sluggish computer


22 replies to this topic

#1 <jjimbo>


Posted 28 January 2010 - 01:26 PM

(This log was originally answered by a non-member, hence my replies further down in the post, but it has not yet been resolved by a qualified member, so I was asked to put it in the help queue.)

I'm experiencing computer sluggishness and have run disk defrag and emptied unused folders and programmes.
More worryingly, I came across two entries in Task Manager processes, which were
- hbp.exe
- hookcontroller.exe

I terminated both but hbp came back. The Spybot scan was clear, as was the Malwarebytes scan (log below). Please could you
check my HJT log to see if all is in order?

Thanks very much for your assistance.
Win XP Home Edition


Malwarebytes' Anti-Malware 1.44
Database version: 3651
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/28/2010 3:26:38 PM
mbam-log-2010-01-28 (15-26-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 150388
Time elapsed: 19 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


hjt log-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:56 PM, on 1/28/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.c...w=%s&tbid=60076
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.sky.com/skynews/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.c...spx?tb_id=60076
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.c...aspx?TbId=60076
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.c...spx?tb_id=60076
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.c...aspx?TbId=60076
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro....iler/SysPro.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1252255393171
O16 - DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} (diskhealth Class) - http://utilities.pcp...DiskMD3Ctrl.dll
O16 - DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} (PCPitstop AntiVirus) - http://utilities.pcp...opAntiVirus.dll
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Microsoft Antimalware Service (MsMpSvc) - Unknown owner - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: STSService - Unknown owner - C:\Program Files\SoundTaxi Media Suite\STSService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7166 bytes
P.S. Occasionally I run CA Yahoo! Anti-Spy on demand (in the Yahoo toolbar) and it detected Ezula, so I ran the Symantec Ezula scan and it produced the following log
__
Symantec Adware.Ezula Removal Tool 1.0.3
process: iexplore.exe (terminated)
process: iexplore.exe (terminated)


Adware.Ezula has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 37261
The number of deleted threat files: 0
The number of threat processes terminated: 2
The number of registry entries fixed: 0

Edited by <jjimbo>, 03 February 2010 - 07:10 AM.


#2 <jjimbo>


Posted 29 January 2010 - 12:41 AM

(IGNORE THIS REPLY PLEASE) Thank you for the quick response.
I did as suggested and there is indeed a slight improvement.
Your assistance is very much appreciated.
(I think I will up my RAM from 512 MB to 2 GB rather than buy a new PC.)

Edited by <jjimbo>, 03 February 2010 - 08:01 AM.


#3 <jjimbo>


Posted 29 January 2010 - 08:04 AM

(IGNORE THIS REPLY PLEASE) Thanks for the advice.
I assumed that I post a log and a trained member helps.
How do I post a log, then, for the attention of a trained member?

I thought I had followed the correct procedure. Can you tell me where I went wrong, please?
Does this mean I will still get help?
Thanks again for the advice.

EDIT: I needed to delete my earlier comments so that you would get the message from the SWI Bot and you would show up in our list of people still waiting... It was Jiminy777 who made a mistake, not you... Please follow directions from the Bot to get help...

Edited by <jjimbo>, 03 February 2010 - 08:00 AM.


#4 SWI Support Robot


Posted 31 January 2010 - 07:04 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.


[this is an automated reply]
This is an automated message. It does not count as help.

#5 lance_yien


Posted 03 February 2010 - 09:14 AM

Hello <jjimbo> and welcome to SWI.

I'm lance_yien and will be helping you.

Please print out these instructions or copy them to a Notepad file for easier reading, and download to your Desktop:

  • Security Check by screen317 from here or here.
  • ComboFix© by sUBs from here or here
--

Please familiarize yourself with ComboFix here before running it.
I recommend you print out the information from this page or copy them to a Notepad file as well.

Please ensure you have disabled all anti-virus and anti-malware programs, then run ComboFix.

Notes:

  • It is very important that you have the Windows Recovery Console installed because without it, ComboFix shall not attempt the fixing of some serious infections.
    It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Please, DO NOT click ComboFix's window while it is running. This may cause it to hang.

Then, please double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt

Please post the contents of that document and C:\ComboFix.txt with a fresh HijackThis log.
Also, please let me know how your computer is functioning now.

#6 <jjimbo>


Posted 04 February 2010 - 04:21 AM

Hi lance_yien. Thank you for your assistance.
I give you this information in case it is important:

- I switched off the ZoneAlarm suite, but ComboFix advised that an AV scanner was still active (if you require, I will uninstall ZoneAlarm and rerun the scans).
- ComboFix shows Microsoft Security Essentials as disabled, but I don't have this application installed.
- I now have 2 Internet Explorer icons on my desktop after the scan (previously 1).
- On start-up after the scan I got the error message "Internet Explorer is not your default browser, do I want to make it..."

Anyway, here are my logs.

ComboFix 10-02-03.04 - jh 02/04/2010 9:23.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.249 [GMT 0:00]
Running from: c:\documents and settings\jh\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\windows\system32\drivers\etc\lmhosts

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.

2010-02-02 14:33 . 2010-02-02 14:42 -------- d-----w- c:\program files\Exterminate It!
2010-01-28 18:26 . 2010-01-29 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-28 18:26 . 2010-01-28 18:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-28 18:01 . 2010-01-28 18:01 16409960 ----a-w- c:\program files\spybotsd162.exe
2010-01-28 11:18 . 2010-01-28 11:18 -------- d-----w- c:\program files\Trend Micro
2010-01-28 11:01 . 2010-01-28 11:01 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-01-28 10:55 . 2010-01-28 10:55 -------- d-----w- c:\program files\FLVCodec
2010-01-28 10:54 . 2010-01-28 14:39 -------- d-----w- c:\program files\RipTiger
2010-01-25 16:47 . 2010-01-25 16:47 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-21 10:56 . 2007-08-31 12:52 33968 ----a-w- c:\windows\system32\anim.dll
2010-01-21 10:56 . 2004-12-07 10:11 258352 ----a-w- c:\windows\system32\unicows.dll
2010-01-21 10:56 . 2001-08-24 08:25 1706800 ----a-w- c:\windows\system32\gdiplus.dll
2010-01-21 10:56 . 1999-11-22 15:50 4608 ----a-w- c:\windows\system32\W95INF32.DLL
2010-01-21 10:56 . 1999-11-22 15:50 2272 ----a-w- c:\windows\system32\W95INF16.DLL
2010-01-21 10:56 . 2010-01-28 19:30 -------- d-----w- c:\program files\WinUtilities
2010-01-15 07:21 . 2010-01-15 07:21 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-01-13 13:00 . 2010-01-13 13:08 -------- d-----w- C:\e28b242a8090a3aad7a99a
2010-01-12 17:45 . 2010-01-28 17:22 -------- d-----w- c:\documents and settings\jh\Application Data\MailFrontier
2010-01-12 17:42 . 2009-08-26 21:09 72584 ----a-w- c:\windows\zllsputility.exe
2010-01-11 13:01 . 2010-01-11 13:01 -------- d-----w- C:\VundoFix Backups
2010-01-09 12:57 . 2010-01-09 12:57 -------- d-----w- c:\documents and settings\jh\Local Settings\Application Data\Apple Computer
2010-01-08 23:18 . 2009-10-13 16:42 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(5).sys
2010-01-08 23:18 . 2009-10-13 16:42 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(4).sys
2010-01-08 23:17 . 2009-10-13 16:42 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(3).sys
2010-01-08 23:16 . 2009-10-13 16:42 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(2).sys
2010-01-08 19:11 . 2010-01-08 19:25 -------- d-sh--w- c:\documents and settings\jh\Phone Browser
2010-01-08 18:46 . 2009-10-13 16:42 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(1).sys
2010-01-08 18:45 . 2010-01-22 13:32 -------- d-----w- c:\program files\Aimersoft
2010-01-08 16:27 . 2010-01-08 16:59 38784 ----a-w- c:\documents and settings\jh\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-05 15:43 . 2010-01-05 15:45 -------- d-----w- c:\documents and settings\jh\Application Data\muvee Technologies
2010-01-05 09:41 . 2010-01-05 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-04 09:13 . 2009-09-03 21:10 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-02-03 20:40 . 2010-02-04 08:52 2121728 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2010-02-03 20:40 . 2010-02-04 08:52 49664 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2010-02-02 21:04 . 2010-02-02 21:28 2119168 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-02-02 21:04 . 2010-02-02 21:28 66048 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-01-28 11:14 . 2009-09-04 17:04 -------- d-----w- c:\program files\IObit
2010-01-28 10:35 . 2010-01-28 10:35 2561668 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-01-25 16:54 . 2009-09-04 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-25 16:50 . 2009-09-05 18:53 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-22 22:29 . 2009-11-27 11:16 572712 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-19 14:15 . 2009-09-04 10:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-19 14:15 . 2009-09-11 19:41 5115824 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-12 17:41 . 2010-01-12 17:41 -------- d-----w- c:\program files\Zone Labs
2010-01-09 11:52 . 2009-09-03 23:40 -------- d-----w- c:\program files\SpywareBlaster
2010-01-09 11:49 . 2009-11-22 11:08 -------- d-----w- c:\program files\Google
2010-01-09 11:45 . 2009-09-04 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-08 17:16 . 2009-11-08 17:23 -------- d-----w- c:\program files\QuickMediaConverter
2010-01-08 16:59 . 2009-10-06 17:27 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-07 16:07 . 2009-09-04 10:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-09-04 10:08 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 16:06 . 2009-09-03 23:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-21 19:14 . 2004-08-10 11:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-21 15:07 . 2009-11-26 17:57 -------- d-----w- c:\documents and settings\jh\Application Data\Nokia
2009-12-17 10:52 . 2009-12-17 10:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-12-17 10:52 . 2009-12-17 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-12-17 10:52 . 2009-09-03 23:05 -------- d-----w- c:\program files\Yahoo!
2009-12-16 12:50 . 2009-11-06 16:16 -------- d-----w- c:\program files\YouTube Downloader
2009-12-16 12:50 . 2009-11-03 15:57 -------- d-----w- c:\program files\PodSpider
2009-12-16 12:50 . 2009-09-06 16:54 -------- d-----w- c:\program files\Windows Media Connect 2
2009-12-16 12:50 . 2009-09-04 18:56 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2009-12-16 12:50 . 2006-05-03 07:42 -------- d-----w- c:\program files\Microsoft Works
2009-12-10 15:13 . 2009-11-26 17:38 -------- d-----w- c:\program files\Nokia
2009-12-10 15:01 . 2009-11-26 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Nokia
2009-12-09 17:43 . 2009-11-26 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-12-09 17:41 . 2009-12-09 17:41 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{12D6E140-AEDB-4F78-9D4A-643786772120}\Installer\CommonCustomActions\Sleep.exe
2009-12-09 17:41 . 2009-12-09 17:41 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{12D6E140-AEDB-4F78-9D4A-643786772120}\Installer\CommonCustomActions\msxml6Exec.exe
2009-12-09 17:41 . 2009-12-09 17:41 3203453 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{12D6E140-AEDB-4F78-9D4A-643786772120}\Installer\CommonCustomActions\vcredistExec.exe
2009-12-09 17:39 . 2009-12-09 17:42 24438096 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{12D6E140-AEDB-4F78-9D4A-643786772120}\NokiaSoftwareUpdaterSetup_2.4.1EN.exe
2009-12-08 08:31 . 2009-12-08 08:31 -------- d-----w- c:\program files\NSS
2009-12-08 06:27 . 2009-09-04 11:28 34712 ----a-w- c:\documents and settings\jh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-08 06:25 . 2009-12-08 06:25 -------- d-----w- c:\program files\Common Files\muvee Technologies
2009-11-28 13:58 . 2009-11-28 13:58 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2009-11-28 13:58 . 2009-11-28 13:58 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2009-11-28 13:58 . 2009-11-28 13:58 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2009-11-28 13:58 . 2009-11-28 13:58 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Installer\CommonCustomActions\WMF11Runx86.exe
2009-11-28 13:58 . 2009-11-28 13:58 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Installer\CommonCustomActions\WMF11Runx64.exe
2009-11-28 13:58 . 2009-11-28 13:58 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Installer\CommonCustomActions\pcswpc.exe
2009-11-28 13:53 . 2009-11-28 13:57 94628904 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Nokia_Ovi_Suite_webinstaller_ALL.exe
2009-11-26 18:04 . 2009-11-26 18:04 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2009-11-26 18:04 . 2009-11-26 18:04 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2009-11-26 18:04 . 2009-11-26 18:04 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-11-26 18:04 . 2009-11-26 18:04 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
2009-11-26 18:03 . 2009-11-26 18:04 34429264 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng.exe
2009-11-26 17:54 . 2009-11-26 17:54 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\pcswpcsi.exe
2009-11-26 17:54 . 2009-11-26 17:54 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstCCD.exe
2009-11-26 17:54 . 2009-11-26 17:54 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-11-26 17:54 . 2009-11-26 17:54 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCS.exe
2009-11-26 17:53 . 2009-11-26 17:54 33773208 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Nokia_PC_Suite_7_1_30_9_eng_web[1].exe
2009-11-21 15:51 . 2004-08-10 11:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-19 19:53 . 2009-11-19 19:53 117760 ----a-w- c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-10-29 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-08-26 1011080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-10-29 160592]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^jh^Start Menu^Programs^Startup^PodNova Desktop Client.lnk]
backup=c:\windows\pss\PodNova Desktop Client.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiLogger
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IObit Security 360
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISW
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 15:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMusic FastStart]
2009-11-06 16:00 2090272 ----a-w- c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
2009-10-27 15:10 401728 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 10:57 1451520 ----a-w- c:\documents and settings\jh\My Documents\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 16:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-07 18:56 149280 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
2009-07-27 15:33 341312 -c----w- c:\program files\BillP Studios\WinPatrol\WinPatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YMailAdvisor]
2009-05-08 10:53 174424 ----a-w- c:\program files\Yahoo!\Common\YMailAdvisor.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PC Suite Tray"="c:\documents and settings\jh\My Documents\Nokia PC Suite 7\PCSuite.exe" -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 procguard;procguard;c:\windows\system32\drivers\procguard.sys [10/6/2009 4:25 PM 24911]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [1/8/2010 6:46 PM 25704]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [9/9/2009 10:59 AM 13224]
S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/22/2009 11:08 AM 135664]
S3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\DRIVERS\lgbtport.sys --> c:\windows\system32\DRIVERS\lgbtport.sys [?]
S3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\DRIVERS\lgbtbus.sys --> c:\windows\system32\DRIVERS\lgbtbus.sys [?]
S3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\DRIVERS\lgvmodem.sys --> c:\windows\system32\DRIVERS\lgvmodem.sys [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [11/26/2009 6:05 PM 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [11/26/2009 6:05 PM 8320]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [4/23/2007 12:54 PM 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [4/23/2007 12:54 PM 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [4/23/2007 12:54 PM 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [4/23/2007 12:54 PM 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [4/23/2007 12:54 PM 98568]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 STSService;STSService;"c:\program files\SoundTaxi Media Suite\STSService.exe" --> c:\program files\SoundTaxi Media Suite\STSService.exe [?]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [1/8/2010 11:16 PM 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [1/8/2010 11:17 PM 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [1/8/2010 11:18 PM 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [1/8/2010 11:18 PM 25704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9C450606-ED24-4958-92BA-B8940C99D441}]
2009-03-04 16:32 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.sky.com/skynews/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: yahoo.com\m.uk
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-MSSE - c:\program files\Microsoft Security Essentials\msseces.exe
MSConfigStartUp-Revo Uninstaller - c:\program files\VS Revo Group\Revo Uninstaller\revouninstaller.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 09:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1108)
c:\windows\system32\WININET.dll
c:\progra~1\ZONELA~1\ZONEAL~1\MAILFR~1\mlfhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\documents and settings\jh\My Documents\Nokia PC Suite 7\PhoneBrowser.dll
c:\documents and settings\jh\My Documents\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\documents and settings\jh\My Documents\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\documents and settings\jh\My Documents\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\locator.exe
.
**************************************************************************
.
Completion time: 2010-02-04 09:38:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-04 09:38

Pre-Run: 64,590,630,912 bytes free
Post-Run: 64,547,356,672 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 88F4854395D2592E2CA95FACC823FA1D



Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
ZoneAlarm Security Suite
``````````````````````````````
Anti-malware/Other Utilities Check:

WinPatrol 2009
CA Yahoo! Anti-Spy (remove only)
Spybot - Search & Destroy
HijackThis 2.0.2
CCleaner (remove only)
Java™ 6 Update 16
Java 2 Runtime Environment, SE v1.4.2_03
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.3
``````````````````````````````
Process Check:
objlist.exe by Laurent

WinPatrol winpatrol.exe is disabled!
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:23 AM, on 2/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.sky.com/skynews/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro....iler/SysPro.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1252255393171
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.ad...Plus/1.6/gp.cab
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: STSService - Unknown owner - C:\Program Files\SoundTaxi Media Suite\STSService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5322 bytes

Edited by <jjimbo>, 04 February 2010 - 11:54 AM.


#7 lance_yien

lance_yien

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 2,442 posts

Posted 05 February 2010 - 03:58 AM

Hello <jjimbo>,

I am studying your logs and will get back to you.

Please be patient, thank you.

Edited by lance_yien, 05 February 2010 - 06:51 AM.

EI | SWI | ZEBULON | Posted Image | Posted Image

My help is free, but if you wish to help keep these forums running please consider a donation. Please, see here for details.

#8 <jjimbo>

<jjimbo>

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 05 February 2010 - 09:48 AM

Hi lance_yien,
I read your reply advising not to use the ZoneAlarm firewall.
I see the reply has been removed. Should I still follow your recommendations or await further assistance?

#9 lance_yien

lance_yien

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 2,442 posts

Posted 05 February 2010 - 10:09 AM

Should i still follow your recommendations or await further assistance?


Please wait. I asked one of our experts for some clarification. Thank you :thumbup:

#10 trimmboti

trimmboti

    Member

  • New Member
  • Pip
  • 1 posts

Posted 05 February 2010 - 02:53 PM

No need to deal with this, I suppose (double checked, Vista):

- hbp.exe
- hookcontroller.exe

are part of RipTiger! (streaming video catcher)

hbp.exe seems to be invoked in several instances by the "Add URL" method to download several videos, and they don't get closed even when RipTiger has finished the jobs and has been _really exited_ (not minimized to tray).
hookcontroller.exe too is launched by simply starting RipTiger (browser sniffing interception or so, bad English..) and doesn't get closed on exiting RipTiger either.

There are several other helper applications which may be launched by RipTiger doing its jobs, but these seem to be terminated as expected on exiting.

So, no danger... Just terminate with Task Manager, and you're done.

@jimbo:
Maybe you feel comfortable informing the RipTiger developer. (I have spent my time on this topic...)

Regards

trimmboti is not one of our trained helpers. Please see The various helper groups here. cnm

Edited by cnm, 05 February 2010 - 05:45 PM.


#11 lance_yien

lance_yien

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 2,442 posts

Posted 07 February 2010 - 01:43 AM

Hello <jjimbo>

Sorry for the delay!

There is no need to uninstall Zone Alarm.

- Your logs show that "IObit Security 360" is present on your computer. This program is a rogue security program that is known to cause system problems and that has stolen material from other computer security companies to use in its own program: IOBit Steals Malwarebytes’ Intellectual Property, IOBit’s Denial of Theft Unconvincing

The program has also been seen to cause numerous system problems that tend to go away after uninstalling their software.

Please, go to "Start" => "Control Panel" => "Add or Remove Programs" and remove the following programs:

IObit Security 360
Advanced SystemCare

(or any program from IObit)

To remove every last trace of the IObit programs left behind, please download BitRemover to your Desktop from here and run it.


- Have you installed "PixiePack Codec Pack"? It may be added without your knowledge when installing other programs.

If not, please remove it from the "Control Panel" => "Add or Remove Programs" and delete this folder if present: c:\program files\PixiePack Codec Pack

Please post a fresh HijackThis log and tell me if you have tried to uninstall these programs:

  • SuperAntiSpyware
  • Bluetooth
  • Virtual Modem
  • Sound Taxi Media Suite.


#12 <jjimbo>

<jjimbo>

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 08 February 2010 - 07:41 AM

Hi lance_yien, thanks for the advice.
I have done the following:
- ran BitRemover to remove remnants of IObit, which I uninstalled weeks ago (result: 42 files and 4 registry keys removed)
- uninstalled PixiePack, which I installed months ago but never used (I think I was trying to find video codecs for my mobile phone at the time)
- I did uninstall SUPERAntiSpyware months ago

- Regarding Bluetooth, Virtual Modem and the SoundTaxi suite: I think they were part of a USB Bluetooth device I bought to connect the PC with my mobile phone, but I no longer use them.

- Regarding the previous helper's advice on RipTiger: I uninstalled this programme weeks ago and no longer use it.

Here is my new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:50 PM, on 2/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.sky.com/skynews/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro....iler/SysPro.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1252255393171
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.ad...Plus/1.6/gp.cab
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: STSService - Unknown owner - C:\Program Files\SoundTaxi Media Suite\STSService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5466 bytes

Edited by <jjimbo>, 08 February 2010 - 07:44 AM.
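The two HijackThis logs in this thread (the one in the earlier post and the fresh one just above) are read line by line by the helpers; as an added example, not a tool from this thread or from Trend Micro, here is a small Python triage script that parses lines in the HijackThis 2.x format and applies the kind of checks a helper does by eye: O23 services whose binary is gone ("(file missing)") or that carry no vendor string ("Unknown owner", or the empty "name - - path" form seen for dlcg_device), O4 autostarts registered under the SYSTEM or Default user hive, and O16 ActiveX controls that were installed from a remote URL. The sample lines are a constructed subset modelled on the posted log; the regular expressions are my reading of the log format, not a published specification.

```python
"""Triage of HijackThis 2.x log lines: added example, not a tool from this thread."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Entry:
    code: str   # section code such as "O4" or "O23"
    body: str   # text after "<code> - "


@dataclass
class Finding:
    code: str
    item: str
    reason: str


# One HijackThis line: "<code> - <body>"; codes are R0/R1, O2, O3, O4, O8, O9, O16, O23, ...
LINE_RE = re.compile(r"^([RO]\d{1,2}) - (.+)$")
# O23: "Service: <display name> - <vendor> - <path>". With an empty vendor the log shows
# "name - - path" (single space between the dashes), which the optional space handles.
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.*?) ?- (?P<path>.+)$")
# O4: "<hive>\..\Run: [<value name>] <command>"
RUN_RE = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O16: "DPF: {CLSID} (<name>) - <source>"
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \((?P<name>[^)]+)\) - (?P<src>.+)$")

# Constructed sample modelled on the entries in the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1252255393171
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: STSService - Unknown owner - C:\Program Files\SoundTaxi Media Suite\STSService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def parse_hjt(text):
    """Turn raw log text into Entry objects, skipping headers and the process list."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Apply a few defender-side checks and return one Finding per rule hit."""
    findings = []
    for e in entries:
        if e.code == "O23":
            m = SERVICE_RE.match(e.body)
            if not m:
                continue
            name, vendor, path = m.group("name", "vendor", "path")
            if path.endswith("(file missing)"):
                findings.append(Finding("O23", name, "service entry points at a binary that no longer exists"))
            if vendor.strip() in ("", "Unknown owner"):
                findings.append(Finding("O23", name, "service binary carries no vendor information"))
        elif e.code == "O4":
            m = RUN_RE.match(e.body)
            if m and m.group("hive").startswith(("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")):
                findings.append(Finding("O4", m.group("name"), "autostart registered in the SYSTEM or Default user hive"))
        elif e.code == "O16":
            m = DPF_RE.match(e.body)
            if m and m.group("src").lower().startswith("http"):
                findings.append(Finding("O16", m.group("name"), "ActiveX control installed from a remote URL"))
    return findings


def section_counts(entries):
    """How many entries of each code the log carries (a quick feel for how noisy a log is)."""
    return dict(Counter(e.code for e in entries))


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(section_counts(parsed))
    for f in triage(parsed):
        print(f"{f.code:<4} {f.item}: {f.reason}")
```

None of these findings is a verdict on its own: the SYSTEM-hive RoboForm entry and the Microsoft Update control are benign here, and the helper's advice in the thread is exactly to remove the orphaned STSService entry rather than treat it as an infection. The script only pulls the lines worth a second look out of a long log.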


#13 lance_yien

lance_yien

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 2,442 posts

Posted 08 February 2010 - 11:18 AM

Hello <jjimbo>

Regarding Bluetooth, Virtual Modem and the SoundTaxi suite: I think they were part of a USB Bluetooth device I bought to connect the PC with my mobile phone, but I no longer use them.


If you wish to uninstall them, please go to Start => Control Panel => Add or Remove Programs, select each of the following (if present) and click "Remove":

SoundTaxi Media Suite
LGE Bluetooth TransPort
LG Bluetooth Bus Enumerator
LGE Virtual Modem


Now, please print out these instructions or copy them to a Notepad file for easier reading, and download CCleaner (freeware) to your Desktop from here.
Run the CCleaner installer by double-clicking ccsetup....exe, and uncheck the option to install the Yahoo toolbar (unless you want the Yahoo toolbar).
Once installed, run CCleaner.

The following should be selected by default; if not, please select them:

[screenshot]

Then please click [image] and choose [image]

Please uncheck [image]

Then go back to [image] and click [image] to run it.

Then, please go to Start => Run => type Notepad in the Open field and click OK.
Copy and paste the text present inside the quote box below:

KillAll::

DirLook::
c:\documents and settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
C:\e28b242a8090a3aad7a99a

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

Folder::
c:\program files\IObit
C:\VundoFix Backups
c:\program files\PixiePack Codec Pack
c:\program files\RipTiger
c:\program files\SUPERAntiSpyware
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com



Optional fixes:

  • If you have uninstalled "SoundTaxi Media Suite", please add this line at the end of the list:

    c:\program files\SoundTaxi Media Suite
  • If you have uninstalled your "LGE Bluetooth/ Virtual Modem" please add these lines at the end of the list:

    File::
    c:\windows\system32\DRIVERS\lgvmodem.sys
    c:\windows\system32\DRIVERS\lgbtport.sys
    c:\windows\system32\DRIVERS\lgbtbus.sys

Warning: if you want to add these lines, please make sure that c:\program files\SoundTaxi Media Suite is before File::

Save this as "CFScript.txt", in the same location as ComboFix.exe.

Please close any open browsers and disable all your Protection Programs so they do not interfere with the running of ComboFix.

[screenshot]

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
This will start ComboFix again.

After reboot, (in case it asks to reboot), it will produce a log for you.

Please reboot the computer (if ComboFix did not ask for a reboot) and post the Combofix log with a fresh HijackThis log in your next reply.
Also, please let me know if you still have any problem.


LY

Edited by lance_yien, 08 February 2010 - 11:19 AM.


#14 <jjimbo>

<jjimbo>

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 09 February 2010 - 01:41 AM

Hi lance_yien,
I have carried out your instructions.
The following 2 entries listed in Add/Remove Programs I cannot delete:

- LG MC USB Modem Driver
- LG USB Modem Driver
The error messages when trying to remove these, respectively, are...
- setup.exe has encountered a problem and has to close
- error 2753: the file "exeremover.exe" is not marked for installation. (Then I get a "fatal error during installation" error.)
I realise you didn't say to remove these, but any LG programmes on my PC are no longer used.

Here are my logs. My PC seems to be running absolutely fine. Thank you.

ComboFix 10-02-03.04 - jh 02/09/2010 7:11.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.235 [GMT 0:00]
Running from: c:\documents and settings\jh\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jh\Desktop\CFScript.txt.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\system32\DRIVERS\lgbtbus.sys"
"c:\windows\system32\DRIVERS\lgbtport.sys"
"c:\windows\system32\DRIVERS\lgvmodem.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-19-2009( 19-53-7 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-19-2009( 20-22-44 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-20-2009( 16-30-30 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-20-2009( 8-38-45 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-21-2009( 9-7-44 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-22-2009( 7-27-13 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-23-2009( 6-32-11 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-24-2009( 11-26-51 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-24-2009( 11-53-24 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-24-2009( 12-42-2 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-25-2009( 16-1-16 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-25-2009( 4-28-10 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-25-2009( 9-57-58 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-26-2009( 16-37-46 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-26-2009( 17-45-6 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-26-2009( 18-14-29 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-26-2009( 6-13-51 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-27-2009( 13-11-23 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-27-2009( 13-34-30 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-27-2009( 17-53-33 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-27-2009( 5-37-27 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-28-2009( 18-14-19 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-28-2009( 8-15-8 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-28-2009( 8-5-35 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-29-2009( 17-17-48 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-11-30-2009( 10-27-41 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-12-1-2009( 15-58-25 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-12-1-2009( 9-30-4 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-12-2-2009( 9-33-1 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-12-3-2009( 10-45-29 ).SDB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.BIN
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.DB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.ZIP
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLISTRELATED.DB
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLISTRELATED.ZIP
c:\documents and settings\jh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
C:\VundoFix Backups
c:\windows\system32\drivers\etc\lmhosts . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2010-01-09 to 2010-02-09 )))))))))))))))))))))))))))))))
.

2010-02-08 16:00 . 2010-02-08 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\xml_param
2010-01-28 18:26 . 2010-01-29 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-28 18:26 . 2010-01-28 18:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-28 18:01 . 2010-01-28 18:01 16409960 ----a-w- c:\program files\spybotsd162.exe
2010-01-28 11:18 . 2010-01-28 11:18 -------- d-----w- c:\program files\Trend Micro
2010-01-28 11:01 . 2010-01-28 11:01 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-01-28 10:55 . 2010-01-28 10:55 -------- d-----w- c:\program files\FLVCodec
2010-01-25 16:47 . 2010-01-25 16:47 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-21 10:56 . 2007-08-31 12:52 33968 ----a-w- c:\windows\system32\anim.dll
2010-01-21 10:56 . 2004-12-07 10:11 258352 ----a-w- c:\windows\system32\unicows.dll
2010-01-21 10:56 . 2001-08-24 08:25 1706800 ----a-w- c:\windows\system32\gdiplus.dll
2010-01-21 10:56 . 1999-11-22 15:50 4608 ----a-w- c:\windows\system32\W95INF32.DLL
2010-01-21 10:56 . 1999-11-22 15:50 2272 ----a-w- c:\windows\system32\W95INF16.DLL
2010-01-21 10:56 . 2010-02-08 16:48 -------- d-----w- c:\program files\WinUtilities
2010-01-15 07:21 . 2010-01-15 07:21 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-01-13 13:00 . 2010-01-13 13:08 -------- d-----w- C:\e28b242a8090a3aad7a99a
2010-01-12 17:45 . 2010-01-28 17:22 -------- d-----w- c:\documents and settings\jh\Application Data\MailFrontier
2010-01-12 17:42 . 2009-08-26 21:09 72584 ----a-w- c:\windows\zllsputility.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-09 06:49 . 2009-09-03 21:10 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-02-08 21:59 . 2010-02-09 06:32 2199552 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2010-02-08 21:59 . 2010-02-09 06:32 58368 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2010-02-08 16:44 . 2009-09-04 22:23 -------- d-----w- c:\program files\Eraser
2010-02-08 16:44 . 2006-05-03 07:42 -------- d-----w- c:\program files\Microsoft Works
2010-02-08 13:22 . 2009-09-04 17:57 -------- d-----w- c:\documents and settings\jh\Application Data\IObit
2010-01-28 10:35 . 2010-01-28 10:35 2561668 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-01-25 16:54 . 2009-09-04 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-25 16:50 . 2009-09-05 18:53 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-22 22:29 . 2009-11-27 11:16 572712 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-22 13:32 . 2010-01-08 18:45 -------- d-----w- c:\program files\Aimersoft
2010-01-19 14:15 . 2009-09-04 10:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-19 14:15 . 2009-09-11 19:41 5115824 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-12 17:41 . 2010-01-12 17:41 -------- d-----w- c:\program files\Zone Labs
2010-01-09 11:49 . 2009-11-22 11:08 -------- d-----w- c:\program files\Google
2010-01-09 11:45 . 2009-09-04 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-08 17:16 . 2009-11-08 17:23 -------- d-----w- c:\program files\QuickMediaConverter
2010-01-08 16:59 . 2009-10-06 17:27 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-08 16:59 . 2010-01-08 16:27 38784 ----a-w- c:\documents and settings\jh\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-07 16:07 . 2009-09-04 10:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-09-04 10:08 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 16:06 . 2009-09-03 23:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-05 15:45 . 2010-01-05 15:43 -------- d-----w- c:\documents and settings\jh\Application Data\muvee Technologies
2010-01-05 09:41 . 2010-01-05 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2009-12-21 19:14 . 2004-08-10 11:51 916480 ------w- c:\windows\system32\wininet.dll
2009-12-21 15:07 . 2009-11-26 17:57 -------- d-----w- c:\documents and settings\jh\Application Data\Nokia
2009-12-17 10:52 . 2009-12-17 10:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-12-17 10:52 . 2009-12-17 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-12-17 10:52 . 2009-09-03 23:05 -------- d-----w- c:\program files\Yahoo!
2009-12-16 12:50 . 2009-11-06 16:16 -------- d-----w- c:\program files\YouTube Downloader
2009-12-16 12:50 . 2009-11-03 15:57 -------- d-----w- c:\program files\PodSpider
2009-12-16 12:50 . 2009-09-06 16:54 -------- d-----w- c:\program files\Windows Media Connect 2
2009-12-16 12:50 . 2009-09-04 18:56 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2009-12-09 17:41 . 2009-12-09 17:41 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{12D6E140-AEDB-4F78-9D4A-643786772120}\Installer\CommonCustomActions\Sleep.exe
2009-12-09 17:41 . 2009-12-09 17:41 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{12D6E140-AEDB-4F78-9D4A-643786772120}\Installer\CommonCustomActions\msxml6Exec.exe
2009-12-09 17:41 . 2009-12-09 17:41 3203453 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{12D6E140-AEDB-4F78-9D4A-643786772120}\Installer\CommonCustomActions\vcredistExec.exe
2009-12-09 17:39 . 2009-12-09 17:42 24438096 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{12D6E140-AEDB-4F78-9D4A-643786772120}\NokiaSoftwareUpdaterSetup_2.4.1EN.exe
2009-12-08 06:27 . 2009-09-04 11:28 34712 ----a-w- c:\documents and settings\jh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-28 13:58 . 2009-11-28 13:58 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2009-11-28 13:58 . 2009-11-28 13:58 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2009-11-28 13:58 . 2009-11-28 13:58 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2009-11-28 13:58 . 2009-11-28 13:58 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Installer\CommonCustomActions\WMF11Runx86.exe
2009-11-28 13:58 . 2009-11-28 13:58 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Installer\CommonCustomActions\WMF11Runx64.exe
2009-11-28 13:58 . 2009-11-28 13:58 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Installer\CommonCustomActions\pcswpc.exe
2009-11-28 13:53 . 2009-11-28 13:57 94628904 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{82E16F2D-804A-4990-BEEF-C9DB44AE844B}\Nokia_Ovi_Suite_webinstaller_ALL.exe
2009-11-26 18:04 . 2009-11-26 18:04 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2009-11-26 18:04 . 2009-11-26 18:04 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2009-11-26 18:04 . 2009-11-26 18:04 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-11-26 18:04 . 2009-11-26 18:04 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
2009-11-26 18:03 . 2009-11-26 18:04 34429264 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_eng.exe
2009-11-26 17:54 . 2009-11-26 17:54 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\pcswpcsi.exe
2009-11-26 17:54 . 2009-11-26 17:54 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstCCD.exe
2009-11-26 17:54 . 2009-11-26 17:54 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-11-26 17:54 . 2009-11-26 17:54 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCS.exe
2009-11-26 17:53 . 2009-11-26 17:54 33773208 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Nokia_PC_Suite_7_1_30_9_eng_web[1].exe
2009-11-21 15:51 . 2004-08-10 11:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC} ----

2010-01-15 07:21 . 2010-01-15 07:23 18752000 ----a-w- c:\documents and settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}\{D3742F82-1C1A-4DCC-ABBD-0E831C0185CC}.msi

---- Directory of C:\e28b242a8090a3aad7a99a ----

2010-01-04 16:31 . 2010-01-04 16:31 843563 ----a-w- c:\e28b242a8090a3aad7a99a\mrt.exe._p
2010-01-04 16:17 . 2010-01-04 16:17 57800 ----a-w- c:\e28b242a8090a3aad7a99a\mrtstub.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-10-29 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-08-26 1011080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-10-29 160592]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^jh^Start Menu^Programs^Startup^PodNova Desktop Client.lnk]
backup=c:\windows\pss\PodNova Desktop Client.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 15:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMusic FastStart]
2009-11-06 16:00 2090272 ----a-w- c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
2009-10-27 15:10 401728 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 10:57 1451520 ----a-w- c:\documents and settings\jh\My Documents\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 16:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-07 18:56 149280 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
2009-07-27 15:33 341312 -c----w- c:\program files\BillP Studios\WinPatrol\WinPatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YMailAdvisor]
2009-05-08 10:53 174424 ----a-w- c:\program files\Yahoo!\Common\YMailAdvisor.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PC Suite Tray"="c:\documents and settings\jh\My Documents\Nokia PC Suite 7\PCSuite.exe" -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 procguard;procguard;c:\windows\system32\drivers\procguard.sys [10/6/2009 4:25 PM 24911]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [1/8/2010 6:46 PM 25704]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [9/9/2009 10:59 AM 13224]
S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/22/2009 11:08 AM 135664]
S3 LgBttPort;LGE Bluetooth TransPort;c:\windows\system32\DRIVERS\lgbtport.sys --> c:\windows\system32\DRIVERS\lgbtport.sys [?]
S3 lgbusenum;LG Bluetooth Bus Enumerator;c:\windows\system32\DRIVERS\lgbtbus.sys --> c:\windows\system32\DRIVERS\lgbtbus.sys [?]
S3 LGVMODEM;LGE Virtual Modem;c:\windows\system32\DRIVERS\lgvmodem.sys --> c:\windows\system32\DRIVERS\lgvmodem.sys [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [11/26/2009 6:05 PM 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [11/26/2009 6:05 PM 8320]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [4/23/2007 12:54 PM 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [4/23/2007 12:54 PM 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [4/23/2007 12:54 PM 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [4/23/2007 12:54 PM 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [4/23/2007 12:54 PM 98568]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 STSService;STSService;"c:\program files\SoundTaxi Media Suite\STSService.exe" --> c:\program files\SoundTaxi Media Suite\STSService.exe [?]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [1/8/2010 11:16 PM 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [1/8/2010 11:17 PM 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [1/8/2010 11:18 PM 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [1/8/2010 11:18 PM 25704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.sky.com/skynews/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: yahoo.com\m.uk
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-09 07:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(656)
c:\windows\system32\WININET.dll
c:\progra~1\ZONELA~1\ZONEAL~1\MAILFR~1\mlfhook.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\documents and settings\jh\My Documents\Nokia PC Suite 7\PhoneBrowser.dll
c:\documents and settings\jh\My Documents\Nokia PC Suite 7\NGSCM.DLL
c:\documents and settings\jh\My Documents\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\documents and settings\jh\My Documents\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\locator.exe
c:\progra~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
.
**************************************************************************
.
Completion time: 2010-02-09 07:21:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-09 07:21
ComboFix2.txt 2010-02-04 09:38

Pre-Run: 63,810,387,968 bytes free
Post-Run: 63,764,500,480 bytes free

- - End Of File - - 8E3793FE61DE8554D2516EACB930DD52




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:47 AM, on 2/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.sky.com/skynews/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro....iler/SysPro.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1252255393171
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.ad...Plus/1.6/gp.cab
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: STSService - Unknown owner - C:\Program Files\SoundTaxi Media Suite\STSService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5434 bytes

#15 lance_yien

lance_yien

    Forum Deity

  • Retired Staff
  • 2,442 posts

Posted 09 February 2010 - 03:14 AM

Hello <jjimbo>

... my PC seems to be running absolutely fine. thank you


This is good news. Your logs appear clean :thumbup:
--

Please delete this folder (in bold): c:\program files\SUPERAntiSpyware

Then, please go to http://virusscan.jotti.org , click the Browse button, and upload the following file for analysis:

c:\documents and settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}\{D3742F82-1C1A-4DCC-ABBD-0E831C0185CC}.msi

Then click the Submit button and allow the file to be scanned.
Please copy and paste the results here for me to see.

Note: If Jotti is busy, please go to http://www.virustotal.com.

LY
EI | SWI | ZEBULON

My help is free, but if you wish to help keep these forums running please consider a donation. Please, see here for details.

#16 <jjimbo>

<jjimbo>

    Member

  • Full Member
  • 13 posts

Posted 09 February 2010 - 06:22 AM

hi lance _yien

The folder "superantispyware" doesn't exist in Program Files.
The long-number folder you mention to scan, located in ..."application data > all users", also doesn't exist.
When opening "all users" the only folders present are:
-desktop
-shared documents
-favourites
-start menu
none of which contain the number you refer to either.

#17 <jjimbo>

<jjimbo>

    Member

  • Full Member
  • 13 posts

Posted 09 February 2010 - 06:23 AM

hi lance _yien

The folder "superantispyware" doesn't exist in Program Files.
The long-number folder you mention to scan, located in ..."application data > all users", also doesn't exist.
When opening "all users" the only folders present are:
-desktop
-shared documents
-favourites
-start menu
none of which contain the number you refer to either.

#18 <jjimbo>

<jjimbo>

    Member

  • Full Member
  • 13 posts

Posted 09 February 2010 - 07:54 AM

hi lance_yien
The folder "superantispyware"
and the file with the "long number" are both not in the places you specify.





(sorry, I didn't realise the post was now on 2 pages, hence my repeated replies)

Edited by <jjimbo>, 09 February 2010 - 07:56 AM.


#19 lance_yien

lance_yien

    Forum Deity

  • Retired Staff
  • 2,442 posts

Posted 09 February 2010 - 09:18 AM

Hi again :)

...The long-number folder you mention to scan, located in ..."application data > all users", also doesn't exist.
When opening "all users" the only folders present are:
-desktop
-shared documents
-favourites
-start menu
none of which contain the number you refer to either.


"Application Data" is a hidden folder.

To set Windows XP to show hidden/system files and folders, please click Start and open My Computer.
On the Tools menu, click on Folder Options.
On the View tab, uncheck "Hide file extensions for known file types".
Uncheck "Hide protected operating system files (Recommended)" and click Yes on the warning message.
Under "Hidden files and folders", check "Show hidden files and folders".
Click Apply to All Folders.
Click OK and close My Computer.

Now you can see and open "Application Data" to submit your file.
=========

When you have finished, please DO NOT forget to set Windows XP to hide hidden/system files and folders by clicking Start => My Computer.
On the Tools menu, click on Folder Options.
On the View tab, check "Hide file extensions for known file types".
Check "Hide protected operating system files (Recommended)". Under "Hidden files and folders", check "Do not show hidden files and folders".
Click Apply to All Folders.
Click OK and close My Computer.

LY

#20 <jjimbo>

<jjimbo>

    Member

  • Full Member
  • 13 posts

Posted 09 February 2010 - 03:03 PM

File TU2010Trial.msi received on 2010.02.03 16:52:29 (UTC)
Current status: finished

Result: 0/39 (0.00%)
Compact Print results
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.03 -
AhnLab-V3 5.0.0.2 2010.02.03 -
AntiVir 7.9.1.158 2010.02.03 -
Antiy-AVL 2.0.3.7 2010.02.03 -
Authentium 5.2.0.5 2010.02.03 -
Avast 4.8.1351.0 2010.02.02 -
AVG 9.0.0.730 2010.02.03 -
BitDefender 7.2 2010.02.03 -
CAT-QuickHeal 10.00 2010.02.03 -
ClamAV 0.96.0.0-git 2010.02.03 -
Comodo 3807 2010.02.03 -
DrWeb 5.0.1.12222 2010.02.03 -
eSafe 7.0.17.0 2010.02.03 -
eTrust-Vet 35.2.7278 2010.02.03 -
F-Prot 4.5.1.85 2010.02.03 -
Fortinet 4.0.14.0 2010.02.03 -
GData 19 2010.02.03 -
Ikarus T3.1.1.80.0 2010.02.03 -
Jiangmin 13.0.900 2010.02.03 -
K7AntiVirus 7.10.966 2010.02.03 -
Kaspersky 7.0.0.125 2010.02.03 -
McAfee 5881 2010.02.03 -
McAfee+Artemis 5881 2010.02.03 -
McAfee-GW-Edition 6.8.5 2010.02.03 -
Microsoft 1.5406 2010.02.03 -
NOD32 4832 2010.02.03 -
Norman 6.04.03 2010.02.03 -
nProtect 2009.1.8.0 2010.02.03 -
Panda 10.0.2.2 2010.02.03 -
PCTools 7.0.3.5 2010.02.03 -
Prevx 3.0 2010.02.03 -
Rising 22.33.02.04 2010.02.03 -
Sophos 4.50.0 2010.02.03 -
Sunbelt 3.2.1858.2 2010.02.03 -
TheHacker 6.5.1.0.178 2010.02.03 -
TrendMicro 9.120.0.1004 2010.02.03 -
VBA32 3.12.12.1 2010.02.03 -
ViRobot 2010.2.3.2170 2010.02.03 -
VirusBuster 5.0.21.0 2010.02.03 -
Additional information
File size: 18752000 bytes
MD5 : 98e763412f43926a64405c84356dd460
SHA1 : acf320266987827b48ede41e332e73a075ced8e2
SHA256: 49c67aedda38284dfed268d99a49dab5db37a979b2aee68d3a3ad9e7893493cf
TrID : File type identification
Windows SDK Setup Transform Script (88.7%)
Generic OLE2 / Multistream Compound File (11.2%)
ssdeep: 393216:eJQZuQQQwAVdioLYL8yih3X1GlZNJU0aTubJSWuaVR+M:9xQQRsWYLclG00aabFXR+
PEiD : -
packers (Kaspersky): PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch, PE_Patch
RDS : NSRL Reference Data Set
-
I also note that under Application Data there is a SUPERAntiSpyware folder. Shall I delete this folder?

When the VirusTotal scan finished I wasn't too sure where the log is produced, so I clicked "show previous report". I think I may have done it wrong.
Hovering over the long number within Application Data, it showed up as "TuneUp Utilities", 17 MB.

Edited by <jjimbo>, 09 February 2010 - 03:13 PM.


#21 lance_yien

lance_yien

    Forum Deity

  • Retired Staff
  • 2,442 posts

Posted 10 February 2010 - 02:14 AM

... there is a SUPERAntiSpyware folder. Shall I delete this folder?


Yes :)

When the VirusTotal scan finished I wasn't too sure where the log is produced, so I clicked "show previous report". I think I may have done it wrong.


That is why you have given me the results for another file named "TU2010Trial.msi" :)

Hovering over the long number within Application Data, it showed up as "TuneUp Utilities", 17 MB.


That means it is related to "TuneUp Utilities" and should be safe. Leave it there!
--

- Your version of Java is out of date. I recommend you update to the newest Version:
Please download to your Desktop the newest version from here.

It's important that you uninstall older versions of Java. They can leave holes and vulnerabilities on your computer.

Please, go to Start => Control Panel double-click on the Software icon => Add or Remove programs.
Search in the list for all previous installed versions of Java (J2SE Runtime Environment.... ).
They should have the Java icon next to them.
Select each in turn and click Remove.

Now install the newest version.

- Please remove ComboFix from your computer by going to Start => Run and type ComboFix /Uninstall in the runbox. Click OK (make sure to leave a space between ComboFix and /Uninstall).

This will delete ComboFix and its associated files/folders and reset System Restore.

- Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :thumbup:

  • I recommend you install and run some of the following programs. They are either free or have free versions of commercial programs:

    • SpywareBlaster. A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.
    • SpywareGuard. A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

    Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection.
    However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.
  • Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. You can download Firefox from here.

    Opera is another good option. It is available here.
  • Please, note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here: http://www.spywarewa...nti-spyware.htm

- For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully this should take care of your problems!

Safe surfing! :)

LY
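The mix-up above (a report for "TU2010Trial.msi" pasted in reply to a request for the GUID-named .msi) is the usual failure mode when results are read off a web page by name: the only reliable way to know a report describes the file on your disk is to hash that file locally and compare. The Python below is an added example for this thread, not code from the forum or from VirusTotal. It parses a report in the pasted text format and checks it against local bytes. The first sample report reuses the file name, size and hashes posted above (with the engine table trimmed to three rows); the second sample, the stand-in bytes `SAMPLE_FILE`, the engine names `ExampleAV`/`OtherAV` and the verdict `Constructed.Test.Verdict` are all constructed for the example.

```python
"""Check that a pasted VirusTotal-style report really describes the file on your disk.
Added example for this thread; not code from the forum or from VirusTotal."""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Report:
    file_name: str
    claimed_total: int   # denominator of the "Result: x/y" summary line
    engines: dict        # engine name -> verdict; "-" means no detection
    size: int
    md5: str
    sha256: str

    def detections(self) -> dict:
        return {name: v for name, v in self.engines.items() if v != "-"}


def parse_report(text: str) -> Report:
    """Extract the identity fields and the per-engine table from the pasted text."""
    def field(pattern: str) -> str:
        match = re.search(pattern, text, re.MULTILINE)
        if match is None:
            raise ValueError("report is missing a field matching " + pattern)
        return match.group(1)

    engines, in_table = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Antivirus Version"):        # table header
            in_table = True
        elif line.startswith("Additional information"):  # end of table
            break
        elif in_table and line:
            parts = line.split()
            # columns: engine, version, signature date, verdict (may contain spaces)
            engines[parts[0]] = " ".join(parts[3:]) or "-"
    return Report(
        file_name=field(r"^File (.+?) received on"),
        claimed_total=int(field(r"^Result:\s*\d+/(\d+)")),
        engines=engines,
        size=int(field(r"^File size:\s*(\d+) bytes")),
        md5=field(r"^MD5\s*:\s*([0-9a-fA-F]{32})").lower(),
        sha256=field(r"^SHA256\s*:\s*([0-9a-fA-F]{64})").lower(),
    )


def fingerprint(data: bytes) -> dict:
    """Size and hashes of the bytes actually read from disk."""
    return {"size": len(data), "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def check_report(text: str, data: bytes, expected_name: Optional[str] = None) -> dict:
    """Which identity checks pass between report and local bytes, plus the detection count."""
    rep, local = parse_report(text), fingerprint(data)
    return {
        "name_matches": expected_name is None or rep.file_name == expected_name,
        "size_matches": rep.size == local["size"],
        "sha256_matches": rep.sha256 == local["sha256"],
        "table_complete": len(rep.engines) == rep.claimed_total,
        "detections": len(rep.detections()),
    }


# Constructed sample 1: name, size and hashes are the ones pasted in the thread; the engine
# table is trimmed to three rows, so it no longer matches the 39 engines the summary claims.
THREAD_REPORT = """\
File TU2010Trial.msi received on 2010.02.03 16:52:29 (UTC)
Result: 0/39 (0.00%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.03 -
ClamAV 0.96.0.0-git 2010.02.03 -
Microsoft 1.5406 2010.02.03 -
Additional information
File size: 18752000 bytes
MD5 : 98e763412f43926a64405c84356dd460
SHA1 : acf320266987827b48ede41e332e73a075ced8e2
SHA256: 49c67aedda38284dfed268d99a49dab5db37a979b2aee68d3a3ad9e7893493cf
"""

# Constructed sample 2: a stand-in file hashed here, with one made-up verdict, so the
# positive path can be exercised offline.
SAMPLE_FILE = b"constructed stand-in for an installer; not a real file"
_fp = fingerprint(SAMPLE_FILE)
SAMPLE_REPORT = f"""\
File sample.msi received on 2010.02.09 12:00:00 (UTC)
Result: 1/2 (50.00%)
Antivirus Version Last Update Result
ExampleAV 1.0 2010.02.09 Constructed.Test.Verdict
OtherAV 2.0 2010.02.09 -
Additional information
File size: {_fp['size']} bytes
MD5 : {_fp['md5']}
SHA256: {_fp['sha256']}
"""
```

To use it on a real case, read the suspect file with `open(path, "rb").read()` and call `check_report(pasted_text, data, expected_name)`. Two things the checks make visible: the size in the pasted report, 18752000 bytes, is exactly what ComboFix listed above for the GUID-named .msi, so a size check alone would pass and only the locally computed hashes settle whether the report describes the file on this disk; and a table with fewer rows than the "x/y" summary claims (as when a page is copied partially) shows up as `table_complete` being false rather than as a silently lower detection count.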

#22 <jjimbo>

<jjimbo>

    Member

  • Full Member
  • 13 posts

Posted 10 February 2010 - 05:21 AM

Hi lance_yien

I've carried out your instructions and will indeed read the articles you have suggested.
May I thank you for your time and effort with my enquiries; you have given me a better understanding of the importance of safe browsing and security.
I think people like you who give up their own time and knowledge for others are admirable.
Thanks again :drinks:

#23 lance_yien

lance_yien

    Forum Deity

  • Retired Staff
  • 2,442 posts

Posted 10 February 2010 - 08:30 AM

You are welcome <jjimbo>. Glad we could help. :cool:

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a new topic.

LY

Edited by lance_yien, 10 February 2010 - 08:31 AM.
