1 Week Ago
#1
Member
Profile: Join Date: Aug 2008
Posts: 3
Computer Experience: intermediate
HJT Log Help please
Hello.
My PC has been having a few problems lately. Sometimes it shuts down of its own accord, sometimes it doesn't start correctly, and I have been having a virus detected by Bitdefender (which it stops). I do a full scan and remove the virus, but it's back again a few hours later. It says it's Trojan.Spy.BZub.NIB.
I also keep getting a debug error message that comes up and shuts IE7 down; it says something along the lines of "debug error visualc++ securenet.dll". The HJT log is below if anyone can help me out. There is a load of junk on it, I'm sure.
Thanks in advance
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:25:30, on 08/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
D:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
D:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Trust\Trust MD3100 USB ADSL MODEM\CnxDslTb.exe
D:\WINDOWS\system32\VTTimer.exe
D:\WINDOWS\system32\VTtrayp.exe
D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Comodo\Firewall\CPF.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Outlook Express\msimn.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\N1OU33UY\HiJackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.co.uk/ws/ebayisapi.dl...=1&_trksid=m37
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.ebay.co.uk/ws/ebayisapi.dl...=1&_trksid=m37
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.co.uk/ws/eBayISAPI.dl...=1&_trksid=m37
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - D:\Program Files\IEPro\iepro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\AskSBar\bar\3.bin\ASKSBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - D:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\AskSBar\bar\3.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [CnxDslTaskBar] "D:\Program Files\Trust\Trust MD3100 USB ADSL MODEM\CnxDslTb.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "D:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SpywareTerminator] "D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Update Service] D:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [SmartRAM] "D:\Program Files\IObit\Advanced WindowsCare 3 Beta\Sup_SmartRAM.exe" /m
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - D:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - D:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/...aderMediaX.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/...lMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188314303298
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188314629251
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/...ws-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F550FB65-92D2-487D-B6B4-0EB769088CBF}: NameServer = 158.152.1.58 158.152.1.43
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - D:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - ?????????????????•????????????????????" (file missing)
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - D:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - D:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
--
End of file - 11158 bytes
1 Week Ago
#2
Staff
Profile: Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 9,684
Computer Experience: ~@<*+
Welcome to WindowsBBS, gvp444.
Does BitDefender give you a filename and/or location for the detection?
Let's get a log from another tool that will give us a better look at things. Download Deckard's System Scanner (dss.exe) and save it to your desktop. Close all applications and windows.
Double click on dss.exe to run it and follow the prompts.
When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.
Post the contents of main.txt only for now.
1 Week Ago
#3
Member
Profile: Join Date: Aug 2008
Posts: 3
Computer Experience: intermediate
Hi. Thanks for your help.
Bitdefender doesn't come up with a file name or path, and it doesn't give any options to delete or quarantine, just to click OK. The message says Bitdefender has prevented a virus from running on your computer, then gives the name as above. When I do the scan (it only finds it in a deep scan) it finds it in a few files, which I then delete; they look like registry files and temp files to me. Here is the DSS log.
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-08-09 08:13:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
30: 2008-08-09 07:13:33 UTC - RP365 - Deckard's System Scanner Restore Point
29: 2008-08-08 08:10:04 UTC - RP364 - Advanced WindowsCare RestorePoint
28: 2008-08-07 07:13:35 UTC - RP363 - System Checkpoint
27: 2008-08-04 19:01:31 UTC - RP362 - System Checkpoint
26: 2008-08-03 16:26:03 UTC - RP361 - System Checkpoint
-- First Restore Point --
1: 2008-07-05 20:46:06 UTC - RP336 - Installed DirectX
Backed up registry hives.
Performed disk cleanup.
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-09 08:17:37
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal
Running processes:
D:\WINDOWS\system32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
D:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Trust\Trust MD3100 USB ADSL MODEM\CnxDslTb.exe
D:\WINDOWS\system32\VTTimer.exe
D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SKGBG4ZO\dss [1].exe
D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.co.uk/ws/ebayisapi.dl...=1&_trksid=m37
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.ebay.co.uk/ws/ebayisapi.dl...=1&_trksid=m37
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.co.uk/ws/eBayISAPI.dl...=1&_trksid=m37
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - D:\Program Files\IEPro\IEPro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\AskSBar\bar\3.bin\ASKSBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - D:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\AskSBar\bar\3.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [CnxDslTaskBar] "D:\Program Files\Trust\Trust MD3100 USB ADSL MODEM\CnxDslTb.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "D:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SpywareTerminator] "D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Update Service] D:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [SmartRAM] "D:\Program Files\IObit\Advanced WindowsCare 3 Beta\Sup_SmartRAM.exe" /m
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - D:\Program Files\IEPro\IEPro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - D:\Program Files\IEPro\IEPro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/...aderMediaX.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} () - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/...lMgr_v01_6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188314303298
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188314629251
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_07) - http://sdlc-esd.sun.com/ESD44/JSCDL/...ws-i586-jc.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - D:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - D:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: KService - Kontiki Inc. - D:\Program Files\Kontiki\KService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - D:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - ?????????????????•????????????????????"
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - D:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - D:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
--
End of file - 12043 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 SCDEmu - d:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R1 sp_rsdrv2 (Spyware Terminator Driver 2) - d:\windows\system32\drivers\sp_rsdrv2.sys
R1 vcdrom (Virtual CD-ROM Device Driver) - d:\documents and settings\administrator\my documents\my ebooks\vcdrom.sys <Not Verified; Microsoft Corporation; VirtualCdRom>
R3 BDSelfPr - d:\program files\bitdefender\bitdefender 2008\bdselfpr.sys <Not Verified; BitDefender S.R.L.; BitDefender>
R3 CnxEtP (Trust MD3100 USB ADSL MODEM LAN Adapter Filter Driver) - d:\windows\system32\drivers\cnxetp.sys <Not Verified; Conexant; Conexant USB ADSL Modem>
R3 CnxEtU (Trust MD3100 USB ADSL MODEM Loader) - d:\windows\system32\drivers\cnxetu.sys <Not Verified; Conexant; Conexant USB ADSL Modem>
R3 CnxTgN (Trust MD3100 USB ADSL MODEM LAN Adapter Driver) - d:\windows\system32\drivers\cnxtgn.sys <Not Verified; Conexant Systems Inc.; Conexant AccessRunner ADSL>
S1 bdpredir - d:\program files\softwin\bitdefender10\bdpredir.sys (file missing)
S3 catchme - d:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
S3 gmer - ????????????s (file missing)
S3 jswmidin - d:\docume~1\admini~1\locals~1\temp\jswmidin.sys (file missing)
S3 NPF (NetGroup Packet Filter Driver) - ???????????? (file missing)
S3 Partizan - d:\windows\system32\drivers\partizan.sys <Not Verified; Greatis Software; RegRun Security Suite>
S3 SABProcEnum - d:\program files\internet explorer\sabprocenum.sys (file missing)
S3 TVICHW32 - d:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
S3 ZSMC0305 (VIMICRO USB PC Camera V) - d:\windows\system32\drivers\usbvm305.sys <Not Verified; Vimicro Corporation; >
S3 ZSMC302 (VIMICRO USB PC Camera) - d:\windows\system32\drivers\usbvm31b.sys <Not Verified; VM; >
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 sp_rssrv (Spyware Terminator Realtime Shield Service) - "d:\program files\spyware terminator\sp_rsser.exe" <Not Verified; Crawler.com; Crawler Spyware Terminator>
R3 ServiceLayer - "d:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - ?????????????????•????????????????????" (file missing)
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E96E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ROOT\MONITOR\0000
Manufacturer: HP
Name:
PNP Device ID: ROOT\MONITOR\0000
Service:
Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia 6300
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 6300
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd
-- Scheduled Tasks -------------------------------------------------------------
2008-08-09 07:23:21 464 --a------ D:\WINDOWS\Tasks\XoftSpySE 2.job
2008-08-08 21:44:00 428 --a------ D:\WINDOWS\Tasks\AWC Update.job
2008-07-07 16:57:58 378 --a------ D:\WINDOWS\Tasks\XoftSpySE.job
-- Files created between 2008-07-09 and 2008-08-09 -----------------------------
2008-08-07 15:58:02 0 d-------- D:\Documents and Settings\Administrator\Application Data\IEPro
2008-08-07 15:57:50 0 d-------- D:\Program Files\IEPro
2008-08-02 22:13:58 0 d-------- D:\Documents and Settings\Administrator\Application Data\Ashampoo
2008-08-02 22:13:49 0 d-------- D:\Documents and Settings\All Users\Application Data\ashampoo
2008-08-02 22:05:31 0 d-------- D:\Documents and Settings\Administrator\Application Data\DeepBurner
2008-08-02 22:05:10 0 d-------- D:\Program Files\Astonsoft
2008-08-01 11:02:24 0 d-------- D:\Documents and Settings\Default User\Application Data\Macromedia
2008-07-14 15:46:28 0 d-------- D:\Program Files\Common Files\Wise Installation Wizard
2008-07-14 15:45:42 0 d-------- D:\Documents and Settings\Administrator\.housecall6.6
2008-07-14 09:58:46 0 d-------- D:\Program Files\AskSBar
2008-07-12 14:22:43 208896 --a------ D:\WINDOWS\system32\wpcap.dll <Not Verified; Politecnico di Torino; WinPcap wpcap.dll>
2008-07-12 14:22:43 53299 --a------ D:\WINDOWS\system32\pthreadVC.dll
2008-07-12 14:22:40 0 d-------- D:\Program Files\winpcap
2008-07-12 14:09:14 0 d-------- D:\Program Files\Java
2008-07-12 14:08:18 0 d-------- D:\Program Files\Common Files\Java
2008-07-09 21:50:39 0 d-------- D:\WINDOWS\ERUNT
-- Find3M Report ---------------------------------------------------------------
2008-08-09 08:14:45 81984 --a------ D:\WINDOWS\system32\bdod.bin
2008-08-08 16:49:12 0 d-------- D:\Documents and Settings\Administrator\Application Data\FrostWire
2008-08-08 10:00:11 0 d-------- D:\Documents and Settings\Administrator\Application Data\Spare Backup
2008-08-08 09:08:42 0 d-------- D:\Program Files\IObit
2008-08-02 22:48:33 0 d-------- D:\Program Files\DVD Shrink
2008-08-02 20:03:47 0 d-------- D:\Documents and Settings\Administrator\Application Data\uTorrent
2008-07-31 14:40:35 0 d-------- D:\Documents and Settings\Administrator\Application Data\Ladbrokes
2008-07-14 15:46:54 0 d-------- D:\Program Files\SUPERAntiSpyware
2008-07-14 15:46:50 0 d-------- D:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-07-14 15:46:28 0 d-------- D:\Program Files\Common Files
2008-07-14 09:59:03 0 d-------- D:\Program Files\FrostWire
2008-07-13 13:00:18 0 d-------- D:\Documents and Settings\Administrator\Application Data\FxFotoDB
2008-07-12 14:11:23 0 d-------- D:\Program Files\XoftSpySE
2008-07-07 16:34:30 0 d-------- D:\Program Files\Windows Media Bonus Pack for Windows XP
2008-07-07 16:32:51 0 d-------- D:\Program Files\Eusing Free Registry Cleaner
2008-07-07 12:09:49 0 d-------- D:\Program Files\PEN
2008-07-06 19:30:06 0 d-------- D:\Program Files\Net Tools
2008-07-05 21:39:28 0 d--h----- D:\Program Files\InstallShield Installation Information
2008-07-03 12:48:02 0 d-------- D:\Documents and Settings\Administrator\Application Data\Mozilla
2008-07-02 11:41:24 0 d-------- D:\Program Files\Spyware Terminator
2008-07-02 11:00:38 0 d-------- D:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-06-27 20:24:19 0 d-------- D:\Documents and Settings\Administrator\Application Data\Nokia Multimedia Player
2008-06-27 20:20:26 0 d-------- D:\Documents and Settings\Administrator\Application Data\Nokia
2008-06-27 20:20:24 0 d-------- D:\Documents and Settings\Administrator\Application Data\PC Suite
2008-06-27 20:19:12 0 d-------- D:\Program Files\DIFX
2008-06-27 20:18:04 0 d-------- D:\Program Files\Common Files\PCSuite
2008-06-27 20:17:39 0 d-------- D:\Program Files\Common Files\Nokia
2008-06-27 20:17:36 0 d-------- D:\Program Files\Nokia
2008-06-27 20:16:55 0 d-------- D:\Program Files\PC Connectivity Solution
2008-06-14 13:59:51 0 d-------- D:\Program Files\CD to MP3 Freeware
2008-06-12 19:47:24 0 d-------- D:\Program Files\Spyware Doctor
2008-06-12 13:18:22 28672 --a------ D:\WINDOWS\system32\Partizan.exe <Not Verified; Greatis Software; RegRun Security Suite, UnHackMe>
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
14/07/2008 09:58 267592 --a------ D:\Program Files\AskSBar\bar\3.bin\ASKSBAR.DLL
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= D:\Program Files\AskSBar\bar\3.bin\ASKSBAR.DLL [14/07/2008 09:58 267592]
[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CnxDslTaskBar"="D:\Program Files\Trust\Trust MD3100 USB ADSL MODEM\CnxDslTb.exe" [28/08/2007 15:55]
"VTTimer"="VTTimer.exe" [21/09/2006 17:36 D:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [27/08/2007 20:03 D:\WINDOWS\system32\VTTrayp.exe]
"BitDefender Antiphishing Helper"="D:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [09/10/2007 16:46]
"BDAgent"="D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [02/07/2008 15:44]
"GrooveMonitor"="D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 08:00]
"COMODO Firewall Pro"="D:\Program Files\Comodo\Firewall\CPF.exe" [05/02/2008 19:06]
"SpywareTerminator"="D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [24/05/2008 10:17]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:56]
"MsnMsgr"="D:\Program Files\Windows Live\Messenger\msnmsgr.exe" [18/10/2007 12:34]
"Update Service"="D:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe" [14/10/2007 22:42]
"SmartRAM"="D:\Program Files\IObit\Advanced WindowsCare 3 Beta\Sup_SmartRAM.exe" [22/07/2008 15:42]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"=1 (0x1)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13/05/2008 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Gangsters2Setup.lnk]
backup=D:\WINDOWS\pss\Gangsters2Setup.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=D:\WINDOWS\pss\Google Updater.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
"D:\Program Files\Kontiki\KHost.exe" -all
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDog305]
D:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
D:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
D:\Program Files\Kontiki\KHost.exe -all
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
D:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
D:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
D:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spare Backup]
"D:\Program Files\Spare Backup\SpareTray.exe" /silent
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Total Security]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalSecurityUpdate]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows live Messenger]
msn.com
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KService"=2 (0x2)
"aawservice"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan
-- End of Deckard's System Scanner: finished at 2008-08-09 08:18:28 ------------
1 Week Ago
#4
Staff
Profile: Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 9,684
Computer Experience: ~@<*+
Quote:
When I do the scan (only finds it in deep scan) it finds it in a few files which I then delete, they look like registry files and temp files to me.
And those files have no name or location?
Please do an online scan with Kaspersky Online Scanner
Click Accept, when prompted to download and install the program files and database of malware definitions. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click View scan report at the bottom.
Click the Save Report As... button.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**
To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
1 Week Ago
#5
Member
Profile: Join Date: Aug 2008
Posts: 3
Computer Experience: intermediate
Hi.
Sorry, I get what you mean now. Here is the latest scan report with all the file names it found.
Scan Paths:
Path0000: C:\
Path0001: D:\
Scan Options:
Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : Yes
Target selection options:
Scan registry keys : Yes
Scan cookies : Yes
Scan boot sectors : Yes
Scan memory processes : Yes
Scan archives : Yes
Scan runtime packers : Yes
Scan emails : Yes
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :
Target Processing
Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None
Scan engines summary
Number of virus signatures : 1381418
Archive plugins : 42
Email plugins : 6
Scan plugins : 12
Archive plugins : 42
System plugins : 4
Unpack plugins : 7
Overall scan summary
Scanned items : 716362
Infected items : 1
Suspicious items : 28
Resolved items : 28
Individual viruses found : 1
Scanned directories : 14839
Scanned boot sectors : 5
Scanned archives : 49491
Input-output errors : 28
Scan time : 00:03:00:39
Files per second : 66
Scanned processes summary
Scanned : 35
Infected : 0
Scanned registry keys summary
Scanned : 344
Infected : 0
Scanned cookies summary
Scanned : 0
Infected : 0
Remaining issues:
Object Name Threat Name Final Status
C:\System Volume Information\_restore{3645F337-2EB4-4D2C-81FB-5451D08365B1}\RP165\A0026544.exe=](NSIS o)=]lzma_nsis0006 Trojan.FatObfus.Gen Infected (no action was possible, file was in an archive)
Resolved issues:
Object Name Threat Name Final Status
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP324\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP325\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP326\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP327\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP328\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP329\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP330\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP331\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP332\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP333\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP334\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP335\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP336\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP337\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP338\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP339\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP340\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP341\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP342\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP343\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP344\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP345\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP346\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP347\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP348\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP349\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\WINDOWS\ERUNT\SDFIX\default Trojan.Spy.BZub.NIB Deleted
D:\WINDOWS\ERUNT\SDFIX_First_Run\default Trojan.Spy.BZub.NIB Deleted
1 Week Ago
#6
Staff
Profile: Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 9,684
Computer Experience: ~@<*+
Those system volume information detections are System Restore points. The Erunt detections are in a backup registry hive created when sdfix was run. Remove the Erunt folder and empty the recycle bin. If your computer is performing properly otherwise, clean up the System Restore points as follows.
Clear past system restore points and create a new one.
Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply to turn System Restore back on. Click OK, then OK to close the System Properties dialog.
Verify a new restore point was created.
Click Start>All Programs>Accessories>System Tools>System Restore
Select 'Restore my computer to an earlier time', then click Next.
You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point', then click Next. Give the restore point a name and click Next.
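The triage in the reply above (detections under System Volume Information are System Restore snapshots, and the ERUNT hits are a backup registry hive, so neither is a running infection, while anything elsewhere deserves a closer look) can be scripted when a report has dozens of lines. The following Python script is an added example, not code from this thread or from Kaspersky, BitDefender or any other tool named in it. It parses a constructed report whose lines are modelled on the one posted above, plus one made-up temp-folder entry with a placeholder threat name so that a live-location hit shows up in the output; the category names and the rule that only "Deleted", "Infected" and "Skipped" statuses are recognised are assumptions of this example.

```python
"""Sort scan-report detections by where they sit: restore-point copies and
ERUNT registry backups are inert, anything else is a live location.

Added example; the report below is constructed for illustration."""
import re
from collections import Counter

# Constructed sample modelled on the report posted in the thread. The final
# line is made up (placeholder path and threat name) to show a live hit.
SAMPLE_REPORT = r"""
Remaining issues:
Object Name Threat Name Final Status
C:\System Volume Information\_restore{3645F337-2EB4-4D2C-81FB-5451D08365B1}\RP165\A0026544.exe=](NSIS o)=]lzma_nsis0006 Trojan.FatObfus.Gen Infected (no action was possible, file was in an archive)
Resolved issues:
Object Name Threat Name Final Status
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP324\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\System Volume Information\_restore{F7B3A608-9B10-4204-A73B-1B2713D4B47B}\RP325\snapshot\_REGISTRY_USER_.DEFAULT Trojan.Spy.BZub.NIB Deleted
D:\WINDOWS\ERUNT\SDFIX\default Trojan.Spy.BZub.NIB Deleted
D:\Documents and Settings\Administrator\Local Settings\Temp\placeholder.exe Example.Constructed.Threat Deleted
"""

SECTION_RE = re.compile(r"^(Remaining|Resolved) issues:$")
COLUMN_HEADER = "Object Name Threat Name Final Status"
# A report line is: <path, may contain spaces> <one-token threat name> <status>.
# The path is matched lazily, so the first split whose status starts with a
# known status word wins (assumed status vocabulary: Deleted/Infected/Skipped).
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?P<threat>\S+) (?P<status>(?:Deleted|Infected|Skipped)\b.*)$"
)
# System Restore keeps snapshots under <drive>:\System Volume Information\_restore{GUID}\RPnnn\
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)
ERUNT_RE = re.compile(r"\\ERUNT\\", re.IGNORECASE)


def classify(path):
    """Label a detected object by the kind of location it was found in."""
    if RESTORE_RE.search(path):
        return "restore-point copy"
    if ERUNT_RE.search(path):
        return "ERUNT registry backup"
    return "live location"


def parse_report(text):
    """Return one dict per detection line, tagged with its section and category."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == COLUMN_HEADER:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # unrecognised line; a stricter tool would report it
        findings.append({
            "section": section,
            "path": m["path"],
            "threat": m["threat"],
            "status": m["status"],
            "category": classify(m["path"]),
        })
    return findings


def summarize(findings):
    """Count detections per category."""
    return Counter(f["category"] for f in findings)


def restore_points(findings):
    """(drive letter, RP number) pairs that still hold a detected copy."""
    rps = set()
    for f in findings:
        m = RESTORE_RE.search(f["path"])
        if m:
            rps.add((f["path"][0].upper(), int(m["rp"])))
    return sorted(rps)


def live_findings(findings):
    """Detections outside snapshot and backup locations: these need attention."""
    return [f for f in findings if f["category"] == "live location"]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for category, count in sorted(summarize(found).items()):
        print(f"{count:3d}  {category}")
    print("restore points holding copies:", restore_points(found))
    for f in live_findings(found):
        print("LIVE:", f["threat"], "in", f["path"], "->", f["status"])
```

Run as-is it prints the category counts, the restore points that still hold a detected copy (which is what the System Restore off/on cycle described above clears) and the single live-location entry. On a real report, feed the "Remaining issues" and "Resolved issues" blocks into `parse_report` instead of the constructed sample.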