
Suspected trojan / keylogger

  • 16-12-2009 6:43am
    #1


    I very stupidly opened something on Sunday night due to sheer laziness, and the next thing I know the audio is turned off and my anti-virus was being turned off. After rebooting I uninstalled BitDefender, and most of the security stuff was having issues with being turned off.

    I did scans with Malwarebytes and that found something and deleted it, but I think that was a previous virus that I was unaware of. After scanning with all sorts and doing a system restore I am now at the point where every scanner is coming up clean - Malwarebytes, SUPERAntiSpyware, Avast, NOD32, NOD32 online scanner; they all say my system is clean, but I still think something is there when I look at the task manager and see all these processes like csrss, atieclxx and many svchost.exe etc. Also iexplore.exe is running a few times in processes even though I only have it opened once.

    Anyway, here are the HijackThis and Rooter logs. I took them in safe mode, not sure if that is correct or not, so will post up logs taken in normal mode as well within 5 minutes.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:50:03, on 16/12/2552
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Safe mode with network support

    Running processes:
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: ChromeFrame BHO - {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files (x86)\Google\Chrome Frame\Application\4.0.266.0\npchrome_tab.dll
    O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~2\YREFRE~1\YREFRE~1.DLL
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [USB Antivirus] C:\Program Files (x86)\USB Disk Security\USBGuard.exe
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\RunOnce: [UniblueRegistryBooster] "C:\Program Files (x86)\Uniblue\RegistryBooster\launcher.exe" delay 20000
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O9 - Extra button: ส่งไปยัง OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: ส่&งไปยัง OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol hijack: cf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E}
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~1\Office12\GRA32A~1.DLL
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 7222 bytes


    Rooter.exe (v1.0.2) by Eric_71
    .
    SeDebugPrivilege granted successfully ...
    .
    Windows 7 . (6.1.7600)
    [32_bits] - Intel64 Family 6 Model 23 Stepping 10, GenuineIntel
    .
    [wscsvc] STOPPED (state:1) : Security Center -> Disabled !
    [MpsSvc] RUNNING (state:4)
    Windows Firewall -> Enabled
    Windows Defender -> Enabled
    User Account Control (UAC) -> Enabled
    .
    Internet Explorer 8.0.7600.16385
    .
    C:\ [Fixed-NTFS] .. ( Total:465 Go - Free:293 Go )
    D:\ [CD_Rom]
    .
    Scan : 13:50.09
    Path : C:\Users\Simon\Desktop\Rooter.exe
    User : Simon ( Administrator -> YES )
    .
    \\ Processes
    .
    Locked [System Process] (0)
    Locked System (4)
    ______ ????????? (248)
    ______ ????????? (324)
    ______ ????????? (360)
    ______ ????????? (368)
    ______ ????????? (428)
    ______ ????????? (436)
    ______ ????????? (444)
    ______ ????????? (460)
    ______ ????????? (564)
    ______ ????????? (628)
    ______ ????????? (736)
    ______ ????????? (768)
    ______ ????????? (852)
    ______ ????????? (892)
    ______ ????????? (920)
    ______ ????????? (984)
    ______ ????????? (1132)
    ______ ????????? (1176)
    ______ ????????? (504)
    ______ C:\Program Files (x86)\Internet Explorer\iexplore.exe (112)
    ______ ????????? (1840)
    ______ ????????? (1420)
    ______ C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe (1740)
    ______ C:\Windows\SysWOW64\NOTEPAD.EXE (356)
    ______ C:\Users\Simon\Desktop\Rooter.exe (816)
    .
    \\ Device\Harddisk0\
    .
    \Device\Harddisk0 [Sectors : 63 x 512 Bytes]
    .
    \Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:500105217024)
    .
    \\ Scheduled Tasks
    .
    C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    C:\Windows\Tasks\SA.DAT
    C:\Windows\Tasks\SCHEDLGU.TXT
    .
    \\ Registry
    .
    .
    \\ Files & Folders
    .
    \\ Scan completed at 13:50.10
    .
    C:\Rooter$\Rooter_2.txt - (16/12/2009 | 13:50.10)


Comments

  • crybaby


    Normal mode logs; I ran as administrator.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:55:29, on 16/12/2552
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\USB Disk Security\USBGuard.exe
    C:\Program Files (x86)\Java\jre6\bin\jusched.exe
    C:\Windows\SysWow64\Macromed\Flash\FlashUtil10c.exe
    C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: ChromeFrame BHO - {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files (x86)\Google\Chrome Frame\Application\4.0.266.0\npchrome_tab.dll
    O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~2\YREFRE~1\YREFRE~1.DLL
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [USB Antivirus] C:\Program Files (x86)\USB Disk Security\USBGuard.exe
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O9 - Extra button: ส่งไปยัง OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: ส่&งไปยัง OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol hijack: cf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E}
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~1\Office12\GRA32A~1.DLL
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 7179 bytes



    Rooter.exe (v1.0.2) by Eric_71
    .
    SeDebugPrivilege granted successfully ...
    .
    Windows 7 . (6.1.7600)
    [32_bits] - Intel64 Family 6 Model 23 Stepping 10, GenuineIntel
    .
    [wscsvc] (Security Center) RUNNING (state:4)
    [MpsSvc] RUNNING (state:4)
    Windows Firewall -> Enabled
    Windows Defender -> Enabled
    User Account Control (UAC) -> Enabled
    .
    Internet Explorer 8.0.7600.16385
    .
    C:\ [Fixed-NTFS] .. ( Total:465 Go - Free:293 Go )
    D:\ [CD_Rom]
    .
    Scan : 13:55.41
    Path : C:\Users\Simon\Desktop\Rooter.exe
    User : Simon ( Administrator -> YES )
    .
    \\ Processes
    .
    Locked [System Process] (0)
    Locked System (4)
    ______ ???<?????? (288)
    ______ ???<?????? (368)
    ______ ???<?????? (440)
    ______ ???<?????? (460)
    ______ ???<?????? (492)
    ______ ???<?????? (508)
    ______ ???<?????? (516)
    ______ ???<?????? (600)
    ______ ???<?????? (664)
    ______ ???<?????? (740)
    ______ ???<?????? (836)
    ______ ???<?????? (884)
    ______ ???<?????? (916)
    ______ ???<?????? (944)
    Locked audiodg.exe (260)
    ______ ???<?????? (364)
    ______ ???<?????? (1052)
    ______ ???<?????? (1072)
    ______ ???<?????? (1260)
    ______ ???<?????? (1288)
    ______ ???<?????? (1392)
    ______ C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe (1428)
    ______ ???<?????? (1676)
    ______ ???<?????? (1708)
    ______ ???<?????? (1736)
    ______ ???<?????? (1784)
    ______ ???<?????? (1032)
    ______ ???<?????? (2184)
    ______ ???<?????? (2300)
    ______ C:\Program Files (x86)\USB Disk Security\USBGuard.exe (2592)
    ______ C:\Program Files (x86)\Java\jre6\bin\jusched.exe (2652)
    ______ ???<?????? (2688)
    ______ ???<?????? (2816)
    ______ ???<?????? (2980)
    ______ ???<?????? (1620)
    ______ ???<?????? (2132)
    ______ ???<?????? (196)
    ______ ???<?????? (1956)
    ______ C:\Windows\SysWow64\Macromed\Flash\FlashUtil10c.exe (3128)
    ______ ???<?????? (3516)
    ______ ???<?????? (3564)
    ______ C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe (876)
    ______ C:\Windows\SysWOW64\NOTEPAD.EXE (700)
    ______ ???<?????? (2248)
    ______ ???<?????? (2888)
    ______ C:\Users\Simon\Desktop\Rooter.exe (2080)
    .
    \\ Device\Harddisk0\
    .
    \Device\Harddisk0 [Sectors : 63 x 512 Bytes]
    .
    \Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:500105217024)
    .
    \\ Scheduled Tasks
    .
    C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    C:\Windows\Tasks\SA.DAT
    C:\Windows\Tasks\SCHEDLGU.TXT
    .
    \\ Registry
    .
    .
    \\ Files & Folders
    .
    \\ Scan completed at 13:55.43
    .
    C:\Rooter$\Rooter_3.txt - (16/12/2009 | 13:55.43)


  • zenno


    Go into safe mode and scan with Malwarebytes and SUPERAntiSpyware. A lot of people think that scanning the system in normal mode will catch them; it doesn't, so try that in safe mode.
    iexplore comes up twice in processes, that's normal.


  • crybaby


    Think I did already, sorry, my memory isn't the best after so many scans, but will do again when I get home.


  • crybaby


    Scanned with Malwarebytes and SUPERAntiSpyware in safe mode; both came up clean.

    ZoneAlarm isn't picking up any mad activity from svchost.exe, which is good.


  • roberthurley14


    crybaby wrote: »
    Scanned with Malwarebytes and SUPERAntiSpyware in safe mode; both came up clean.

    ZoneAlarm isn't picking up any mad activity from svchost.exe, which is good.


    Don't use ZoneAlarm, it's partnered with some spyware firms.


  • zenno


    Don't worry about svchost, there are usually 12 svchosts in processes, that's normal. Everything looks OK there. Are you having any strange problems or such?


  • ActorSeeksJob


    Hi,

    Please download DDS and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.pif to run the tool.
    • When done, two DDS.txts will open.
    • Save both reports to your desktop.


    Please include the contents of the following in your next reply:

    DDS.txt
    Attach.txt.


  • jimoc


    Don't use ZoneAlarm, it's partnered with some spyware firms.

    Where can I read up more about this?
    I've heard nothing about it.


  • crybaby


    OK, here are the logs as requested. I just noticed it says my AV is BitDefender; I seem to be having trouble getting rid of all traces of it, as it is installed and I am now using NOD32 as AV software. I did close SUPERAntiSpyware before the scan, in case you're wondering about that.

    DDS (Ver_09-12-01.01) - NTFSX64
    Run by Simon at 3:41:05.18 on Thu 12/17/2009
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Ultimate 6.1.7600.0.874.66.1033.18.4095.2877 [GMT 7:00]

    AV: BitDefender Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
    SP: BitDefender Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\SysWOW64\ZoneLabs\vsmon.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    C:\Program Files (x86)\USB Disk Security\USBGuard.exe
    C:\Program Files (x86)\Java\jre6\bin\jusched.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\SysWow64\Macromed\Flash\FlashUtil10c.exe
    C:\Windows\system32\sppsvc.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Simon\Desktop\dds.pif
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    mLocal Page = c:\windows\syswow64\blank.htm
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~2\micros~1\office12\GR469A~1.DLL
    BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\wow64\trustchecker\bin\TrustCheckerIEPlugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
    BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:\program files (x86)\google\chrome frame\application\4.0.266.0\npchrome_tab.dll
    TB: RefresherBand Class: {b24ba06e-fb7b-4757-95c2-dc01125f750e} - c:\progra~2\yrefre~1\YREFRE~1.DLL
    TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\wow64\trustchecker\bin\TrustCheckerIEPlugin.dll
    uRun: [SUPERAntiSpyware] c:\program files (x86)\superantispyware\SUPERAntiSpyware.exe
    mRun: [GrooveMonitor] "c:\program files (x86)\microsoft office\office12\GrooveMonitor.exe"
    mRun: [USB Antivirus] c:\program files (x86)\usb disk security\USBGuard.exe
    mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [ATICustomerCare] "c:\program files (x86)\ati\aticustomercare\ATICustomerCare.exe"
    mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe"
    mRun: [ZoneAlarm Client] "c:\program files (x86)\zone labs\zonealarm\zlclient.exe"
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~1\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~1\office12\REFIEBAR.DLL
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: cf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files (x86)\google\chrome frame\application\4.0.266.0\npchrome_tab.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~2\micros~1\office12\GRA32A~1.DLL
    Notify: !SASWinLogon - c:\program files (x86)\superantispyware\SASWINLO.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~2\micros~1\office12\GR469A~1.DLL
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files (x86)\superantispyware\SASSEH.DLL
    BHO-X64: ZoneAlarm Toolbar Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    BHO-X64: ZoneAlarm Toolbar Registrar - No File
    TB-X64: ZoneAlarm Toolbar: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    mRun-x64: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
    mRun-x64: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"

    ============= SERVICES / DRIVERS ===============

    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-4 202752]
    R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\x86\ekrn.exe [2009-9-29 735960]
    R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-9-29 123200]
    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 32888]
    R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 800624]
    S1 SASDIFSV;SASDIFSV;c:\program files (x86)\superantispyware\sasdifsv.sys [2009-11-23 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files (x86)\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
    S2 gupdate;Google Update Service (gupdate);c:\program files (x86)\google\update\GoogleUpdate.exe [2009-12-1 135664]
    S3 SASENUM;SASENUM;c:\program files (x86)\superantispyware\SASENUM.SYS [2009-11-23 7408]

    =============== Created Last 30 ================

    2009-12-16 12:36:39 0 d-----w- c:\users\simon\appdata\roaming\uTorrent
    2009-12-16 11:22:45 0 d-----w- c:\users\simon\appdata\roaming\CheckPoint
    2009-12-16 11:22:29 0 d-----w- c:\program files\CheckPoint
    2009-12-16 11:22:22 58248 ----a-w- c:\windows\syswow64\vsregexp.dll
    2009-12-16 11:22:18 69000 ----a-w- c:\windows\syswow64\zlcomm.dll
    2009-12-16 11:22:18 103816 ----a-w- c:\windows\syswow64\zlcommdb.dll
    2009-12-16 11:22:11 41864 ----a-w- c:\windows\syswow64\vswmi.dll
    2009-12-16 11:22:09 1238408 ----a-w- c:\windows\syswow64\zpeng25.dll
    2009-12-16 11:22:08 109960 ----a-w- c:\windows\syswow64\vsxml.dll
    2009-12-16 11:22:07 299912 ----a-w- c:\windows\syswow64\vspubapi.dll
    2009-12-16 11:22:07 0 d
    w- c:\windows\syswow64\ZoneLabs
    2009-12-16 11:22:06 446152 ----a-w- c:\windows\system32\drivers\~GLH0020.TMP
    2009-12-16 11:22:06 422437 ----a-w- c:\windows\system32\drivers\vsconfig.xml
    2009-12-16 11:22:06 112008 ----a-w- c:\windows\syswow64\vsdata.dll
    2009-12-16 11:22:06 107912 ----a-w- c:\windows\syswow64\vsmonapi.dll
    2009-12-16 11:21:40 446152
    w- c:\windows\system32\drivers\vsdatant.sys
    2009-12-16 11:21:18 0 d
    w- c:\programdata\CheckPoint
    2009-12-16 11:21:15 621960 ----a-w- c:\windows\syswow64\vsutil.dll
    2009-12-16 11:21:15 227720 ----a-w- c:\windows\syswow64\vsinit.dll
    2009-12-16 06:37:54 0 d
    w- C:\Rooter$
    2009-12-15 17:00:26 0 d
    w- c:\users\simon\appdata\roaming\LockHunter
    2009-12-15 16:59:00 0 d
    w- c:\program files\LockHunter
    2009-12-15 16:37:22 65536 --sha-w- c:\users\simon\NTUSER.DAT{92d3484c-e990-11de-82e9-002618d41f1f}.TM.blf
    2009-12-15 16:37:22 524288 --sha-w- c:\users\simon\NTUSER.DAT{92d3484c-e990-11de-82e9-002618d41f1f}.TMContainer00000000000000000002.regtrans-ms
    2009-12-15 16:37:22 524288 --sha-w- c:\users\simon\NTUSER.DAT{92d3484c-e990-11de-82e9-002618d41f1f}.TMContainer00000000000000000001.regtrans-ms
    2009-12-15 15:10:12 0 d
    w- c:\users\simon\appdata\roaming\Uniblue
    2009-12-15 15:10:09 0 d
    w- c:\program files (x86)\Uniblue
    2009-12-15 15:08:25 0 d
    w- c:\programdata\ESET
    2009-12-15 15:08:25 0 d
    w- c:\program files\ESET
    2009-12-15 14:55:21 0 d
    w- c:\users\simon\appdata\roaming\Malwarebytes
    2009-12-15 14:55:16 22104 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-15 13:53:49 0 d
    w- c:\programdata\SUPERAntiSpyware.com
    2009-12-15 13:53:15 0 d
    w- c:\users\simon\appdata\roaming\SUPERAntiSpyware.com
    2009-12-15 13:53:15 0 d
    w- c:\program files (x86)\SUPERAntiSpyware
    2009-12-15 13:51:48 0 d
    w- c:\users\simon\appdata\roaming\AVG8
    2009-12-15 13:48:03 733184 ----a-w- c:\users\simon\s-1-5-21-222245395-69493320-1356158625-1003.rrr
    2009-12-15 13:43:36 0 d
    w- c:\program files (x86)\CCleaner
    2009-12-15 13:40:27 0 d---a-w- c:\programdata\TEMP
    2009-12-15 13:33:26 0 d
    w- c:\program files (x86)\Zone Labs
    2009-12-15 13:33:20 0 d
    w- c:\windows\Internet Logs
    2009-12-15 13:30:56 3560
    w- C:\bootsqm.dat
    2009-12-14 15:23:10 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
    2009-12-14 15:23:10 5958656 ----a-w- c:\windows\syswow64\mshtml.dll
    2009-12-14 14:15:10 0 d
    w- c:\program files (x86)\Greatis
    2009-12-14 13:58:37 0 d
    w- c:\program files\Alwil Software
    2009-12-14 13:51:50 0 d
    w- c:\program files (x86)\Trend Micro
    2009-12-14 11:52:43 0 d
    w- c:\programdata\avg9
    2009-12-14 11:52:43 0 d
    w- c:\program files (x86)\AVG
    2009-12-14 11:36:27 0 d
    w- c:\programdata\SecTaskMan
    2009-12-14 09:58:31 0 d
    w- c:\program files (x86)\ESET
    2009-12-13 19:09:29 0 d
    w- c:\programdata\Malwarebytes
    2009-12-13 19:09:29 0 d
    w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2009-12-13 18:42:50 226688
    w- c:\windows\system32\MpSigStub.exe
    2009-12-10 03:03:03 0 d
    w- c:\program files (x86)\Foxit Software
    2009-12-08 11:01:57 0 d
    w- C:\Teaching
    2009-12-07 09:03:45 0 d
    w- c:\program files (x86)\EA GAMES
    2009-12-05 18:50:05 0 d
    w- c:\program files (x86)\YRefresher
    2009-12-02 00:39:49 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
    2009-12-01 13:19:58 0 d
    w- c:\windows\pss
    2009-11-28 14:32:14 0 d
    w- c:\programdata\Real
    2009-11-28 14:32:14 0 d
    w- c:\program files (x86)\common files\Real
    2009-11-28 10:43:28 411368 ----a-w- c:\windows\syswow64\deploytk.dll
    2009-11-28 10:43:28 149280 ----a-w- c:\windows\syswow64\javaws.exe
    2009-11-28 10:43:28 145184 ----a-w- c:\windows\syswow64\javaw.exe
    2009-11-28 10:43:28 145184 ----a-w- c:\windows\syswow64\java.exe
    2009-11-28 06:53:32 414 ----a-w- c:\windows\syswow64\lame_acm.xml
    2009-11-28 06:53:32 38 ----a-w- c:\windows\avisplitter.ini
    2009-11-28 06:53:32 178176 ----a-w- c:\windows\syswow64\unrar.dll
    2009-11-28 06:53:31 881664 ----a-w- c:\windows\syswow64\xvidcore.dll
    2009-11-28 06:53:31 839680 ----a-w- c:\windows\syswow64\lameACM.acm
    2009-11-28 06:53:31 217088 ----a-w- c:\windows\syswow64\yv12vfw.dll
    2009-11-28 06:53:31 205824 ----a-w- c:\windows\syswow64\xvidvfw.dll
    2009-11-28 06:53:31 118784 ----a-w- c:\windows\syswow64\ac3acm.acm
    2009-11-28 06:53:30 85504 ----a-w- c:\windows\syswow64\ff_vfw.dll
    2009-11-28 06:53:30 547 ----a-w- c:\windows\syswow64\ff_vfw.dll.manifest
    2009-11-28 06:53:29 0 d
    w- c:\program files (x86)\K-Lite Codec Pack
    2009-11-28 06:39:57 0 d
    w- c:\program files (x86)\VirtualDub-1.9.7
    2009-11-27 05:54:44 0 d
    w- c:\program files (x86)\IObit
    2009-11-26 09:07:36 132 ----a-w- c:\windows\system32\rezumatenoi.dat
    2009-11-26 07:02:46 0 d
    w- c:\program files (x86)\URUSoft
    2009-11-25 20:00:31 2048 ----a-w- c:\windows\syswow64\tzres.dll
    2009-11-25 20:00:31 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-11-25 15:56:40 0 d
    w- C:\Temp
    2009-11-25 12:54:23 0 d
    w- c:\program files\Cheetah Burner
    2009-11-25 04:54:43 0 d
    w- c:\programdata\Nero
    2009-11-24 14:07:17 519000 ----a-w- c:\windows\system32\d3dx10_40.dll
    2009-11-24 14:07:17 452440 ----a-w- c:\windows\syswow64\d3dx10_40.dll
    2009-11-24 14:07:17 2605920 ----a-w- c:\windows\system32\D3DCompiler_40.dll
    2009-11-24 14:07:17 2036576 ----a-w- c:\windows\syswow64\D3DCompiler_40.dll
    2009-11-24 14:07:13 5631312 ----a-w- c:\windows\system32\D3DX9_40.dll
    2009-11-24 14:07:13 4379984 ----a-w- c:\windows\syswow64\D3DX9_40.dll
    2009-11-24 13:31:18 0 d
    w- c:\program files (x86)\Activision
    2009-11-24 10:51:13 311808 ----a-w- c:\windows\system32\msv1_0.dll
    2009-11-24 10:51:13 257024 ----a-w- c:\windows\syswow64\msv1_0.dll
    2009-11-24 10:51:02 0 d
    w- c:\program files (x86)\MSXML 4.0
    2009-11-24 04:02:51 0 d
    w- c:\program files (x86)\Bethesda Softworks
    2009-11-24 03:47:37 0 d
    w- C:\Fallout 3
    2009-11-24 03:24:38 0 d
    w- c:\program files (x86)\common files\PX Storage Engine
    2009-11-24 03:07:08 0 d
    w- c:\program files (x86)\GRETECH
    2009-11-23 10:29:43 0 d
    w- c:\programdata\Electronic Arts
    2009-11-23 09:47:54 0 ----a-w- c:\windows\system32\wsbl.dat
    2009-11-23 09:47:54 0 ----a-w- c:\windows\system32\ph_white.dat
    2009-11-23 09:47:54 0 ----a-w- c:\windows\system32\ph_summ.dat
    2009-11-23 09:47:54 0 ----a-w- c:\windows\system32\ph_spoof.sig
    2009-11-23 09:47:54 0 ----a-w- c:\windows\system32\ph_sign.slf
    2009-11-23 09:47:54 0 ----a-w- c:\windows\system32\ph_fuzzy.sig
    2009-11-23 09:47:54 0 ----a-w- c:\windows\system32\ph_black.dat
    2009-11-23 09:47:54 0 ----a-w- c:\windows\system32\pcwords2.dat
    2009-11-23 09:47:54 0 ----a-w- c:\windows\system32\pcwords.dat
    2009-11-23 09:47:54 0 ----a-w- c:\windows\system32\pc_sign.slf
    2009-11-23 09:47:54 0 ----a-w- c:\windows\system32\ab_sbl.sig
    2009-11-23 09:30:26 0 d
    w- C:\Simon's Movies
    2009-11-23 08:52:54 4 ----a-w- c:\windows\system32\aspdict-en.dat
    2009-11-23 08:52:54 16 ----a-w- c:\windows\system32\asdict.dat
    2009-11-23 08:52:54 0 ----a-w- c:\windows\system32\ab_bl.sig
    2009-11-23 08:48:49 0 d
    w- c:\program files\BitDefender
    2009-11-23 01:44:37 896 ----a-w- c:\windows\system32\wbem\ServiceModel.mof.uninstall
    2009-11-23 01:44:37 83607 ----a-w- c:\windows\system32\wbem\ServiceModel.mof
    2009-11-23 01:44:36 0 d
    w- c:\program files\Reference Assemblies
    2009-11-23 01:44:36 0 d
    w- c:\program files\MSBuild
    2009-11-23 00:56:17 0 d
    w- C:\Games
    2009-11-23 00:07:37 0 d
    w- c:\windows\Panther
    2009-11-23 00:07:25 8192 --sha-r- C:\BOOTSECT.BAK
    2009-11-23 00:07:23 383562 --sha-r- C:\bootmgr
    2009-11-23 00:07:23 0 d-sh--w- C:\Boot
    2009-11-22 18:56:01 0 d
    w- c:\program files\Star Wars The Clone Wars Republic Heroes
    2009-11-22 18:54:08 0 d
    w- c:\programdata\SWTCWRH
    2009-11-22 18:53:35 0 d
    w- c:\windows\syswow64\AGEIA
    2009-11-22 18:53:27 0 d
    w- c:\program files (x86)\common files\Wise Installation Wizard
    2009-11-22 18:40:42 0 d
    w- c:\program files\README
    2009-11-22 18:18:41 0 d
    w- c:\program files\WinRAR
    2009-11-22 17:59:15 0 d
    w- c:\program files (x86)\Microsoft WSE
    2009-11-22 16:40:52 0 d
    w- c:\program files\505games
    2009-11-22 15:15:46 0 d
    w- c:\program files (x86)\uTorrent
    2009-11-22 15:13:48 0 d
    w- c:\program files\Empire Total War
    2009-11-22 14:48:27 0 d
    w- c:\program files (x86)\Microsoft Games for Windows - LIVE
    2009-11-22 14:46:47 0 d--h--w- c:\windows\msdownld.tmp
    2009-11-22 14:46:39 0 d
    w- c:\windows\syswow64\directx
    2009-11-22 13:43:37 0 d
    w- c:\windows\syswow64\Adobe
    2009-11-22 12:58:03 81768 ----a-w- c:\windows\syswow64\XINPUT1_3.dll
    2009-11-22 12:58:03 3851784 ----a-w- c:\windows\syswow64\d3dx9_39.dll
    2009-11-22 12:53:52 0 d
    w- c:\program files (x86)\LucasArts
    2009-11-22 11:52:37 0 d
    w- C:\movies
    2009-11-22 11:52:30 0 d
    w- C:\Music
    2009-11-22 11:45:50 0 d
    w- c:\programdata\InstallShield
    2009-11-22 11:45:24 0 d
    w- c:\program files (x86)\True
    2009-11-22 09:38:50 0 d
    w- c:\windows\PCHEALTH
    2009-11-22 09:37:33 0 d
    w- c:\program files\Microsoft Office
    2009-11-22 09:37:30 0 d
    w- c:\program files (x86)\Microsoft Visual Studio 8
    2009-11-22 09:36:59 0 d
    w- c:\programdata\Microsoft Help
    2009-11-22 09:26:50 0 d
    w- c:\program files (x86)\My Company Name
    2009-11-22 09:25:51 0 d
    w- c:\program files\ATI
    2009-11-22 09:25:48 0 d
    w- c:\program files (x86)\ATI Technologies
    2009-11-22 09:25:23 0 d
    w- c:\program files\ATI Technologies
    2009-11-22 09:22:38 0 d-sh--w- c:\windows\Installer
    2009-11-22 09:20:35 0 d
    w- c:\programdata\ATI
    2009-11-22 09:20:07 0 ----a-w- c:\windows\ativpsrm.bin
    2009-11-22 09:19:18 0 d
    w- c:\program files (x86)\ATI
    2009-11-22 09:17:58 383592 --sh--r- C:\gdrop
    2009-11-22 09:17:58 171136 --sh--r- C:\xeldr
    2009-11-22 09:16:33 0 d
    w- C:\ATI
    2009-11-22 09:13:03 0 d-sh--w- C:\Recovery
    2009-11-22 09:11:12 0 d
    w- c:\windows\syswow64\Macromed
    2009-11-22 09:09:12 0 d
    w- c:\windows\system32\appmgmt
    2009-11-22 09:08:09 81984 ----a-w- c:\windows\system32\bdod.bin
    2009-11-22 09:00:57 850 ----a-w- c:\windows\system32\ProductTweaks.xml
    2009-11-22 09:00:57 385 ----a-w- c:\windows\system32\user_gensett.xml
    2009-11-22 08:58:41 0 d
    w- c:\program files (x86)\common files\MSSoap
    2009-11-22 08:58:41 0 d
    w- C:\Binaries
    2009-11-22 08:58:26 0 d
    w- c:\programdata\BitDefender
    2009-11-22 08:58:26 0 d
    w- c:\program files\common files\BitDefender
    2009-11-22 08:57:55 734870 ----a-w- c:\windows\syswow64\PerfStringBackup.INI
    2009-11-22 08:57:37 0 d
    w- c:\windows\syswow64\URTTEMP
    2009-11-22 08:57:27 0 d
    w- c:\program files (x86)\common files\BitDefender
    2009-11-22 08:51:05 0 d
    w- c:\program files (x86)\Microsoft Speech SDK 5.1
    2009-11-22 08:50:05 58 ----a-w- c:\windows\system32\thsd1735.dll
    2009-11-22 08:50:05 0 d
    w- c:\program files (x86)\ThaiSoftware Enterprise
    2009-11-22 08:47:10 0 d
    w- c:\program files (x86)\USB Disk Security
    2009-11-22 08:39:44 0 d
    w- c:\programdata\ACD Systems
    2009-11-22 08:39:39 0 d
    w- c:\program files (x86)\common files\ACD Systems
    2009-11-22 08:39:39 0 d
    w- c:\program files (x86)\ACD Systems

    ==================== Find3M ====================

    2009-11-23 09:41:50 101896 ----a-w- c:\windows\system32\drivers\bdhv.sys
    2009-11-23 09:34:47 87048 ----a-w- c:\windows\system32\drivers\BdfNdisf6.sys
    2009-11-23 01:44:31 43318 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
    2009-11-23 01:44:31 29779 ----a-w- c:\windows\fonts\GlobalSerif.CompositeFont
    2009-11-23 01:44:31 26489 ----a-w- c:\windows\fonts\GlobalSansSerif.CompositeFont
    2009-11-23 01:44:31 26040 ----a-w- c:\windows\fonts\GlobalMonospace.CompositeFont
    2009-11-04 16:17:30 6088192 ----a-w- c:\windows\system32\drivers\atikmdag.sys
    2009-11-04 15:46:00 479232 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2009-11-04 15:45:48 436736 ----a-w- c:\windows\system32\atieclxx.exe
    2009-11-04 15:45:14 202752 ----a-w- c:\windows\system32\atiesrxx.exe
    2009-11-04 15:43:50 120320 ----a-w- c:\windows\system32\atitmm64.dll
    2009-11-04 15:43:32 421376 ----a-w- c:\windows\system32\atipdl64.dll
    2009-11-04 15:43:24 356352 ----a-w- c:\windows\syswow64\atipdlxx.dll
    2009-11-04 15:43:10 274432 ----a-w- c:\windows\syswow64\Oemdspif.dll
    2009-11-04 15:43:02 12288 ----a-w- c:\windows\system32\atimuixx.dll
    2009-11-04 15:42:58 59392 ----a-w- c:\windows\system32\atiedu64.dll
    2009-11-04 15:42:52 43520 ----a-w- c:\windows\syswow64\ati2edxx.dll
    2009-11-04 15:39:24 3034624 ----a-w- c:\windows\syswow64\atidxx32.dll
    2009-11-04 15:34:56 17199616 ----a-w- c:\windows\system32\atio6axx.dll
    2009-11-04 15:31:40 3624448 ----a-w- c:\windows\system32\atidxx64.dll
    2009-11-04 15:23:10 3602432 ----a-w- c:\windows\syswow64\atiumdag.dll
    2009-11-04 15:17:30 4661760 ----a-w- c:\windows\system32\atiumd64.dll
    2009-11-04 15:11:30 12964352 ----a-w- c:\windows\syswow64\atioglxx.dll
    2009-11-04 15:11:16 2599424 ----a-w- c:\windows\system32\atiumd6a.dll
    2009-11-04 15:05:20 2899456 ----a-w- c:\windows\syswow64\atiumdva.dll
    2009-11-04 14:52:58 53248 ----a-w- c:\windows\system32\atimpc64.dll
    2009-11-04 14:52:58 53248 ----a-w- c:\windows\system32\amdpcom64.dll
    2009-11-04 14:52:52 52224 ----a-w- c:\windows\syswow64\atimpc32.dll
    2009-11-04 14:52:52 52224 ----a-w- c:\windows\syswow64\amdpcom32.dll
    2009-11-04 14:52:28 302592 ----a-w- c:\windows\system32\atiadlxx.dll
    2009-11-04 14:52:22 208896 ----a-w- c:\windows\syswow64\atiadlxy.dll
    2009-11-04 14:47:54 43008 ----a-w- c:\windows\system32\aticalrt64.dll
    2009-11-04 14:47:52 53248 ----a-w- c:\windows\syswow64\aticalrt.dll
    2009-11-04 14:47:42 39936 ----a-w- c:\windows\system32\aticalcl64.dll
    2009-11-04 14:47:40 53248 ----a-w- c:\windows\syswow64\aticalcl.dll
    2009-11-04 14:47:30 4634112 ----a-w- c:\windows\system32\aticaldd64.dll
    2009-11-04 14:46:34 3547136 ----a-w- c:\windows\syswow64\aticaldd.dll
    2009-11-04 14:37:24 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
    2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
    2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
    2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
    2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
    2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

    ============= FINISH: 3:41:41.56 ===============


    DDS (Ver_09-12-01.01)

    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 22/11/2552 16:13:07
    System Uptime: 17/12/2009 3:36:45 (4759847 hours ago)

    Motherboard: ASUSTeK Computer INC. | | P5QPL-AM
    Processor: Pentium(R) Dual-Core CPU E6300 @ 2.80GHz | LGA775 | 2800/266mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 466 GiB total, 293.509 GiB free.
    D: is CDROM (CDFS)

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Teredo Tunneling Adapter
    Device ID: ROOT\*TEREDO\0000
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TEREDO\0000
    Service: tunnel

    ==== System Restore Points ===================

    RP64: 15/12/2552 20:52:17 - Installed SUPERAntiSpyware Free Edition
    RP65: 15/12/2552 22:03:58 - Windows Update
    RP66: 15/12/2552 22:06:37 - Installed ESET NOD32 Antivirus
    RP67: 15/12/2552 22:37:08 - Removed The Sims 3
    RP68: 15/12/2552 22:38:46 - Removed SUPERAntiSpyware Free Edition
    RP69: 16/12/2552 18:19:28 - Installed SUPERAntiSpyware Free Edition
    RP70: 16/12/2552 18:21:44 - Device Driver Package Install: Check Point Software Technologies Ltd. Network Service

    ==== Installed Programs ======================

    µTorrent
    ACDSee Pro 2.5
    Adobe Flash Player 10 ActiveX
    Adobe Shockwave Player 11.5
    Advertising Center
    ASUS VGA Driver
    ATI Catalyst Registration
    Call of Duty Modern Warfare 2
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center HydraVision Full
    Catalyst Control Center InstallProxy
    ccc-core-static
    CCC Help English
    CCleaner
    Cheetah DVD Burner
    EA Download Manager
    Fallout 3
    Foxit Reader
    Game Booster
    GOM Player
    Google Chrome Frame
    Google Update Helper
    Grand Theft Auto IV
    hi-speed Navigator
    HijackThis 2.0.2
    ImagXpress
    Java(TM) 6 Update 17
    K-Lite Codec Pack 5.4.0 (Full)
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft Games for Windows - LIVE
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access MUI (Thai) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Excel MUI (Thai) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (Thai) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office InfoPath MUI (Thai) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office OneNote MUI (Thai) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office Outlook MUI (Thai) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint MUI (Thai) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proof (Thai) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing (Thai) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Publisher MUI (Thai) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared MUI (Thai) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Office Word MUI (Thai) 2007
    Microsoft Speech SDK 5.1
    Microsoft Visual C++ 2005 Redistributable
    Microsoft WSE 3.0 Runtime
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    neroxml
    NOD32 FiX v2.1
    NVIDIA PhysX v8.05.26
    Republic Heroes
    SUPERAntiSpyware Free Edition
    ThaiSoftware Dictionary v.7.0
    The Sims 2 18 in ONE By GAMEGOD
    Uniblue RegistryBooster 2010
    USB Disk Security 5.1.0.8
    Winamp
    Windows Live OneCare safety scanner
    Yrefresher 1.00
    ZoneAlarm

    ==== Event Viewer Messages From Past Week ========

    17/12/2552 3:37:36, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
    17/12/2552 3:36:56, Error: Application Popup [1060] - \??\C:\Program Files (x86)\SUPERAntiSpyware\SASKUTIL.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    17/12/2552 3:36:56, Error: Application Popup [1060] - \??\C:\Program Files (x86)\SUPERAntiSpyware\SASDIFSV.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    16/12/2552 20:04:04, Error: Schannel [36888] - The following fatal alert was generated: 10. The internal error state is 10.
    16/12/2552 19:10:58, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    16/12/2552 19:10:57, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    16/12/2552 19:10:56, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    16/12/2552 19:10:54, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    16/12/2552 19:10:54, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    16/12/2552 19:10:53, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    16/12/2552 19:10:47, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    16/12/2552 19:10:45, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache ehdrv NetBIOS NetBT nsiproxy Psched rdbss SASDIFSV SASKUTIL spldr tdx Vsdatant Wanarpv6 WfpLwf
    16/12/2552 19:10:41, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    16/12/2552 19:10:41, Error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the Zone Alarm Firewall Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    16/12/2552 19:10:41, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    16/12/2552 19:10:41, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    16/12/2552 19:10:41, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    16/12/2552 19:10:41, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    16/12/2552 19:10:41, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    16/12/2552 19:10:41, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    16/12/2552 19:10:41, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    16/12/2552 19:10:41, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    16/12/2552 19:10:41, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    16/12/2552 18:22:35, Error: Service Control Manager [7030] - The ZoneAlarm Toolbar IswSvc service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    16/12/2552 18:22:14, Error: Service Control Manager [7030] - The TrueVector Internet Monitor service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    16/12/2552 18:20:05, Error: Service Control Manager [7000] - The SASENUM service failed to start due to the following error: This driver has been blocked from loading
    16/12/2552 18:20:05, Error: Application Popup [1060] - \??\C:\Program Files (x86)\SUPERAntiSpyware\SASENUM.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    16/12/2552 18:20:00, Error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: This driver has been blocked from loading
    16/12/2552 18:19:59, Error: Service Control Manager [7000] - The SASKUTIL service failed to start due to the following error: This driver has been blocked from loading
    16/12/2552 18:17:37, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    16/12/2552 18:16:41, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache ehdrv spldr Wanarpv6
    15/12/2552 23:43:54, Error: Service Control Manager [7031] - The Windows Defender service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    15/12/2552 23:43:46, Error: Service Control Manager [7034] - The AMD External Events Utility service terminated unexpectedly. It has done this 1 time(s).
    14/12/2552 22:14:12, Error: Service Control Manager [7024] - The Windows Firewall service terminated with service-specific error Access is denied..
    14/12/2552 22:04:04, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service VSSERV with arguments "" in order to run the server: {6DFC0DC7-FDC5-44C2-8B80-5977BA8F8ACC}
    14/12/2552 22:03:20, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    14/12/2552 22:03:04, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: bdfsfltr bdfwfpf discache spldr Wanarpv6
    14/12/2552 21:53:43, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    14/12/2552 21:33:42, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSP AvgLdx64 AvgMfx64 discache Partizan spldr Wanarpv6
    14/12/2552 21:00:01, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSP AvgLdx64 AvgMfx64 discache spldr Wanarpv6
    14/12/2552 20:59:06, Error: Service Control Manager [7030] - The avast! Web Scanner service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    14/12/2552 20:59:05, Error: Service Control Manager [7030] - The avast! Mail Scanner service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    14/12/2552 20:59:05, Error: Service Control Manager [7030] - The avast! iAVS4 Control Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    14/12/2552 20:59:04, Error: Service Control Manager [7030] - The avast! Antivirus service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    14/12/2552 20:11:09, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx64 AvgMfx64 discache spldr Wanarpv6
    14/12/2552 20:07:35, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx64 AvgMfx64 AvgTdiA CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx Wanarpv6 WfpLwf
    14/12/2552 20:06:19, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service stisvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    14/12/2552 19:21:26, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the Plug and Play service, but this action failed with the following error: A system shutdown has already been scheduled.
    14/12/2552 19:21:26, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the DCOM Server Process Launcher service, but this action failed with the following error: A system shutdown has already been scheduled.
    14/12/2552 19:21:26, Error: Service Control Manager [7031] - The Power service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
    14/12/2552 19:21:26, Error: Service Control Manager [7031] - The Plug and Play service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
    14/12/2552 19:21:26, Error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
    14/12/2552 19:07:28, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the RPC Endpoint Mapper service, but this action failed with the following error: An instance of the service is already running.
    14/12/2552 19:07:23, Error: Service Control Manager [7001] - The User Profile Service service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
    14/12/2552 19:07:23, Error: Service Control Manager [7001] - The Remote Procedure Call (RPC) service depends on the RPC Endpoint Mapper service which failed to start because of the following error: The service has not been started.
    14/12/2552 19:07:18, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Driver Foundation - User-mode Driver Framework service to connect.
    14/12/2552 19:07:18, Error: Service Control Manager [7001] - The Portable Device Enumerator Service service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
    14/12/2552 19:07:18, Error: Service Control Manager [7000] - The Windows Driver Foundation - User-mode Driver Framework service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    14/12/2552 19:06:20, Error: Service Control Manager [7001] - The Windows Defender service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
    14/12/2552 19:06:16, Error: Service Control Manager [7001] - The Remote Procedure Call (RPC) service depends on the RPC Endpoint Mapper service which failed to start because of the following error: The service has returned a service-specific error code.
    14/12/2552 19:06:16, Error: Service Control Manager [7001] - The Cryptographic Services service depends on the Remote Procedure Call (RPC) service which failed to start because of the following error: The dependency service or group failed to start.
    14/12/2552 19:05:28, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the Remote Procedure Call (RPC) service, but this action failed with the following error: A system shutdown has already been scheduled.
    14/12/2552 19:05:28, Error: Service Control Manager [7031] - The RPC Endpoint Mapper service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    14/12/2552 19:05:28, Error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
    14/12/2552 19:05:25, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the Power service, but this action failed with the following error: A system shutdown has already been scheduled.
    14/12/2552 19:05:23, Error: Service Control Manager [7034] - The Application Information service terminated unexpectedly. It has done this 1 time(s).
    14/12/2552 19:05:23, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    14/12/2552 19:05:23, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    14/12/2552 19:05:18, Error: Service Control Manager [7031] - The Windows Driver Foundation - User-mode Driver Framework service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    14/12/2552 19:05:16, Error: Service Control Manager [7031] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    14/12/2552 15:47:19, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6
    13/12/2552 11:12:43, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.
    12/12/2552 12:01:59, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} and APPID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user User-PC\User SID (S-1-5-21-222245395-69493320-1356158625-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

    ==== End Of File ===========================
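The Service Control Manager entries above are the part of this export that actually tells a story: two clusters of core-service crashes (around 19:05 and 19:21) and boot-start drivers that failed to load. As an added example, not part of the thread and not code from any of the tools mentioned in it, here is a small Python triage script that parses lines in this export's format and pulls out crashed services, failed drivers and bursts of crashes close together in time. The sample lines are copied from the export above; the 60-second window and the three-crash threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: a handful of lines copied from the Service Control Manager
# section of the event-viewer export quoted in the thread (abridged).
SAMPLE_LOG = """\
14/12/2552 20:11:09, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx64 AvgMfx64 discache spldr Wanarpv6
14/12/2552 19:21:26, Error: Service Control Manager [7031] - The Power service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
14/12/2552 19:21:26, Error: Service Control Manager [7031] - The Plug and Play service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
14/12/2552 19:21:26, Error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
14/12/2552 19:05:28, Error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
14/12/2552 19:05:23, Error: Service Control Manager [7034] - The Application Information service terminated unexpectedly. It has done this 1 time(s).
14/12/2552 19:05:16, Error: Service Control Manager [7031] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
13/12/2552 11:12:43, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.
"""

# One exported line: "dd/mm/yyyy hh:mm:ss, Level: Source [EventID] - message"
LINE_RE = re.compile(
    r"^(?P<stamp>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2}), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)
SVC_TERM_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")
DRV_FAIL_RE = re.compile(r"driver\(s\) failed to load: (?P<drivers>.+)$")

# SCM event IDs that appear in the export and what they mean for triage.
EVENT_MEANING = {
    7026: "boot-start driver failed to load",
    7031: "service terminated unexpectedly (recovery action scheduled)",
    7034: "service terminated unexpectedly (no recovery action)",
    7043: "service did not shut down cleanly",
}


def parse_events(text):
    """Parse exported lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            # The export prints the year as 2552 (a locale calendar); we parse it
            # literally because only the ordering of events matters here.
            "ts": datetime.strptime(m["stamp"], "%d/%m/%Y %H:%M:%S"),
            "level": m["level"],
            "source": m["source"],
            "event_id": int(m["event_id"]),
            "msg": m["msg"],
        })
    return events


def crashed_service(event):
    """Name of the service for a 7031/7034 crash event, else None."""
    if event["event_id"] not in (7031, 7034):
        return None
    m = SVC_TERM_RE.match(event["msg"])
    return m["svc"] if m else None


def failed_drivers(event):
    """Driver names listed in a 7026 event, else an empty list."""
    if event["event_id"] != 7026:
        return []
    m = DRV_FAIL_RE.search(event["msg"])
    return m["drivers"].split() if m else []


def crash_bursts(events, window=timedelta(seconds=60), min_count=3):
    """Group service crashes into bursts: runs of crashes where every event falls
    within `window` of the first crash in the run. Several core services dying
    together, as in the thread's log, is worth a closer look whatever its cause."""
    crashes = sorted((e for e in events if crashed_service(e)), key=lambda e: e["ts"])
    bursts, current = [], []
    for e in crashes:
        if current and e["ts"] - current[0]["ts"] > window:
            bursts.append(current)
            current = []
        current.append(e)
    if current:
        bursts.append(current)
    return [b for b in bursts if len(b) >= min_count]


def summarize(text):
    """Triage summary: counts per event ID, crashed services, failed drivers, bursts."""
    events = parse_events(text)
    drivers = []
    for e in events:
        drivers.extend(failed_drivers(e))
    return {
        "events": len(events),
        "by_event_id": dict(Counter(e["event_id"] for e in events)),
        "crashed_services": [crashed_service(e) for e in events if crashed_service(e)],
        "failed_drivers": drivers,
        "bursts": [[crashed_service(e) for e in b] for b in crash_bursts(events)],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for eid, n in sorted(report["by_event_id"].items()):
        print(f"{eid} x{n}: {EVENT_MEANING.get(eid, 'other')}")
    print("crashed services:", ", ".join(report["crashed_services"]))
    print("failed drivers:", ", ".join(report["failed_drivers"]))
    for burst in report["bursts"]:
        print("crash burst:", ", ".join(burst))
```

On the sample the script reports two bursts, the 19:05 run (Cryptographic Services, Application Information, RPC) and the 19:21 run (Power, Plug and Play, DCOM Server Process Launcher), plus the five drivers that failed to load at 20:11. Note what it does not do: a burst only says that something took down core services in quick succession; whether that was the infection, the failed AV uninstall or the system restore has to come from the rest of the timeline.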


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    hi

    Please download OTM
    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      :Processes
      
      :Services
      
      :Reg
      
      :Files
      c:\windows\system32\rezumatenoi.dat
      C:\gdrop
      C:\xeldr
      c:\windows\system32\bdod.bin
      c:\windows\system32\drivers\bdhv.sys
      c:\windows\system32\drivers\BdfNdisf6.sys
      c:\program files (x86)\common files\BitDefender
      
      :Commands
      [purity]
      [emptytemp]
      [Reboot]
      
    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.




    Please download Malwarebytes' Anti-Malware from Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.






    Go to Kaspersky website and perform an online antivirus scan.
    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


  • Registered Users, Registered Users 2 Posts: 5,395 ✭✭✭danjo-xx


      Don't use ZoneAlarm, it's partnered with some spyware firms.


      As asked above, can you give us any more details on this or a link?


  • Registered Users, Registered Users 2 Posts: 895 ✭✭✭crybaby


      All processes killed
      ========== PROCESSES ==========
      ========== SERVICES/DRIVERS ==========
      ========== REGISTRY ==========
      ========== FILES ==========
      File/Folder c:\windows\system32\rezumatenoi.dat not found.
      C:\gdrop moved successfully.
      C:\xeldr moved successfully.
      File/Folder c:\windows\system32\bdod.bin not found.
      File/Folder c:\windows\system32\drivers\bdhv.sys not found.
      File/Folder c:\windows\system32\drivers\BdfNdisf6.sys not found.
      c:\program files (x86)\common files\BitDefender\Setup Information folder moved successfully.
      c:\program files (x86)\common files\BitDefender folder moved successfully.
      ========== COMMANDS ==========

      [EMPTYTEMP]

      User: aaaa
      ->Temp folder emptied: 179456 bytes
      ->Temporary Internet Files folder emptied: 32768 bytes

      User: aaaa.User-PC
      ->Temp folder emptied: 1918559 bytes
      ->Temporary Internet Files folder emptied: 8361316 bytes

      User: All Users

      User: Default
      ->Temp folder emptied: 0 bytes
      ->Temporary Internet Files folder emptied: 0 bytes

      User: Default User
      ->Temp folder emptied: 0 bytes
      ->Temporary Internet Files folder emptied: 0 bytes

      User: Public

      User: Simon
      ->Temp folder emptied: 33135700 bytes


  • Registered Users, Registered Users 2 Posts: 895 ✭✭✭crybaby


      Log after reboot from OTM - I ran OTM as normal not as administrator as I am on Windows 7 so wasn't sure what to do. Should I run it again to see if it can find those files?

      All processes killed
      ========== PROCESSES ==========
      ========== SERVICES/DRIVERS ==========
      ========== REGISTRY ==========
      ========== FILES ==========
      File/Folder c:\windows\system32\rezumatenoi.dat not found.
      C:\gdrop moved successfully.
      C:\xeldr moved successfully.
      File/Folder c:\windows\system32\bdod.bin not found.
      File/Folder c:\windows\system32\drivers\bdhv.sys not found.
      File/Folder c:\windows\system32\drivers\BdfNdisf6.sys not found.
      c:\program files (x86)\common files\BitDefender\Setup Information folder moved successfully.
      c:\program files (x86)\common files\BitDefender folder moved successfully.
      ========== COMMANDS ==========

      [EMPTYTEMP]

      User: aaaa
      ->Temp folder emptied: 179456 bytes
      ->Temporary Internet Files folder emptied: 32768 bytes

      User: aaaa.User-PC
      ->Temp folder emptied: 1918559 bytes
      ->Temporary Internet Files folder emptied: 8361316 bytes

      User: All Users

      User: Default
      ->Temp folder emptied: 0 bytes
      ->Temporary Internet Files folder emptied: 0 bytes

      User: Default User
      ->Temp folder emptied: 0 bytes
      ->Temporary Internet Files folder emptied: 0 bytes

      User: Public

      User: Simon
      ->Temp folder emptied: 33135700 bytes
      ->Temporary Internet Files folder emptied: 32292234 bytes
      ->Java cache emptied: 5400 bytes

      %systemdrive% .tmp files removed: 0 bytes
      %systemroot% .tmp files removed: 0 bytes
      %systemroot%\System32 .tmp files removed: 0 bytes
      %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
      Windows Temp folder emptied: 13994985 bytes
      %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
      RecycleBin emptied: 0 bytes

      Total Files Cleaned = 85.80 mb


      OTM by OldTimer - Version 3.1.2.2 log created on 12172009_043851

      Files moved on Reboot...
      C:\Users\Simon\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
      File C:\Users\Simon\AppData\Local\Temp\~DF2F4761D6E0ED62F7.TMP not found!
      C:\Users\Simon\AppData\Local\Temp\~DF4DB531136F4E37D6.TMP moved successfully.
      File C:\Users\Simon\AppData\Local\Temp\~DF81078C2E9923CDC9.TMP not found!
      File C:\Users\Simon\AppData\Local\Temp\~DFB56B1BB364A72A7F.TMP not found!
      File C:\Users\Simon\AppData\Local\Temp\~DFE7CFF88EF4B4B10B.TMP not found!
      File C:\Users\Simon\AppData\Local\Temp\~DFEF21414F168E36D0.TMP not found!
      File C:\Users\Simon\AppData\Local\Temp\~DFEFEB9265983A998A.TMP not found!
      File move failed. C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\642OETX1\1ACA06KLJDCA3XEUBSCA3AANAPCAVNKPK6CAA8DJRDCAPE15XDCAEO0ARHCANEERZSCAR0476LCAUYJIXKCAJOQ9XKCA5LNNZ4CA0X80UCCAGP5P8YCAE0VEK9CAL7QT80CAR950WBCAG3Q9SJCA8P04DJ.htm scheduled to be moved on reboot.
      File C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\642OETX1\st[1] not found!
      File C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\15LXXJ9S\showthread[1].htm not found!
      C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
      C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
      File C:\Windows\temp\ZLT06418.TMP not found!


  • Registered Users, Registered Users 2 Posts: 895 ✭✭✭crybaby


      Scanned with Malwarebytes, log below. Thanks for all the help so far, 'tis much appreciated!

      Malwarebytes' Anti-Malware 1.42
      Database version: 3378
      Windows 6.1.7600
      Internet Explorer 8.0.7600.16385

      17/12/2552 4:53:12
      mbam-log-2009-12-17 (04-53-12).txt

      Scan type: Quick Scan
      Objects scanned: 110911
      Time elapsed: 2 minute(s), 40 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)


      Just waiting for Kaspersky to update fully


  • Registered Users, Registered Users 2 Posts: 895 ✭✭✭crybaby


      OK, the Kaspersky scanner came out clean. Can't post the log as I am at work; will post it when I get home in about 3 hours' time.

      OTM refuses to find those files you flagged when I click Moveit!, but I can find them easily when I search for them?

      Anyway thanks again for your help.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


      Your PC is clean, I wouldn't worry.


  • Registered Users, Registered Users 2 Posts: 895 ✭✭✭crybaby


      Brilliant, thanks again for the help.

      Solitaire over on the building and upgrading forum helped me put this machine together and you helped me fix it. Thanks a million mate.

