizing my moden when the 320G hd was installed. So I have the 40G drive installed right now, and the 320G is not in my computer. I can only access the Internet with the current 40G drive. So in order to run diagnostic software on the 320G drive and post the results do I need to install the 320G drive as the slave and the 40G drive as the master? If the 320G hd is infected when I install it could it infect the 40G hd? When I received the Avast Trojan Horse warning: "Avast Warning, A Trojan Horse was found, Filename: C: malware name:Win32:crypt-IN [Trj], Malware type:TJ/ UPS Version:081010-6, 10/10/2008" it recommended that I choose "Move To Chest", but when I clicked on that I got another message saying: "Avast!: The process can't access the file because it's being used by another process. Cannot process "C:\Program Files\COMODO\Firewall\SCANNERS\heur.cav" file. Later when restarting my computer Avast did an automatic scan and came up with these two infected files:
1)File C;\ProgramFiles\COMODO\Firewall\Repair\heur.cav is infected by Win32:Crypt-IN [Trj]
2)File C:\ProgramFiles\COMODO\Firewall\Scanners\heur.cav is infected by Win32:Crypt-IN [Trj]
The Avast automatic scan gave me several options for what to do with these infected files, and I chose to move them to chest which I believe Avast did this time. I am posting the problem here because I know I need to run an HJT scan first but don't know if I should install the 320G hd as the slave in order to do that. Thanks for any replies.

My o/s is XP Home SP3.

Back to top of the page up there ^
MultiQuote
Reply

(2 Pages)
1
2
→

You cannot start a new topic
This topic is locked

Other Replies To This Topic

#2 Bio-Hazard

Global Moderator/Security Expert

Group: Global Moderator
Posts: 85
Joined: 01-February 09
Gender:Male
Location:Cornwall, UK

Posted 09 March 2009 - 07:32 AM

Hello!

It looks like Avast has detected part of Comodo as an infection which is false positive. So this could explain why you wasnt able to access internet. Can you tell me what did you do with the ISPs tech guy? So i wont try same things. Did you uninstalled Comodo from that 320 harddrive when you were trying to solve your problem? Dont change the harddrive yet.

If you want we can check this hardrives HijackThis log.

Download HijackThis

To get things going i need you to download HijackThis see the instructions below.

Click HERE to download HijackThis Installer
Save HijackThis Installer to your desktop.
Doubleclick on the HijackThis Installer icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.

DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Honors Graduate of Malware Removal University

Back to top of the page up there ^
MultiQuote
Reply

#3 333nnn

Junior Member

Group: Members
Posts: 60
Joined: 08-March 08

Posted 09 March 2009 - 10:15 AM

I included both the uninstall list and hijackthis list because both are usually asked for. I have had both avast and comodo working on the 320G hd for many months and never had a problem until five days ago. I did not uninstall either comodo or avast from the 320G drive. I did deactivate both at some point to see if they were interfering with my ability to connect to the Internet. I don't remember exactly what I did with the ISP tech person, but we went into run and typed in three letters for some reason I don't remember and opened IE and typed a series of numbers and I believe a series of letters which got us to a black screen. He wanted to get to the black screen to see if there were any numbers listed under "Gateway......" which there weren't and to see if a series of numbers listed above Gateway were correct. From the black screen he also had me type "inconfig" or something like that. By doing this he was either trying to see if my computer was recognizing the isp moden or to get to the main Gateway page to reset the modem. Anyway, I'm vague on exactly what the isp was trying to do at any point or the exact steps. Because we couldn't get my computer to reset the modem with the 320G drive but could with the 40G drive we concluded that the 320G drive was the problem. My modem is a 2Wire model 1070-B made by Gateway.

Adobe Flash Player 10 Plugin
Ask Toolbar
avast! Antivirus
COMODO Internet Security
COMODO SafeSurf
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Mozilla Firefox (3.0.7)
MSN
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VIA Display Driver 6.14.10.0099
VIA Platform Device Manager
VIA Rhine-Family Fast-Ethernet Adapter

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:24 AM, on 3/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comodo.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.c...c...amp;gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.c...c...amp;gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.c...c...p;gc=1&q=%s
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

--
End of file - 3648 bytes

Back to top of the page up there ^
MultiQuote
Reply

#4 Bio-Hazard

Global Moderator/Security Expert

Group: Global Moderator
Posts: 85
Joined: 01-February 09
Gender:Male
Location:Cornwall, UK

Posted 09 March 2009 - 12:12 PM

Hello!

I will do bit more research about your modem and your situation.

ATF-Cleaner

Please download ATF Cleaner by Atribune.

Save it to your desktop
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords please click No at the prompt.
Click Exit on the Main menu to close the program.

Eset online scannner

Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

Go here to run an online scannner from ESET.

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

Ask toolbar

I would remove this toolbar. You can read more about it HERE.

Click Start
Go to Control Panel
Go to Add/Remove Programs
Find and click Remove for the following (if present):

ASk toolbar

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

If you removed the Ask Toolbar then follow these instructions

Remove HijackThis entries

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.c...c...amp;gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.c...c...amp;gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.c...c...p;gc=1&q=%s
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
Close all open windows and browsers/email etc...
Click on the Fix Checked button
When completed close the application.

Delete folders

Using Windows Explore by right-clicking the start button and left clicking Explore navigate to and find the following folders: if found, delete them (some may not be present after previous steps):

Folders:

AskBarDis

AskSearch

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

ESET Log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving

Honors Graduate of Malware Removal University

Back to top of the page up there ^
MultiQuote
Reply

#5 333nnn

Junior Member

Group: Members
Posts: 60
Joined: 08-March 08

Posted 09 March 2009 - 12:55 PM

Do I download and run ESET NOD 32 Antivirus 4, and do I choose 64 bit or 32 bit? I don't know if my computer is 64 or 32 bit.

Back to top of the page up there ^
MultiQuote
Reply

#6 Bio-Hazard

Global Moderator/Security Expert

Group: Global Moderator
Posts: 85
Joined: 01-February 09
Gender:Male
Location:Cornwall, UK

Posted 09 March 2009 - 01:06 PM

QUOTE (333nnn @ Mar 9 2009, 07:55 PM) <{POST_SNAPBACK}>

Do I download and run ESET NOD 32 Antivirus 4, and do I choose 64 bit or 32 bit? I don't know if my computer is 64 or 32 bit.

NO, the link i gave you takes you to a online scanner. You have to use Internet Explorer to do this scan. It happens through the webpage. Just follow my instructions.

Honors Graduate of Malware Removal University

Back to top of the page up there ^
MultiQuote
Reply

#7 333nnn

Junior Member

Group: Members
Posts: 60
Joined: 08-March 08

Posted 09 March 2009 - 02:01 PM

I clicked on your link for the Eset scanner and checked the agreement box and clicked start. On the next page I got a message saying: "To help protect your security IE stopped this site from installing an ActiveX control on your computer". So I went to cp>network and internet connections>internet options>custom level and clicked enable for "download unsigned Active x controls". Then I went to the first Eset screen and after clicking the agreement box and start got a message on the second screen saying: "Your current security setting put your computer at risk. Click here to change your security setting" and the box below was still blank. I'm using IE8.

Back to top of the page up there ^
MultiQuote
Reply

#8 Bio-Hazard

Global Moderator/Security Expert

Group: Global Moderator
Posts: 85
Joined: 01-February 09
Gender:Male
Location:Cornwall, UK

Posted 09 March 2009 - 02:11 PM

Hello!

Lets try another online scanner.

Your HijackThis log says you have IE 6 installed when did you installed IE8?

F-Secure Online Scan

Note: You will need to use Internet explorer for this scan
Go here to run an online scan from F-Secure
Click on Start scanning
This will open a new internet explorer window
It will require an activex control please install it
Click Accept
Click Full System Scan
It will now download the scanner this may take a while please be patient
It will then start scanning wait for the scan to finish
Click Automatic cleaning (recommended)
Wait for it finish the cleaning process
Click show report
This will open up a window with the results of the scan copy and paste those results as a reply to this topic

Honors Graduate of Malware Removal University

Back to top of the page up there ^
MultiQuote
Reply

#9 333nnn

Junior Member

Group: Members
Posts: 60
Joined: 08-March 08

Posted 09 March 2009 - 02:40 PM

I downloaded IE8 after having trouble running Eset today.

Scanning Report
Monday, March 09, 2009 15:24:40 - 15:36:50

Computer name: JOHN
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 5 malware found
TrackingCookie.2o7 (spyware)

* System

TrackingCookie.Adrevolver (spyware)

* System

TrackingCookie.Atdmt (spyware)

* System

TrackingCookie.Webtrends (spyware)

* System

TrackingCookie.Yieldmanager (spyware)

* System

Statistics
Scanned:

* Files: 8715
* System: 2188
* Not scanned: 6

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 5
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

* F-Secure USS: 3.0.0
* F-Secure Hydra: 3.6.8511, 2009-03-09
* F-Secure AVP: 7.0.171, 2009-03-09
* F-Secure Pegasus: 1.20.0, 1969-11-31
* F-Secure Blacklight: 0.0.0

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

Back to top of the page up there ^
MultiQuote
Reply

#10 333nnn

Junior Member

Group: Members
Posts: 60
Joined: 08-March 08

Posted 09 March 2009 - 03:00 PM

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
avast! Antivirus
COMODO Internet Security
COMODO SafeSurf
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Mozilla Firefox (3.0.7)
MSN
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VIA Display Driver 6.14.10.0099
VIA Platform Device Manager
VIA Rhine-Family Fast-Ethernet Adapter
Windows Internet Explorer 8 Release Candidate 1

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:58:54 PM, on 3/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comodo.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.c...c...amp;gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.c...c...p;gc=1&q=%s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ent/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

--
End of file - 3968 bytes

Back to top of the page up there ^
MultiQuote
Reply

#11 Bio-Hazard

Global Moderator/Security Expert

Group: Global Moderator
Posts: 85
Joined: 01-February 09
Gender:Male
Location:Cornwall, UK

Posted 10 March 2009 - 03:08 PM

Remove HijackThis entries

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.c...c...amp;gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.c...c...p;gc=1&q=%s
Close all open windows and browsers/email etc...
Click on the Fix Checked button
When completed close the application.

======================================================
I would like to see if i can help you to sort out your other harddrive. Please take the 40 GB harddrive off and put the 320 harddrive on.

Remove programs

Click Start
Go to Control Panel
Go to Add/Remove Programs
Find and click Remove for the following (if present):

COMODO Internet Security
COMODO SafeSurf

REBOOT your computer!!!

Make sure that you have Windows firewall turned on

Click Start
Click Control Panel
Double click on Windows firewall
New window will open
Make sure ON (recommended) is selected
If it is not press choose it and click OK

Does your internet work now?

Honors Graduate of Malware Removal University

Back to top of the page up there ^
MultiQuote
Reply

#12 333nnn

Junior Member

Group: Members
Posts: 60
Joined: 08-March 08

Posted 10 March 2009 - 04:23 PM

My Internet connection works now with both the 40G and 320G hds. I removed Comodo Safesurf and Comodo Firewall Pro. There was no Comodo Internet Security listed. Did Comodo block my access to the Internet and if so why? Did Avast interfere with Comodo in some way? What firewall do you recommend be used with Avast if I shouldn't use Comodo with Avast? Should I now run scans on the 320G drive especially since I got a TJ warning from Avast or was that a false warning? Running scans is easy, so wouldn't doing so be a good idea regardless of what we think the problem is?

Back to top of the page up there ^
MultiQuote
Reply

#13 Bio-Hazard

Global Moderator/Security Expert

Group: Global Moderator
Posts: 85
Joined: 01-February 09
Gender:Male
Location:Cornwall, UK

Posted 11 March 2009 - 03:38 PM

QUOTE

Did Comodo block my access to the Internet and if so why?

I think it did because avast! intefered with it. I assume Comodo became corrupt and that lead to no internet connection.

QUOTE

Did Avast interfere with Comodo in some way?

Yes those files it said was trojan belonged to Comodo, so they were false positive.

these are the files:
1)File C;\ProgramFiles\COMODO\Firewall\Repair\heur.cav is infected by Win32:Crypt-IN [Trj]
2)File C:\ProgramFiles\COMODO\Firewall\Scanners\heur.cav is infected by Win32:Crypt-IN [Trj]

QUOTE

What firewall do you recommend be used with Avast if I shouldn't use Comodo with Avast?

If you are happy with Comodo then there is no need to change. You can install it now, make sure you dont install the antivirus module and Ask toolbar.

QUOTE

Should I now run scans on the 320G drive especially since I got a TJ warning from Avast or was that a false warning? Running scans is easy, so wouldn't doing so be a good idea regardless of what we think the problem is?

Yes we will check this harddrive out aswell.

Download HijackThis

To get things going i need you to download HijackThis see the instructions below.

Click HERE to download HijackThis Installer
Save HijackThis Installer to your desktop.
Doubleclick on the HijackThis Installer icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed it will launch Hijackthis.
Close the program

DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

random's system information tool (RSIT)

Download random's system information tool (RSIT) by random/random from HERE and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
- log.txt (<<will be maximized)
- info.txt (<<will be minimized)
Post both of these logs in your next reply (Sometimes you have to make several post to get the logs posted.)

Honors Graduate of Malware Removal University

Back to top of the page up there ^
MultiQuote
Reply

#14 333nnn

Junior Member

Group: Members
Posts: 60
Joined: 08-March 08

Posted 12 March 2009 - 03:13 PM

Logfile of random's system information tool 1.05 (written by random/random)
Run by John Austin Brewder at 2009-03-12 16:09:38
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 270 GB (89%) free of 305 GB
Total RAM: 958 MB (19% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:09:39 PM, on 3/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\John Austin Brewder\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\John Austin Brewder.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../pcpitstop2.dll
O20 - AppInit_DLLs:
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7983 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2009-02-24 312928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}]
BitComet Helper - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll [2008-08-11 656696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2008-10-08 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2009-01-16 657904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-01-17 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-01-17 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2008-10-08 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"PrinTray"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe [2000-05-09 36864]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-15 153136]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-07-19 78008]
"COMODO Firewall Pro"=C:\Program Files\COMODO\Firewall\cfp.exe -h []
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]
"HDAudDeck"=C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe [2007-06-29 811008]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-02-24 198160]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-01-17 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-10-08 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-05-07 149040]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-01-26 2144088]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

C:\Documents and Settings\John Austin Brewder\Start Menu\Programs\Startup
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=" "

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\BitComet\BitComet.exe"="C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"="C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:*:Enabled:Veoh Web Player "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 3 months======

2009-03-12 16:09:38 ----D---- C:\rsit
2009-03-11 03:00:35 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-11 03:00:26 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-02-26 11:16:55 ----A---- C:\WINDOWS\system32\javaws.exe
2009-02-26 11:16:55 ----A---- C:\WINDOWS\system32\javaw.exe
2009-02-26 11:16:55 ----A---- C:\WINDOWS\system32\java.exe
2009-02-25 04:00:27 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-02-24 20:10:46 ----D---- C:\Program Files\Common Files\xing shared
2009-02-24 20:10:39 ----A---- C:\WINDOWS\system32\rmoc3260.dll
2009-02-24 20:10:30 ----D---- C:\Program Files\Real
2009-02-24 20:10:30 ----A---- C:\WINDOWS\system32\pndx5032.dll
2009-02-24 20:10:30 ----A---- C:\WINDOWS\system32\pndx5016.dll
2009-02-24 20:10:29 ----A---- C:\WINDOWS\system32\pncrt.dll
2009-02-24 20:10:27 ----D---- C:\Program Files\Common Files\Real
2009-02-24 20:10:24 ----D---- C:\Documents and Settings\John Austin Brewder\Application Data\Real
2009-02-12 04:01:08 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-02-12 04:01:00 ----A---- C:\WINDOWS\imsins.BAK
2009-01-16 19:25:05 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-01-14 04:02:31 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$

======List of files/folders modified in the last 3 months======

2009-03-12 16:08:20 ----D---- C:\WINDOWS\Prefetch
2009-03-12 12:25:31 ----D---- C:\Program Files\Mozilla Firefox
2009-03-12 12:13:15 ----D---- C:\WINDOWS\Temp
2009-03-12 12:12:52 ----D---- C:\WINDOWS\system32
2009-03-12 12:12:47 ----D---- C:\Documents and Settings\John Austin Brewder\Application Data\LimeWire
2009-03-12 05:49:41 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-11 03:07:11 ----D---- C:\WINDOWS
2009-03-11 03:06:00 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-11 03:00:38 ----HD---- C:\WINDOWS\inf
2009-03-11 03:00:37 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-10 22:09:00 ----D---- C:\WINDOWS\system32\CatRoot
2009-03-10 22:07:05 ----HD---- C:\WINDOWS\$hf_mig$
2009-03-10 17:13:16 ----D---- C:\Program Files\COMODO
2009-03-10 17:13:16 ----D---- C:\Documents and Settings\John Austin Brewder\Application Data\Comodo
2009-03-10 17:11:48 ----D---- C:\Documents and Settings\All Users\Application Data\comodo
2009-03-10 17:11:47 ----D---- C:\WINDOWS\system32\drivers
2009-03-08 13:14:54 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-06 16:35:17 ----D---- C:\WINDOWS\system32\Macromed
2009-02-27 08:53:25 ----D---- C:\Program Files\S3
2009-02-26 11:18:59 ----D---- C:\WINDOWS\Help
2009-02-26 11:17:07 ----SHD---- C:\WINDOWS\Installer
2009-02-26 11:16:52 ----D---- C:\Program Files\Java
2009-02-26 11:10:00 ----RD---- C:\Program Files
2009-02-24 20:11:58 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-02-24 20:10:46 ----D---- C:\Program Files\Common Files
2009-02-24 13:34:04 ----D---- C:\Downloads
2009-02-23 04:14:34 ----A---- C:\WINDOWS\NeroDigital.ini
2009-02-22 04:39:15 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-22 04:38:30 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-02-14 03:18:45 ----D---- C:\WINDOWS\Debug
2009-02-12 04:00:50 ----D---- C:\Program Files\Internet Explorer
2009-02-12 04:00:34 ----D---- C:\WINDOWS\ie7updates
2009-02-11 21:56:18 ----A---- C:\WINDOWS\system32\MRT.exe
2009-02-10 06:58:51 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-01-19 02:57:36 ----D---- C:\Program Files\CCleaner
2009-01-17 14:29:59 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-01-16 22:35:14 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-01-16 19:27:01 ----D---- C:\Documents and Settings\John Austin Brewder\Application Data\Google
2009-01-16 19:26:29 ----D---- C:\Program Files\Google
2009-01-16 05:21:46 ----SD---- C:\Documents and Settings\John Austin Brewder\Application Data\Microsoft
2008-12-20 16:15:41 ----A---- C:\WINDOWS\system32\wininet.dll
2008-12-20 16:15:40 ----A---- C:\WINDOWS\system32\webcheck.dll
2008-12-20 16:15:40 ----A---- C:\WINDOWS\system32\urlmon.dll
2008-12-20 16:15:39 ----A---- C:\WINDOWS\system32\url.dll
2008-12-20 16:15:38 ----N---- C:\WINDOWS\system32\pngfilt.dll
2008-12-20 16:15:38 ----N---- C:\WINDOWS\system32\occache.dll
2008-12-20 16:15:32 ----N---- C:\WINDOWS\system32\mstime.dll
2008-12-20 16:15:31 ----N---- C:\WINDOWS\system32\msrating.dll
2008-12-20 16:15:30 ----N---- C:\WINDOWS\system32\mshtmled.dll
2008-12-20 16:15:24 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2008-12-20 16:15:23 ----A---- C:\WINDOWS\system32\msfeeds.dll
2008-12-20 16:15:23 ----A---- C:\WINDOWS\system32\jsproxy.dll
2008-12-20 16:15:22 ----A---- C:\WINDOWS\system32\iertutil.dll
2008-12-20 16:15:21 ----N---- C:\WINDOWS\system32\iernonce.dll
2008-12-20 16:15:21 ----A---- C:\WINDOWS\system32\ieframe.dll
2008-12-20 16:15:16 ----N---- C:\WINDOWS\system32\iedkcs32.dll
2008-12-20 16:15:15 ----A---- C:\WINDOWS\system32\ieapfltr.dll
2008-12-20 16:15:14 ----N---- C:\WINDOWS\system32\ieaksie.dll
2008-12-20 16:15:14 ----N---- C:\WINDOWS\system32\ieakeng.dll
2008-12-20 16:15:13 ----N---- C:\WINDOWS\system32\extmgr.dll
2008-12-20 16:15:13 ----N---- C:\WINDOWS\system32\dxtrans.dll
2008-12-20 16:15:13 ----A---- C:\WINDOWS\system32\icardie.dll
2008-12-20 16:15:12 ----N---- C:\WINDOWS\system32\dxtmsft.dll
2008-12-20 16:15:11 ----A---- C:\WINDOWS\system32\advpack.dll
2008-12-19 02:10:15 ----N---- C:\WINDOWS\system32\ie4uinit.exe
2008-12-19 02:10:15 ----A---- C:\WINDOWS\system32\ieudinit.exe
2008-12-18 22:23:56 ----N---- C:\WINDOWS\system32\ieakui.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2008-07-19 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2008-07-19 42912]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2008-07-19 94416]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2008-07-19 23152]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-04-16 42496]
R3 HdAudAddService;VIA High Definition Audio Service; C:\WINDOWS\system32\drivers\viahduaa.sys [2007-06-05 201216]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
S3 S3GIGP;S3GIGP; C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-07-19 16056]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-07-19 147640]
R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-16 168432]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-01-17 152984]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2000-05-09 287232]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-01-17 61440]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-07-19 250040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-07-23 348344]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-05-07 271920]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-05-07 779824]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.05 2009-03-12 16:09:41

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
BitComet 1.05-->C:\Program Files\BitComet\uninst.exe
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
iTunes-->MsiExec.exe /I{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}
Java™ 6 Update 12-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
LimeWire 4.18.8-->"C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 Standard-->MsiExec.exe /I{00020409-78E1-11D2-B60F-006097C998E7}
Mozilla Firefox (3.0.7)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Nero 7 Essentials-->MsiExec.exe /X{E11BD6A7-5046-4D25-ABCB-386A54F71033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
OverDrive Media Console-->MsiExec.exe /I{34D6EED8-7650-4E1C-BC26-F5B2DDE185C6}
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PC Pitstop Optimize2 2.0-->"C:\Program Files\PCPitstop\Optimize2\unins000.exe"
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
VIA Platform Device Manager-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
VIA Rhine-Family Fast-Ethernet Adapter-->Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Xvid 1.1.3 final uninstall-->"C:\Program Files\Xvid\unins000.exe"

======Hosts File======

127.0.0.1 localhost
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 a9rhiwa.cn #[Google.Warning]
127.0.0.1 www.a9rhiwa.cn
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net

======Security center information======

AV: avast! antivirus 4.8.1229 [VPS 090311-1]

System event log

Computer Name: JOHN
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 2298
Source Name: Tcpip
Time Written: 20081205162946.000000-480
Event Type: warning
User:

Computer Name: JOHN
Event Code: 7036
Message: The Computer Browser service entered the stopped state.

Record Number: 2297
Source Name: Service Control Manager
Time Written: 20081205134240.000000-480
Event Type: information
User:

Computer Name: JOHN
Event Code: 7036
Message: The Remote Access Connection Manager service entered the running state.

Record Number: 2296
Source Name: Service Control Manager
Time Written: 20081205134240.000000-480
Event Type: information
User:

Computer Name: JOHN
Event Code: 7036
Message: The Application Layer Gateway Service service entered the running state.

Record Number: 2295
Source Name: Service Control Manager
Time Written: 20081205134239.000000-480
Event Type: information
User:

Computer Name: JOHN
Event Code: 7035
Message: The Application Layer Gateway Service service was successfully sent a start control.

Record Number: 2294
Source Name: Service Control Manager
Time Written: 20081205134239.000000-480
Event Type: information
User: NT AUTHORITY\SYSTEM

Application event log

Computer Name: JOHN
Event Code: 1000
Message: Performance counters for the ContentIndex (ContentIndex) service were loaded successfully.
The Record Data contains the new index values assigned
to this service.

Record Number: 5
Source Name: LoadPerf
Time Written: 20081008170547.000000-420
Event Type: information
User:

Computer Name: JOHN
Event Code: 1000
Message: Performance counters for the TermService (Terminal Services) service were loaded successfully.
The Record Data contains the new index values assigned
to this service.

Record Number: 4
Source Name: LoadPerf
Time Written: 20081008170545.000000-420
Event Type: information
User:

Computer Name: JOHN
Event Code: 1000
Message: Performance counters for the RemoteAccess (Routing and Remote Access) service were loaded successfully.
The Record Data contains the new index values assigned
to this service.

Record Number: 3
Source Name: LoadPerf
Time Written: 20081008170429.000000-420
Event Type: information
User:

Computer Name: JOHN
Event Code: 1000
Message: Performance counters for the PSched (PSched) service were loaded successfully.
The Record Data contains the new index values assigned
to this service.

Record Number: 2
Source Name: LoadPerf
Time Written: 20081008170403.000000-420
Event Type: information
User:

Computer Name: JOHN
Event Code: 1000
Message: Performance counters for the RSVP (QoS RSVP) service were loaded successfully.
The Record Data contains the new index values assigned
to this service.

Record Number: 1
Source Name: LoadPerf
Time Written: 20081008170402.000000-420
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

Acrobat.com
Acrobat.com
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 9
avast! Antivirus
BitComet 1.05
CCleaner (remove only)
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
iTunes
Java™ 6 Update 12
LimeWire 4.18.8
Malwarebytes' Anti-Malware
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Standard
Mozilla Firefox (3.0.7)
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero 7 Essentials
neroxml
OverDrive Media Console
Panda ActiveScan 2.0
PC Pitstop Optimize2 2.0
QuickTime
RealPlayer
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Spybot - Search & Destroy
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VIA Platform Device Manager
VIA Rhine-Family Fast-Ethernet Adapter
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player Firefox Plugin
Xvid 1.1.3 final uninstall

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:10 PM, on 3/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../pcpitstop2.dll
O20 - AppInit_DLLs:
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7844 bytes

Back to top of the page up there ^
MultiQuote
Reply

#15 Bio-Hazard

Global Moderator/Security Expert

Group: Global Moderator
Posts: 85
Joined: 01-February 09
Gender:Male
Location:Cornwall, UK

Posted 12 March 2009 - 04:10 PM

Hello!

Do you know what is in this folder C:\Program Files\S3 ?

P2P Warning!

BitComet 1.05
LimeWire 4.18.8

I understand that downloading music and other files may be important to you; however, the P2P programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection over the internet, so your computer becomes a part of the malware problem.

Remember that no matter how clean the program you're using for peer-to-peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via p2p filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., copyrighted material, pirated software, and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

An often unanticipated and unintended consequence of using p2p programs is that you may be leaving your computer open to access by others without either your knowledge or consent. This is how you can uninstall it/them:

Click Start
Go to Control Panel
Go to Add/Remove Programs
Find and click Remove for the following (if present):

BitComet 1.05
LimeWire 4.18.8

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

If you wish to keep them, you MUST NOT use them until your computer is clean.

Back Up registry with ERUNT

Please use the following link and scroll down to ERUNT and download it on to your desktop. HERE
Click on the erunt-setup.exe
Follow the prompts to install ERUNT
Choose language
A set up window will pop up. It will ask: Create ERUNT entry in to the Start up folder, answer NO
Backup your registry to the default location

Note: To restore your registry (if needed), go to the folder and start ERDNT.exe

OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.

Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below.

CODE

:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=""
:commands
[EmptyTemp]

Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
OTMI3 may ask to reboot the machine. Please do so if asked.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3

Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

OTMoveit Log
Anser to my question about the folder
Kaspersky Scan Log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving

Honors Graduate of Malware Removal University

Back to top of the page up there ^
MultiQuote
Reply

#16 333nnn

Junior Member

Group: Members
Posts: 60
Joined: 08-March 08

Posted 15 March 2009 - 06:35 AM

When running the Kaspersky Scanner I got this message : "Update has failed. The program has failed to start. Close Scanner and open it again to install the program". I closed the Scanner page and tried to restart it again several times but each time got the same message. I don't know what is in C:\Program Files\S3. I don't remember creating it. I don't want to open it because doing so may activate something. My computer is running fine with both hard drives. I don't notice any problems with either drive.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:16 AM, on 3/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../pcpitstop2.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7574 bytes

Acrobat.com
Acrobat.com
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 9
avast! Antivirus
CCleaner (remove only)
COMODO Internet Security
ERUNT 1.1j
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
iTunes
Java™ 6 Update 12
Malwarebytes' Anti-Malware
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Standard
Mozilla Firefox (3.0.7)
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero 7 Essentials
neroxml
OverDrive Media Console
Panda ActiveScan 2.0
PC Pitstop Optimize2 2.0
QuickTime
RealPlayer
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Spybot - Search & Destroy
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VIA Platform Device Manager
VIA Rhine-Family Fast-Ethernet Adapter
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player Firefox Plugin
Xvid 1.1.3 final uninstall

========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLS"|"" /E : value set successfully!
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\JOHNAU~1\LOCALS~1\Temp\etilqs_dPe8pgHeMCtjdgv6K5c0 scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5c8.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6f0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03152009_013905

Files moved on Reboot...
File C:\DOCUME~1\JOHNAU~1\LOCALS~1\Temp\etilqs_dPe8pgHeMCtjdgv6K5c0 not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_5c8.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_6f0.dat not found!
C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\John Austin Brewder\Local Settings\Application Data\Mozilla\Firefox\Profiles\ev44j3zj.default\XUL.mfl moved successfully.

ERUNT - The Emergency Recovery Utility NT
=========================================

Registry Backup and Restore for Windows NT/2000/2003/XP

v1.1j, 10/20/2005, Freeware
Written by Lars Hederer
e-mail: lars.hederer@t-online.de

Look for the latest version here:
http://www.larsheder...online.de/erunt

To find out what's new in this version, please see the "Version
history" section later in this file.

Introduction
------------

With the invention of Windows 95 Microsoft made the wise decision to
organize all computer- and application-specific data which was spread
over countless INI files before in a centralized Windows database,
called the system "registry". The registry is one of the most
important parts in every Windows system today, without which the OS
would not even boot. And since the registry is quite sensitive to
corruption, it is very advisable to backup its according files from
time to time.

In MS-DOS based Windows versions (95, 98, Me) the registry consists of
the files SYSTEM.DAT and USER.DAT (and CLASSES.DAT in Windows Me). To
backup these files, one can easily go to the Windows folder in
Explorer and copy the files to a safe location, for example another
folder on the hard disk. Microsoft even supplies a utility called ERU
which can be used to backup these and a few other critical system
files to a safe location.

Also, Windows 9x/Me automatically create backups of the registry at
startup, with Windows 95 always backing up the registry from the
previous Windows session, and Windows 98/Me maintaining up to five
registry copies from the last five days where Windows was running.

Unfortunately, this is not the case with Windows versions based on the
NT kernel. In Windows NT and 2000, the registry is never backed up
automatically, and in XP it is backed up only as part of the bloated
and resource hogging System Restore program which cannot even be used
for a "restore" should a corrupted registry prevent Windows from
booting. It has also become impossible to copy the necessary files,
now called "hives" and usually named DEFAULT, SAM, SECURITY, SOFTWARE,
SYSTEM in the SYSTEM32\CONFIG folder, to another location because they
are all in use by the OS. And though the registry in an NT-based
Windows is less likely to become corrupted than in other versions, it
can still happen, and for these cases NT is simply missing an option
for easy registry backup and restore as there is in Windows 9x/Me, to
get the system up and running again in no time.

In 2001, as Windows XP began to come pre-installed on many new home
user PCs and was likely to become the new Windows standard over the
next years, I decided to write a program which offers the ease-of-use
of Windows 9x/Me ERU by Microsoft (hence the name ERUNT) to backup the
registry, as well as providing an auto-backup capability, for example
at Windows startup.

Or, before installing a new program for testing purposes one could
save the registry with ERUNT, install and test the program, uninstall
it and restore the registry to be 100% sure that no debris is left.

Note: The "Export registry" function in Regedit is USELESS (!) for
making a complete backup of the registry. Neither does it export the
whole registry (for example, no information from the "SECURITY" hive
is saved), nor can the exported file be used later to replace the
current registry with the old one. Instead, if you re-import the file,
it is merged with the current registry without deleting anything that
has been added since the export, leaving you with an absolute mess of
old and new entries.

Features
--------

- Backup the Windows NT/2000/2003/XP registry to a folder of your
choice

- System and current user registries selectable

- Command line switches for automated registry backup and restoration

- Restore the registry in Windows 9x/Me/NT/2000/2003/XP and MS-DOS
(all-in-one restore program) or the Windows Recovery Console

- Included in this package:
NTREGOPT program for optimizing the registry

- All programs in this package are completely localizable
(translate them into your language), German version included

Supported operating systems
---------------------------

- Windows NT 3.51
- Windows NT 4.0
- Windows 2000
- Windows 2003
- Windows XP
- most likely, all future Windows versions based on the NT kernel

Additionally supported by the ERDNT restore program:
- MS-DOS
- Windows 95
- Windows 98
- Windows Me

Installation
------------

Use the Setup program to install ERUNT on your computer.

Or, if you downloaded the zipped version: Unzip all files into a
folder of your choice, and if you want, create shortcuts on your
desktop to the ERUNT.EXE and NTREGOPT.EXE files.

Uninstallation
--------------

Use "Add/Remove Programs" in Windows' control panel to remove ERUNT
from your computer.

Or, if you downloaded the zipped version: Delete the ERUNT folder,
delete the appropriate desktop icons.

(You may also want to delete all restore folders you have previously
created with the program.)

Backing up the registry with ERUNT
----------------------------------

Note: To ensure proper operation of ERUNT, you should be logged in as
a system administrator.

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry
files should be saved, or click "..." to browse your computer's drives
and select a folder. You can also simply leave the default, which is a
folder named ERDNT inside your Windows folder, the advantage being
that you have access to this folder from the Windows Recovery Console
in case Windows does not boot anymore.

Note that in the folder edit field, ERUNT by default appends a folder
named the current date to the restore folder, which allows you to keep
as many registry backups as you wish in the same restore folder,
separated into the different creation dates. This feature, as well as
the appearance of the date string, can be configured via the ERUNT.INI
file, described later in this document. If you want the registry backup
to be created directly in the folder you select, you can also simply
remove the date from the folder edit field before clicking "OK".

Next, select the backup options:

- System registry: The current system registry, usually consisting of
the files DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM.

- Current user registy: The registry files for the currently logged-on
user, usually NTUSER.DAT and USRCLASS.DAT.

- Other open user registries: Sometimes Windows has a few other user
registries in memory. Examples for this are "generic" registries,
e.g. for user "EVERYONE", or registries of other users if you use
Fast Task Switching in Windows XP. Check this option to backup all
these additional user registries (if found) as well.

Click "OK" and wait until the backup process is complete. (Note that
depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the
program is still running.) The ERDNT program for later restoration of
the registry is automatically copied to the restore folder.

(Technical information: ERUNT saves only registry files which are in
use by the system. It obtains information about these files from
registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\
hivelist. Registry hives not listed there, for example those
of other users of the computer, cannot be saved by ERUNT.)

ERUNT command line switches
---------------------------

ERUNT supports command line switches with which you can perform an
automated registry backup, without user interaction. The syntax for
the ERUNT command line is as follows:

ERUNT DestinationFolder [sysreg] [curuser] [otherusers]
[/noconfirmdelete] [/noprogresswindow]

DestinationFolder is required for command line operation of ERUNT,
all other switches are optional.

If you specify a destination folder on the command line, ERUNT
automatically runs in "silent" mode and with default backup options
(system and current user registry). No user interaction is required,
EXCEPT the confirmation of the restore folder deletion if it exists,
or any error messages. The confirmation question can be suppressed
by using /noconfirmdelete (see below).

Description of the command line switches:

DestinationFolder
The name of the folder where the registry backup should be saved.
Example: C:\WINDOWS\ERDNT
You can use the strings #Date# and #Time# anywhere in the folder
name to have ERUNT insert the current date/time at that position.
Example: C:\WINDOWS\ERDNT\#Date#
Windows' %SystemRoot% environment variable can be used on the
command line as a substitute for the name of the Windows folder.
Example: %SystemRoot%\ERDNT\#Date#

sysreg
Backup the system registry

curuser
Backup the current user registry

otherusers
Backup other open user registries

(Note: If none of the three above options is given on the command
line, ERUNT automatically uses the default backup options, system
and current user registry.)

/noconfirmdelete
Automatically deletes the contents of the destination folder if it
exists, without asking the user. BE CAREFUL and only use this option
if you are sure that the contents of that folder may really be
deleted!

/noprogresswindow
Hides the progress window during backup.

So, to backup the system registry to folder C:\ERDNT each day of the
week using subfolders with the name of the current day you could use
the integrated scheduler in Windows to schedule seven different ERUNT
calls for each day:

For Monday you would use the command line
C:\ERUNT\ERUNT.EXE C:\ERDNT\Monday sysreg /noconfirmdelete

For Tuesday you would use the command line
C:\ERUNT\ERUNT.EXE C:\ERDNT\Tuesday sysreg /noconfirmdelete

... well, you get the idea.

Or, to have ERUNT automatically backup the registry on each Windows
startup to a folder named "ERDNT" inside the Windows folder, including
a folder named the current date, you could place a shortcut like the
following in your Start Menu/Programs/Startup folder:

C:\ERUNT\ERUNT.EXE %SystemRoot%\ERDNT\#Date# /noconfirmdelete

If you want old restore folders created this way to be deleted
automatically from time to time, you can use AUTOBACK.EXE instead of
ERUNT.EXE. The AUTOBACK tool is described later in this document.
Also, ERUNT Setup offers the choice to add an AutoBackup shortcut to
the Startup folder automatically during the installation process.

The ERUNT.INI file
------------------

You can configure various ERUNT settings with this file, for example
change the default destination folder displayed in ERUNT's folder edit
field, or disable automatic appendation of the current date there.

Use Notepad to create a file named ERUNT.INI in your ERUNT folder, and
add the following line:

[ERUNT]

Below this line, enter one or more of the following configuration
options:

DefaultDestinationFolder
The name of the default folder displayed in ERUNT's folder edit
field. You may also use environment variables here, for example
%SystemRoot% as a substitute for the name of the Windows folder.
Default: %SystemRoot%\ERDNT
Example:
DefaultDestinationFolder=C:\ERDNT

AppendDateToFolderEditField
Enable or disable automatic appendation of the current date to
ERUNT's folder edit field.
0=disable, 1=enable, default: 1
Example:
AppendDateToFolderEditField=0

AppendTimeToFolderEditField
Enable or disable automatic appendation of the current time to
ERUNT's folder edit field. This function can only be enabled in
conjunction with AppendDateToFolderEditField also set to 1.
0=disable, 1=enable, default: 0
Example:
AppendTimeToFolderEditField=1

DateFormat
DateSeparator
These settings configure the appearance of the date string in
ERUNT's folder edit field, or when #Date# is used on the command
line. By default, ERUNT uses Windows' regional settings for the
short date format. Note that only "." and "-" are allowed as date
separators.
Example:
DateFormat=mm/dd/yyyy
DateSeparator=-

TimeFormat
TimeSeparator
These settings configure the appearance of the time string in
ERUNT's folder edit field, or when #Time# is used on the command
line. By default, ERUNT uses Windows' regional settings for the
short time format. Note that only "." and "-" are allowed as time
separators.
Example:
TimeFormat=hh:mm:ss
TimeSeparator=.

DisableFastBackup
On supported operating systems (including Windows XP and Server
2003) ERUNT by default uses a very fast backup algorithm. If you
experience any problems during registry backup, you can try to
disable this function and revert back to the conventional (but slow)
method. This setting has no effect on unsupported operating systems,
where the conventional algorithm is always used.
0=fast method, 1=conventional method, default: 0
Example:
DisableFastBackup=1

The AUTOBACK.EXE tool
---------------------

The command line tool AUTOBACK.EXE uses the same syntax as ERUNT but
performs the additional task of deleting old restore folders after the
new backup has been created.

For this to work properly, the name of the last folder in the command
line option DestinationFolder must begin with the current date, or the
#Date# string, respectively. If this is the case AUTOBACK
automatically searches the parent folder of the newly created backup
for folder names of the same date format and deletes all folders
except from the last 30 days where backups have been created.

The number of restore folders to keep can be changed using the /days:n
command line switch, e.g. /days:7 would only keep the folders from the
last 7 backup days.

By default AUTOBACK does not create a new backup if one already exists
for the current day. Use the /alwayscreate switch to change this
behavior and have the program always create a new backup.

AUTOBACK is dependent on ERUNT and therefore needs to be executed from
the same folder. It uses the same settings for the date format as
ERUNT does, so if you specified a new format in ERUNT.INI it will also
be used automatically by AUTOBACK.

Restoring the registry with ERDNT
---------------------------------

Situation: Windows is running normally.

To restore a previous registry backup, open Windows Explorer, navigate
to the folder where you saved the backup to, and double-click the
ERDNT.EXE file to start the restoration program. (Each restore folder
has its own copy of ERDNT.EXE in it.) Select which registry components
to restore, then click "OK" to start restoration. When the process is
complete, click "OK" to restart the computer and activate the restored
registry.

Note: If you experience any problems restoring the registry, please
read "ERDNT technical information" later in this document to learn
what ERDNT is actually doing during the process, or simply read on
through the following emergency scenarios for other ways of restoring
the registry.

What to do if Windows does not boot anymore?
--------------------------------------------

If Windows refuses to boot normally it can be for a variety of
reasons, not the least of which is that the registry is damaged, or
you installed a program or driver which is somewhat incompatible with
the system or buggy, in which case restoring a registry backup from a
point where everything was running smoothly should also help.

The first thing to try is to reboot and press the F8 key immediately
before the first Windows screen appears, then select the "Last Known
Good" option from the menu and see if Windows boots up with this
option. If it does, you're all set.

If it does not, reboot again with F8, and select the option "Safe
Mode". If Windows boots up in safe mode, you can restore a registry
backup just as you would in normal mode, as described above.

If safe mode also fails, read on...

Restoring the registry with ERDNT - Emergency Scenario I
--------------------------------------------------------

Situation: Windows fails to boot up in normal and safe mode, but you
have a DOS boot disk or another (working) operating system installed
on your PC which is supported by the ERDNT restoration program, and
from which you have full access to the drive(s) containing the corrupt
Windows installation and the registry backup.

Boot up to the working OS, and open the folder containing the registry
backup you want to restore.

If the drive letters are different to as they were in the Windows
where you created the registry backup, you need to edit the ERDNT.INF
file now to reflect the new drive letters, before trying to restore
the registry backup. For example, if the drive with the corrupt
Windows installation is now available as D: instead of C:, then you
would change all C:\... references in the INF file to D:\... . Editing
the file can be done in Windows with the Notepad program, and in DOS
with the EDIT command.

Now run the ERDNT.EXE file to start the restoration program. Select
which registry components to restore (just the system registry will do
in most cases), then start restoration. When the process is complete,
reboot the computer and check if the other Windows installation is
repaired now.

Restoring the registry with ERDNT - Emergency Scenario II
---------------------------------------------------------

Situation: Windows fails to boot up in normal and safe mode, and you
have no other working operating system installed on your PC.

The following two rescue methods require that your PC is configured so
that it can boot from CD. See your BIOS documentation for more
information.

1. Bart's PE Builder
Use another computer with Internet access and CD burning capabilities
to download this free program from the Internet (do a Google search
for it), which will create a bootable Windows CD with full access to
all drives (including NTFS). Boot from this CD, open the File
Management Utility and follow the directions in "Emergency Scenario I"
to run ERDNT and restore the registry.

2. The Windows Recovery Console (Windows 2000 and higher)
Note that you can use this method only if you saved the registry
backup inside the Windows folder, and that using this procedure only
the system registry is restored. This should however get you back into
Windows, from where you can run the ERDNT program to restore user
registries, if necessary.
- Boot your system from the Windows 2000/2003/XP CD-ROM.
- At the welcome screen, press "R" (Windows 2000: "R" then "C").
- Type in the number of the Windows installation you want to repair
(usually 1), then press ENTER.
- Type in the Administrator password (leave blank if you are unsure
what it is) and press ENTER.
- At the command prompt type
cd erdnt
or whatever you named your restore folder, then press ENTER.
- If you enabled automatic registry backup on system boot during ERUNT
installation and want to restore one of these backups, type
cd autobackup <ENTER>
- If you created subfolders for different registry backups (for
example, with the different creation dates), type
dir <ENTER>
to see a list of available folders, then type
cd foldername <ENTER>
where foldername is the name of a folder listed by the dir command,
to open that folder.
- Now type
batch erdnt.con <ENTER>
to restore the system registry from that folder.
- Type
exit <ENTER>
and remove the CD from the CD-ROM drive. The system will now reboot
with the restored registry.

ERDNT technical information
---------------------------

ERDNT knows two restoration modes. The right mode is usually auto-
detected each time ERDNT is run, but read on if you are experiencing
problems restoring the registry.

"NT" mode is used if you run the ERDNT program from within the same
system where you made the backup. This is determined by looking at the
[SystemRoot] entry in the ERDNT.INF file and comparing it to the
actual %SystemRoot% environment variable. Using "NT" mode is the only
way to successfully restore the active registry of the currently
running OS.

"File copy" mode is used if the currently running OS is NOT NT-based,
or if the [SystemRoot] entry does not match the %SystemRoot%
environment variable. In this mode the backed up registry files are
simply copied back to their original location.

MS-DOS based ERDNT only supports "File copy" mode.

Note: In restoration mode "NT" backups of the current registry files
are automatically created, so that option is grayed out. In
restoration mode "File copy" all saved user registries are
automatically restored, so you cannot choose between "current user"
and "other user" registries.

The backups of the current registry files are placed in the same
location as the original and are given the extension ".bak".

Experienced users don't even need to use the ERDNT program in other
operating systems to restore a registry backup. Given access to the
appropriate files and folders, the backed up files can simply be
copied back to their original location, as that is all ERDNT does
in "File copy" mode anyway. Have a look at the ERDNT.INF file to
find out what the original file locations are.

ERDNT command line switches
---------------------------

The ERDNT program also supports command line switches for "silent"
operation. The syntax for the ERDNT command line is:

ERDNT silent [sysreg] [curuser] [otherusers]
[/mode:nt|filecopy] [/nobackup] [/noprogresswindow] [/reboot]

(Switches in brackets are optional.)

Description of the command line switches:

silent
Puts ERDNT into "silent" mode and enables all other switches.

sysreg
Restore the system registry

curuser *
Restore the current user registry
(This option is ignored in "File copy" restoration mode.)

otherusers
Restore other saved user registries

(Note: If none of the three above options is given on the command
line, ERDNT automatically uses the default restoration options, system
and current user registry.)

/mode:nt or /mode:filecopy *
Disables automatic detection of the correct restoration mode and
uses mode "NT" or "File copy" instead.

/nobackup
Don't make backups of the current registry files during restoration.
(This switch is ignored in "NT" restoration mode.)

/noprogresswindow
Hides the progress window during restoration.

/reboot *
Automatically reboots the computer when restoration of the registry
is complete.

* = Not supported in the DOS version of ERDNT.

Optimizing the registry with NTREGOPT
-------------------------------------

Similar to Windows 9x/Me, the registry files in an NT-based system
can become fragmented over time, occupying more space on your hard
disk than necessary and decreasing overall performance. You should
use the NTREGOPT utility regularly, but especially after installing
or uninstalling a program, to minimize the size of the registry files
and optimize registry access.

The program works by recreating each registry hive "from scratch",
thus removing any slack space that may be left from previously
modified or deleted keys.

Note that the program does NOT change the contents of the registry in
any way, nor does it physically defrag the registry files on the drive
(as the PageDefrag program from SysInternals does). The optimization
done by NTREGOPT is simply compacting the registry hives to the
minimum size possible.

To optimize your registry, simply run NTREGOPT, click "OK", and when
the process is complete click "OK" to reboot the computer. You should
do so immediately because any changes made to the registry after
NTREGOPT has been run are lost after the reboot.

NTREGOPT command line switches
------------------------------

The syntax for the NTREGOPT command line is:

NTREGOPT silent [/noprogresswindow] [/reboot]

(Switches in brackets are optional.)

Description of the command line switches:

silent
Puts NTREGOPT into "silent" mode and enables the other switches.

/noprogresswindow
Hides the progress window during optimization.

/reboot
Automatically reboots the computer when optimization of the registry
is complete.

Known problems
--------------

ERUNT and NTREGOPT sometimes fail with error 1450 - "Insufficient
system resources exist to complete the requested service" - when
trying to save a registry hive. I have not yet been able to reproduce
this error on any PC, and reports from affected users indicate that it
also pops up when trying to back up the critical hive using
Microsoft's REGBACK program. This makes it unlikely that there is
anything I can do on my (the programmer's) side. Some users reported
however that they were able to work around the problem by running
ERUNT/NTREGOPT in Windows' safe mode, and in one case uninstalling a
Symantec software suite solved it permanently. One user reported that
increasing the "IRPStackSize" value as described in Microsoft
Knowledge Base article 177078 fixed the problem on his system.

When the system is rebooted after a restoration of the registry with
ERDNT or optimization with NTREGOPT, Windows Server 2003 will by
default display the shutdown event tracker during logon asking why the
system has been shut down unexpectedly. This is because the info that
the shutdown was in fact an expected one is written to the "old"
registry during shutdown of the system which is replaced by the
restored/optimized registry next time the system is booted, and
therefore the shutdown info is discarded and shutdown event tracker
thinks the system crashed. You may want to disable the tracker to
avoid this message in the future (see the Windows help for information
on how to do this).

If you experience any other problems, please email me at
lars.hederer@t-online.de with a detailed description and I will see if
I can help you.

Localization
------------

You can translate all programs from this package into your language by
editing the appropriate .LOC file.

Keep in mind that the LOC files of the three Windows programs (ERUNT,
ERDNTWIN, NTREGOPT) should be edited using a Windows based editor
(Notepad), and ERDNTDOS.LOC using an MS-DOS based editor (EDIT.COM).
This is to ensure that any OEM characters are displayed correctly in
the program.

If your language is not yet present on my homepage and you want your
localization to be available to the general public, you are welcome to
send the four translated files to me. I will then make them available
for download, with credits of course.

I have included a German language pack. If you want to use the program
in German, simply unzip LOC_GER.ZIP into your ERUNT folder.

Version history
---------------

v1.1j, 10/20/2005
- Fixed compatibility issues with 64-bit Windows (many thanks to
Ian Smith and Hajo for all testing)
- Enhanced error messages
- AutoBackup now supports all date formats
- ERUNT.INI: "TimeSeparator" fixed; "DefaultDestinationFolder" now
supports all environment variables (previously only %SystemRoot%
could be used)
- ERDNT now displays the source Windows folder in addition to the
backup's creation date

v1.1i, 08/17/2005
- AutoBackup: Improved support for complex date formats
- NTREGOPT: Optimization results are now calculated correctly when
optimization failed on one or more hives

v1.1h, 03/06/2005
- Updated homepage address
- New ERUNT.INI option: AppendTimeToFolderEditField
- Fixed a problem where the current user registry could not be
identified on some systems
- Changed behavior of AutoBackup's /days:n switch

v1.1g, 11/02/2004
- ERUNT is now MUCH faster on Windows XP and Server 2003
- Added time string support on the command line
- AutoBackup now by default skips creating a backup for the current
day if one already exists

v1.1f, 08/26/2004
- Added AUTOBACK.EXE command line tool for automated registry backup
and deletion of old restore folders created prior to a specific
number of days
- Window position is now screen center instead of desktop center,
fixing display problem when using multiple monitors (thanks John

v1.1e, 07/31/2004
- Appearance of the date string can be configured via ERUNT.INI
- NTREGOPT: Optimization results: use thousand separator

v1.1d, 07/07/2004
- Optimized error handling
- Combined DOS and Windows ERDNT into a single Win32 executable,
fixing problems with the previous 16-bit exe stub on some systems
and with BartPE
- Added Windows Recovery Console support with ERDNT batch file
- Default destination folder can now be configured via file ERUNT.INI,
replacing #DestinationFolder command line option
- Changed the default destination folder to be inside the Windows
folder, for easy recovery console access
- New folder named the current date is automatically appended to
destination folder (can be disabled in ERUNT.INI)
- Rewrote major parts of the documentation

v1.1c, 05/10/2004
- Fixed problems with dynamic disks
- Added browse function for destination folder, as well as the option
to change the default name (use #DestinationFolder on the command
line)
- Re-added support for Windows NT 3.51 (got lost with v1.1) except
browse function

v1.1b, 04/23/2004
- ERUNT and NTREGOPT are now compatible with Windows Server 2003 and
Windows XP Service Pack 2
- Fixed a problem where the registry hives could not be
saved/restored/optimized on some systems
- Changed naming convention for user subfolders in the ERDNT folder

v1.1a, 10/03/2002
- Fixed a problem where the registry hives could not be
saved/restored/optimized on some systems

v1.1, 09/25/2002
- Fixed "Invalid pointer operation" message which occurred on some
systems (many thanks to Russ Cordner for his assistance in isolating
the problem)
- Fixed "Error opening localization file" message when ERUNT.EXE was
called from outside the ERUNT folder
- Fixed some problems with UNC path names
- Added command line support for ERDNT and NTREGOPT
- NTREGOPT: show optimization results (initial and new registry size)

v1.0, 11/24/2001
- Initial release

Distribution
------------

The ERUNT package (including the programs ERUNT, AUTOBACK, ERDNT and
NTREGOPT) is freeware. Please pass it to anyone who you think may find
it useful.

I explicitly allow this package to be included in any file archive,
CD-ROM or other media collection as well as usage in your own programs
provided that all files are kept and remain unchanged. A quick note
via e-mail where my program has been included is appreciated.

Donations
---------

Though I chose to make my programs freeware so that no one is required
to pay for using them, I accept and appreciate donations. So, if you
find my programs helpful and want to support further development,
simply visit my homepage and click one of the "PayPal" buttons, or
donate directly to my e-mail address via PayPal. Thanks in advance!

If you live in Germany and want to make a donation, you may also
transfer money directly to my bank account. Contact me for more
information.

Disclaimer
----------

Use this software at your own risk. I do not take responsibility for
anything that might happen to you or the PC upon use of my programs,
including but not limited to: registry destruction, hard disk crash,
heart attack...

Comments and suggestions via e-mail, however, are always welcome!

Back to top of the page up there ^
MultiQuote
Reply

#17 Bio-Hazard

Global Moderator/Security Expert

Group: Global Moderator
Posts: 85
Joined: 01-February 09
Gender:Male
Location:Cornwall, UK

Posted 15 March 2009 - 07:00 AM

Hello!

This folder C:\Program Files\S3 is ok, it is not malicious. Lets try another online scan. There is no need to post the HijackThis uninstall list.

Panda Online Scan

Please go HERE to run Panda's ActiveScan

Once you are on the Panda site, click the Scan your PC now button
A new window will open...click the Scan Now button
Allow the ActiveX control to be installed. It will start downloading the files it requires for the scan. Note: This may take a couple of minutes
Run the ActiveX control, if requested. The screen will then show the scanning progress - the scan will take a while to finish. Please be patient.
When the scan has finished, click on Export To
Save the file as Activescan.txt to your Desktop
Close the Activescan window then go to your Desktop
Double-click on Activescan.txt and it will open in Notepad
In Notepad, click Edit > Select all, then Edit > Copy
Reply to this thread and click Ctrl+V to paste the log in your reply

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

Panda scan Log
A fresh HijackThis Log ( after all the above has been done)

Honors Graduate of Malware Removal University

Back to top of the page up there ^
MultiQuote
Reply

#18 333nnn

Junior Member

Group: Members
Posts: 60
Joined: 08-March 08

Posted 15 March 2009 - 10:23 AM

The Active Scan did not give a log. A screen came up when the scan was finished saying congratulations there was nothing threatening found.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:18 AM, on 3/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../pcpitstop2.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7428 bytes

Back to top of the page up there ^
MultiQuote
Reply

#19 Bio-Hazard

Global Moderator/Security Expert

Group: Global Moderator
Posts: 85
Joined: 01-February 09
Gender:Male
Location:Cornwall, UK

Posted 15 March 2009 - 10:49 AM

Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:

RSIT and the folder C:/rsit(You can just delete the exe file from your desktop)
ERUNT(You can uninstall it from Add/Remove Programs)
ATF cleaner(You can just delete the exe file from your desktop)

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.

General Security and Computer Health

Clear Infected System Restore Points
Turn System Restore off
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer
Turn System Restore on
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Uncheck *Turn off System Restore*.
Click Apply, and then click OK.

Note:

once

not

Set correct settings for files
- Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
- Under Hidden files and folders if necessary select Do not show hidden files and folders.
- If unchecked please check Hide protected operating system files (Recommended)
- If necessary check Display content of system folders
- If necessary Uncheck Hide file extensions for known file types.
- Click OK
Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
NOTE: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.
Update Non-Microsoft Programs
Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector or F-secure Health Check. I suggest that you run one of them at least once a month.
Make Internet Explorer More Secure
You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE

Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
SpywareBlaster
SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.
Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.You can download Malwarebytes' Anti-Malware from HERE. Here are two tutorials: Malwarebytes' Anti-Malware Setup Guide and Malwarebytes' Anti-Malware Scanning Guide.
Hosts File
For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.
Use an alternative Internet Browser
Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead: Firefox or Opera

Here is a great article by miekiemoes How to prevent Malware.

Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Bio-Hazard

Honors Graduate of Malware Removal University

Back to top of the page up there ^
MultiQuote
Reply

#20 333nnn

Junior Member

Group: Members
Posts: 60
Joined: 08-March 08

Posted 15 March 2009 - 12:07 PM

Thanks for the help. A forum tech has saved my computer yet again. Online computer techs make using and maintaining pcs possible. We should all never forget the days when we were forced to pay manufacturers ridiculous fees for help. I read everything in your last post and followed the recommendations. I will post a complaint about those creating malware. They are indeed criminals and should be dealt with as such. They're not simply mischievous. One other question I have is I get a lot of notices from Comodo firewall about whether to allow a program to do something it's trying to do. It's difficult oftentimes to tell whether the attempted step is safe. How can I better tell what to allow and not allow?

Back to top of the page up there ^
MultiQuote
Reply

(2 Pages)
1
2
→

You cannot start a new topic
This topic is locked

5 Star Support Forums: