
Whatever it is won't even let HJT run

I'm going to need a day or so to complete everything you talk about in your last reply so please don't close this case yet.

Ok, I'll keep the thread open until you're ready to have it closed. :)

Also, I still have a couple of issues. Outlook 2007 still occasionally closes on first use of Send/Receive, and the SQL database associated with ACT 11 occasionally will not load at all, generating four red warnings in the Windows event viewer under applications.

Is there one last scan we can do that will let us know that we actually caught everything?

And/or will I simply need to go in and run some of the Windows repair routines and possibly just reinstall specific programs that are behaving strangely?

I think the best thing to do for the Outlook '07 and ACT 11 problems is to do either the Windows repair routines or just reinstall those programs.

But, just in case something has come back/we missed something, go ahead and run DDS again (redownload it if you've already deleted DDS.scr) and run MalwareBytes' again (do another Quick scan and be sure to Update it before doing the scan).

Post the DDS and MalwareBytes' Logs in your next post and let me know if you solved your problems with Outlook and ACT.
 
Thanks.

What is UPHClean?

Is STOPZilla a problem? I don't know where it came from, and when I tried to uninstall it the other day it totally broke IE and also took out something that then prevented the ACT SQL server from loading, so I was relieved that the System Restore was there, again. This is the same thing that happened when I tried to remove the duplicate Personal Folders from Outlook 2007.

Apparently neither of these are creating problems that are detectable so should I just leave them, and other stuff like them, alone?

I'll report back one more time after I have completed your last set of instructions.

Here are the reports you requested.



=== DDS.txt ===

DDS (Ver_09-07-30.01) - NTFSx86
Run by Geoff at 13:47:07.71 on Tue 09/29/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.539 [GMT -7:00]

AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\kmw_run.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\ACT\Act for Windows\Act.Scheduler.UI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Geoff\Desktop\SaferNetworking\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [kmw_run.exe] kmw_run.exe
mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Act.Outlook.Service] "c:\program files\act\act for windows\Act.Outlook.Service.exe"
mRun: [Act! Preloader] "c:\program files\act\act for windows\ActSage.exe" -preload
mRun: [ACTSchedulerUI] "c:\program files\act\act for windows\Act.Scheduler.UI.exe" -Dfalse
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [TraySantaCruz] c:\windows\system32\tbctray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235942706406
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} -
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\geoff\applic~1\mozilla\firefox\profiles\wrnsupub.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\geoff\application data\mozilla\firefox\profiles\wrnsupub.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.08
============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-5-22 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-22 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-23 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-22 108552]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-8 297752]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2005-4-9 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2005-4-9 545088]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2001-8-23 14336]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\geoff\desktop\safernetworking\sysprot\sysprot\sysprot\SysProtDrv.sys [2009-9-23 44288]
S4 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2008-7-31 81920]

=============== Created Last 30 ================

2009-09-28 12:05 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-09-28 12:05 <DIR> --d----- c:\program files\STOPzilla!
2009-09-28 11:54 311,296 a----r-- c:\windows\system32\SZBase5.dll
2009-09-28 11:54 126,976 a----r-- c:\windows\system32\IS3HTUI5.dll
2009-09-28 11:54 724,992 a----r-- c:\windows\system32\IS3Base5.dll
2009-09-28 11:54 385,024 a----r-- c:\windows\system32\IS3UI5.dll
2009-09-28 11:54 225,280 a----r-- c:\windows\system32\IS3Win325.dll
2009-09-28 11:54 94,208 a----r-- c:\windows\system32\IS3Inet5.dll
2009-09-25 22:23 <DIR> --d----- c:\docume~1\geoff\applic~1\Malwarebytes
2009-09-25 22:23 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-25 22:23 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-25 22:23 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-25 22:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-25 22:17 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-24 13:12 <DIR> a-dshr-- C:\cmdcons
2009-09-24 13:11 229,888 a------- c:\windows\PEV.exe
2009-09-24 13:11 161,792 a------- c:\windows\SWREG.exe
2009-09-24 13:11 98,816 a------- c:\windows\sed.exe
2009-09-20 20:57 <DIR> --d----- c:\program files\oldspybot~2
2009-09-19 21:02 <DIR> --d----- c:\program files\Trend Micro
2009-09-19 18:46 <DIR> --d----- c:\program files\OLD-2Spybot - Search & Destroy
2009-09-18 00:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-09-18 00:36 <DIR> --d----- c:\program files\common files\iS3
2009-09-18 00:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-09-03 23:56 <DIR> --d----- c:\program files\SpyZooka

==================== Find3M ====================

2009-09-29 11:33 952 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-09-29 10:54 7,304 a------- c:\windows\TMP0001.TMP
2009-09-27 21:50 244,874 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-09-25 22:16 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-28 19:23 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-20 14:57 17,408 a----r-- c:\windows\system32\SZIO5.dll
2009-07-20 14:56 540,672 a----r-- c:\windows\system32\SZComp5.dll
2009-07-09 15:52 393,216 a----r-- c:\windows\system32\IS3DBA5.dll
2009-07-09 15:51 61,440 a----r-- c:\windows\system32\IS3Hks5.dll
2009-07-09 15:51 23,040 a----r-- c:\windows\system32\IS3XDat5.dll
2009-07-09 15:50 90,112 a----r-- c:\windows\system32\IS3Svc5.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-24 13:31 88 ---shr-- c:\docume~1\alluse~1\applic~1\E18EE82E7A.sys
2008-12-25 13:35 2,788,800 -------- c:\program files\FLV PlayerFCSetup.exe
2008-06-02 14:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060220080603\index.dat

============= FINISH: 13:47:53.32 ===============



=== Attach.txt ===

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/9/2005 4:36:05 PM
System Uptime: 9/29/2009 10:54:04 AM (3 hours ago)

Motherboard: | | 848P-ICH5
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Socket 478 | 3192/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 128 GiB total, 81.056 GiB free.
D: is FIXED (NTFS) - 37 GiB total, 3.828 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_18751019&REV_02\3&13C0B0C5&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_18751019&REV_02\3&13C0B0C5&0&FD
Service:

==== System Restore Points ===================

RP3: 9/24/2009 1:19:47 PM - System Checkpoint
RP4: 9/24/2009 8:16:25 PM - System Checkpoint
RP5: 9/25/2009 10:09:40 PM - Removed J2SE Runtime Environment 5.0 Update 11
RP6: 9/25/2009 10:10:31 PM - Removed Java(TM) 6 Update 15
RP7: 9/25/2009 10:16:41 PM - Installed Java(TM) 6 Update 16
RP8: 9/26/2009 8:52:12 PM - Removed Adobe Reader 7.0
RP9: 9/26/2009 8:52:32 PM - Installed Adobe Reader 9.1.
RP10: 9/27/2009 9:51:35 PM - Restore Operation
RP11: 9/28/2009 11:54:54 AM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
RP12: 9/28/2009 12:04:43 PM - Restore Operation
RP13: 9/29/2009 9:46:37 AM - Avg8 Update
RP14: 9/29/2009 9:47:17 AM - Avg8 Update

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 2 (SP2)
Acoustica Effects Pack
Acrobat.com
ACT!
ACT! by Sage 2009 (11.0)
Ad-Aware
Adobe Acrobat 4.0
Adobe AIR
Adobe Download Manager
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 6.0
Adobe Product/Adobe Studio Update 10/2001
Adobe SVG Viewer 3.0
Amazon MP3 Downloader 1.0.0+6
APC PowerChute Personal Edition
Apple Software Update
Applet_App
Applet_Copy
Applet_Creativity
Applet_Email
Applet_Epp
Applet_File
Applet_OCR
Applet_Web
Applian FLV Player
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATT-AACE
Audacity 1.2.6
Audacity 1.3.7 (Unicode)
AutoUpdate
AVG 8.5
BadCopy Pro
CompanionLink
Copy Utility
Creative MediaSource 5
Creative Removable Disk Manager
Creative System Information
Creative ZEN Vision M Series
Critical Update for Windows Media Player 11 (KB959772)
DBF Viewer 2000
DiscWizard for Windows
DivX
DivX Web Player
EPSON Print CD
EPSON Printer Software
EPSON Smart Panel
EPSON SP R200 Reference Guide
EPSON TWAIN 5
ERUNT 1.1j
ffdshow (remove only)
FileZilla (remove only)
FileZilla Client 3.2.3.1
Freecorder Toolbar
Freecorder Toolbar 3.02 Application
Google Earth
Google Toolbar for Internet Explorer
Google Updater
Google Video Player
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Icon Edit 2.1.9
JagoClient Version 5.0
Java(TM) 6 Update 16
Kensington MouseWorks
Macromedia Flash MX 2004
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Mapopolis
Microsearch Color Picker
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 5.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard 2007
Microsoft Office Word MUI (English) 2007
Microsoft Outlook Personal Folders Backup
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (ACT7)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Windows XP Video Decoder Checkup Utility
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser
Musicnotes Player V1.23.1 and Viewer
NTI CD-Maker 2000
PC Inspector smart recovery
PF1250-1650 Guide
Pocket GNU Go
QuickTime
Real Alternative 1.51
RecordPad Sound Recorder Uninstall
ScanToWeb
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Spin It Again
STOPzilla
Switch Uninstall
TomTom HOME 2.6.2.1586
TomTom HOME Visual Studio Merge Modules
Turtle Beach Santa Cruz Driver
U.S. Robotics V.92 PCI Faxmodem
UltraEdit-32
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
User Profile Hive Cleanup Service
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WavePad Uninstall
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows Mobile Daylight Saving Time 2007 Updates
Windows Search 4.0
Windows XP Service Pack 3
Yahoo! Install Manager
ZENcast Organizer

==== Event Viewer Messages From Past Week ========

9/28/2009 12:07:59 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
9/28/2009 12:07:59 PM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/28/2009 12:07:58 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B68-F52A-11D8-B9A5-505054503030}
9/27/2009 9:55:18 PM, error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
9/27/2009 6:04:44 PM, error: Service Control Manager [7024] - The SQL Server (ACT7) service terminated with service-specific error 3417 (0xD59).
9/25/2009 10:34:53 PM, error: Service Control Manager [7000] - The STOPzilla Service service failed to start due to the following error: Access is denied.
9/24/2009 11:26:11 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The User Profile Hive Cleanup service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The TomTomHOMEService service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The SQL Server VSS Writer service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The SQL Server (ACT7) service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The Protexis Licensing V2 service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7034] - The APC UPS Service service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 11:21:24 PM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
9/24/2009 11:21:24 PM, error: Service Control Manager [7031] - The SQL Server Browser service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/24/2009 11:21:24 PM, error: Service Control Manager [7031] - The AVG8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
9/24/2009 11:20:32 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
9/24/2009 1:19:48 PM, error: PlugPlayManager [11] - The device Root\LEGACY_ROOTREPEAL\0000 disappeared from the system without first being prepared for removal.
9/24/2009 1:19:46 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000003A' while processing the file 'KB912812' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
9/24/2009 1:10:55 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.

==== End Of File ===========================



=== mbam-log-2009-09-29 (13-59-27) ===
Malwarebytes' Anti-Malware 1.41
Database version: 2873
Windows 5.1.2600 Service Pack 3

9/29/2009 1:59:27 PM
mbam-log-2009-09-29 (13-59-27).txt

Scan type: Quick Scan
Objects scanned: 113065
Time elapsed: 5 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Right after I sent the above reports I reinstalled Spybot S&D and ran it, successfully for the first time in about two weeks, and it found two entries which it labeled as TrojansC. Below is the log from this last run. I let S&D "fix" the problem. BTW, I could not accomplish this reinstall without first uninstalling the previous no-longer-working one already installed. But, I could not completely uninstall S&D either, nor could I remove the folder nor the SpybotSD.exe file. I was told that it could not be deleted because it was being used by another application. What I could do, but only via the CMD window, was rename the folder to something else. This allowed me to then reinstall as I said above.

Next I uninstalled AVG, which had stopped working about a week ago, and then deleted all its leftover folders and files. I then reinstalled it and ran a full scan. It, too, found two Trojan Horse infections, which it ultimately said it removed and healed. Below the S&D report is the AVG report.
=== Spybot S&D report ===
--- Search result list ---
Win32.TDSS.reg: [SBI $36E9AD68] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uacd.sys\imagepath

Win32.TDSS.reg: [SBI $65DD3871] System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uacd.sys


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-09-29 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-09-07 advcheck.dll (1.6.4.18)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-09-22 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-08-10 Includes\Dialer.sbi (*)
2009-09-22 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-09-22 Includes\HijackersC.sbi (*)
2009-09-22 Includes\Keyloggers.sbi (*)
2009-09-22 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-08-19 Includes\Malware.sbi (*)
2009-09-22 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-09-22 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-09-22 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-09-22 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-09-15 Includes\Trojans.sbi (*)
2009-09-22 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB954430)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player: Security Update for Windows Media Player (KB952069)
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB911565)
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB917734)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB954154)
/ Windows Media Player 11: Critical Update for Windows Media Player 11 (KB959772)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB928090)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB929969)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB939653)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP0: Hotfix for Windows Internet Explorer 7 (KB947864)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB956390)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB961260)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB969897)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 8 (KB969897)
/ Windows XP / SP0: Update for Windows Internet Explorer 8 (KB971930)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 8 (KB972260)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Service Pack 3
/ Windows XP / SP4: Hotfix for Windows XP (KB915800-v4)
/ Windows XP / SP4: Security Update for Windows XP (KB923561)
/ Windows XP / SP4: Security Update for Windows XP (KB938464)
/ Windows XP / SP4: Security Update for Windows XP (KB946648)
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Update for Windows XP (KB951072-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP / SP4: Update for Windows XP (KB951978)
/ Windows XP / SP4: Security Update for Windows XP (KB952004)
/ Windows XP / SP4: Hotfix for Windows XP (KB952287)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Security Update for Windows XP (KB954211)
/ Windows XP / SP4: Security Update for Windows XP (KB954459)
/ Windows XP / SP4: Hotfix for Windows XP (KB954550-v5)
/ Windows XP / SP4: Security Update for Windows XP (KB954600)
/ Windows XP / SP4: Security Update for Windows XP (KB955069)
/ Windows XP / SP4: Update for Windows XP (KB955839)
/ Windows XP / SP4: Security Update for Windows XP (KB956391)
/ Windows XP / SP4: Security Update for Windows XP (KB956572)
/ Windows XP / SP4: Security Update for Windows XP (KB956802)
/ Windows XP / SP4: Security Update for Windows XP (KB956803)
/ Windows XP / SP4: Security Update for Windows XP (KB956841)
/ Windows XP / SP4: Security Update for Windows XP (KB957095)
/ Windows XP / SP4: Security Update for Windows XP (KB957097)
/ Windows XP / SP4: Security Update for Windows XP (KB958644)
/ Windows XP / SP4: Security Update for Windows XP (KB958687)
/ Windows XP / SP4: Security Update for Windows XP (KB959426)
/ Windows XP / SP4: Security Update for Windows XP (KB960225)
/ Windows XP / SP4: Security Update for Windows XP (KB960715)
/ Windows XP / SP4: Security Update for Windows XP (KB960803)
/ Windows XP / SP4: Hotfix for Windows XP (KB961118)
/ Windows XP / SP4: Security Update for Windows XP (KB961371)
/ Windows XP / SP4: Security Update for Windows XP (KB961373)
/ Windows XP / SP4: Security Update for Windows XP (KB961501)
/ Windows XP / SP4: Update for Windows XP (KB967715)
/ Windows XP / SP4: Security Update for Windows XP (KB968537)
/ Windows XP / SP4: Security Update for Windows XP (KB969898)
/ Windows XP / SP4: Security Update for Windows XP (KB970238)
/ Windows XP / SP4: Security Update for Windows XP (KB971633)
/ Windows XP / SP4: Security Update for Windows XP (KB973346)


--- Startup entries list ---
Located: HK_LM:Run, Act! Preloader
command: "C:\Program Files\ACT\Act for Windows\ActSage.exe" -preload
file: C:\Program Files\ACT\Act for Windows\ActSage.exe
size: 393216
MD5: EE6B83A90AD49DDB035AD2F69AEE5E63

Located: HK_LM:Run, Act.Outlook.Service
command: "C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe"
file: C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
size: 28672
MD5: 883625BDF6C508C81BE6AD130E0682E4

Located: HK_LM:Run, ACTSchedulerUI
command: "C:\Program Files\ACT\Act for Windows\Act.Scheduler.UI.exe" -Dfalse
file: C:\Program Files\ACT\Act for Windows\Act.Scheduler.UI.exe
size: 499712
MD5: 7E473FE86F9D79A6BEBD8166FC9FD936

Located: HK_LM:Run, AVG8_TRAY
command: C:\PROGRA~1\AVG\AVG8\avgtray.exe
file: C:\PROGRA~1\AVG\AVG8\avgtray.exe
size: 2023704
MD5: B87AE4DF2BCF791F3BBFF77AEDD2B88E

Located: HK_LM:Run, EPSON Stylus Photo R200 Series
command: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
file: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
size: 99840
MD5: A4C1716A34262E098CB585DB78895312

Located: HK_LM:Run, kmw_run.exe
command: kmw_run.exe
file: C:\WINDOWS\system32\kmw_run.exe
size: 106496
MD5: 2436367CDD597D19E6132EBD76AF4BE3

Located: HK_LM:Run, Malwarebytes Anti-Malware (reboot)
command: "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
file: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
size: 1312080
MD5: C5FCC0B761069FABD59E41B7C3280DDF

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 413696
MD5: FABAD2BFD44661D8CC627E5485BFAFAF

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre6\bin\jusched.exe"
file: C:\Program Files\Java\jre6\bin\jusched.exe
size: 149280
MD5: 5E4C9C25D603AE46DEDCBD9674F86E21

Located: HK_LM:Run, TraySantaCruz
command: C:\WINDOWS\system32\tbctray.exe
file: C:\WINDOWS\system32\tbctray.exe
size: 290816
MD5: DB287A128B405524E45534D6EAECD066

Located: HK_LM:Run, Adobe Photo Downloader (DISABLED)
command: "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
file: C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, IntelliPoint (DISABLED)
command: "C:\Program Files\Microsoft IntelliPoint\point32.exe"
file: C:\Program Files\Microsoft IntelliPoint\point32.exe
size: 204800
MD5: D6C9858536249E31A5E9A1A4F3A08113

Located: HK_LM:Run, MSWheel (DISABLED)
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, QuickTime Task (DISABLED)
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 413696
MD5: FABAD2BFD44661D8CC627E5485BFAFAF

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-2052111302-706699826-839522115-1003...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, CTSyncU.exe
where: S-1-5-21-2052111302-706699826-839522115-1003...
command: "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
file: C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
size: 700416
MD5: C00E6005BBDBA8DAEDBF7C7A7F4522A7

Located: HK_CU:Run, H/PC Connection Agent
where: S-1-5-21-2052111302-706699826-839522115-1003...
command: "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
file: C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
size: 1289000
MD5: 5515EB5E3A8B073F66CFC697EB0D4B55

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-2052111302-706699826-839522115-1003...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2260480
MD5: 390679F7A217A5E73D756276C40AE887

Located: HK_CU:Run, swg
where: S-1-5-21-2052111302-706699826-839522115-1003...
command: "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
file: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE

Located: HK_CU:Run, TomTomHOME.exe
where: S-1-5-21-2052111302-706699826-839522115-1003...
command: "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
file: C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
size: 251240
MD5: 188D622EFF263BC4BEFF08DB7D7EC811

Located: Startup (common), APC UPS Status.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
file: C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
size: 221295
MD5: D792A8E66DD10C0EAD76DF613A670B7B

Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, avgrsstarter
command: avgrsstx.dll
file: avgrsstx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{1827766B-9F49-4854-8034-F6EE26FCB1EC} (SITEguard BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: SITEguard BHO
CLSID name: ZILLAbar Browser Helper Object
Path: C:\Program Files\STOPzilla!\
Long name: SZSG.dll
Short name:
Date (created): 9/28/2009 11:55:00 AM
Date (last access): 9/29/2009 2:12:52 PM
Date (last write): 8/18/2009 4:09:46 PM
Filesize: 259520
Attributes: readonly archive
MD5: C1E8D22553A85D0EA3D3CC82EEB162CC
CRC32: 4F978459
Version: 2.0.50.0

{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} (WormRadar.com IESiteBlocker.NavFilter)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: WormRadar.com IESiteBlocker.NavFilter
CLSID name: AVG Safe Search
Path: C:\Program Files\AVG\AVG8\
Long name: avgssie.dll
Short name:
Date (created): 1/8/2009 10:26:00 AM
Date (last access): 9/29/2009 2:12:52 PM
Date (last write): 7/28/2009 7:23:48 PM
Filesize: 1111320
Attributes: archive
MD5: 726F21F6723ECEBA37DCF325E1A5FFEC
CRC32: 170FF9EA
Version: 8.5.0.405

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 9/29/2009 2:21:26 PM
Date (last access): 9/29/2009 2:21:26 PM
Date (last write): 1/26/2009 3:31:02 PM
Filesize: 1879896
Attributes: archive
MD5: 022C2F6DCCDFA0AD73024D254E62AFAC
CRC32: 5BA24007
Version: 1.6.2.14

{A3BC75A2-1F87-4686-AA43-5347D756017C} (AVG Security Toolbar BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: AVG Security Toolbar BHO
Path: C:\Program Files\AVG\AVG8\Toolbar\
Long name: IEToolbar.dll
Short name: IETOOL~1.DLL
Date (created): 6/10/2009 8:41:42 AM
Date (last access): 9/29/2009 2:12:52 PM
Date (last write): 6/2/2009 1:38:14 PM
Filesize: 1004800
Attributes:
MD5: 604AF29F1799FC48065BFB52D47567EA
CRC32: DBFD3081
Version: 2.506.2.2

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll; googletoolbar*.dll (* = number); googletoolbar_en_*.**-big.dll; Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: C:\Program Files\Google\Google Toolbar\
Long name: GoogleToolbar_32.dll
Short name: GOOGLE~2.DLL
Date (created): 8/26/2009 8:30:20 PM
Date (last access): 9/29/2009 2:12:50 PM
Date (last write): 8/26/2009 8:23:08 PM
Filesize: 256112
Attributes: archive
MD5: 783AD24A77CD964B9888F27535FCC56E
CRC32: 4A1F3697
Version: 6.2.1815.1002

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Notifier BHO
Path: C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\
Long name: swg.dll
Short name:
Date (created): 8/26/2009 8:30:24 PM
Date (last access): 9/29/2009 2:12:50 PM
Date (last write): 8/26/2009 8:30:24 PM
Filesize: 761840
Attributes: archive
MD5: 32201F66E39D48070D61D002A0D729DB
CRC32: 4210C569
Version: 5.2.4204.1700

{C84D72FE-E17D-4195-BB24-76C02E2E7C4E} (Google Dictionary Compression sdch)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: Google Dictionary Compression sdch
CLSID name: Google Dictionary Compression sdch
Path: C:\Program Files\Google\Google Toolbar\Component\
Long name: fastsearch_B7C5AC242193BB3E.dll
Short name: FASTSE~1.DLL
Date (created): 8/26/2009 8:23:02 PM
Date (last access): 9/29/2009 2:12:52 PM
Date (last write): 8/26/2009 8:23:02 PM
Filesize: 458736
Attributes: archive
MD5: CB84DFAFF68CD27E840251343B9B8E99
CRC32: E25B2196
Version: 1.0.1801.150

{D5233FCD-D258-4903-89B8-FB1568E7413D} (Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile
Path:
Long name: mscoree.dll

{DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In 2 SSV Helper
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2ssv.dll
Short name:
Date (created): 9/25/2009 10:16:48 PM
Date (last access): 9/29/2009 2:12:54 PM
Date (last write): 9/25/2009 10:16:48 PM
Filesize: 41760
Attributes: archive
MD5: 7AF9D3B7B88AF81D2F87AA846DC2EE70
CRC32: 00DFC49A
Version: 6.0.160.1

{E3215F20-3212-11D6-9F8B-00D0B743919D} (STOPzilla Browser Helper Object)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: STOPzilla Browser Helper Object
description: StopZilla
classification: Legitimate
known filename: StopzillaBHO.dll; SZIEBHO.dll
info link: http://www.stopzilla.com/site/
info source: TonyKlein
Path: C:\Program Files\STOPzilla!\
Long name: SZIEBHO.dll
Short name:
Date (created): 9/28/2009 11:55:00 AM
Date (last access): 9/29/2009 2:12:54 PM
Date (last write): 8/18/2009 4:09:46 PM
Filesize: 222656
Attributes: readonly archive
MD5: F7C46E23C9AFED47E786B379EEB1028D
CRC32: DCC87C76
Version: 5.0.50.93

{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (JQSIEStartDetectorImpl)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: JQSIEStartDetectorImpl
CLSID name: JQSIEStartDetectorImpl Class
Path: C:\Program Files\Java\jre6\lib\deploy\jqs\ie\
Long name: jqs_plugin.dll
Short name: JQS_PL~1.DLL
Date (created): 9/25/2009 10:16:50 PM
Date (last access): 9/29/2009 2:12:54 PM
Date (last write): 9/25/2009 10:16:50 PM
Filesize: 73728
Attributes: archive
MD5: 37EDBCC7E5E0B89E59941FF79A2F9746
CRC32: 60D1666F
Version: 6.0.160.1



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control)
DPF name:
CLSID name: Microsoft Office Template and Media Control
Installer: C:\WINDOWS\Downloaded Program Files\ieawsdc.inf
Codebase: http://office.microsoft.com/templates/ieawsdc.cab
description:
classification: Legitimate
known filename: IEAWSDC.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\PROGRA~1\MICROS~2\Office12\
Long name: IEAWSDC.DLL
Short name:
Date (created): 10/25/2008 6:18:50 AM
Date (last access): 9/26/2009 10:29:00 PM
Date (last write): 10/25/2008 6:18:50 AM
Filesize: 172880
Attributes: archive
MD5: E6BC6BA065287D7B6C22D9231E80AF3B
CRC32: 6F420EE1
Version: 12.0.6034.0

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object)
DPF name:
CLSID name: QuickTime Object
Installer: C:\WINDOWS\Downloaded Program Files\QTPlugin.inf
Codebase: http://www.apple.com/qtactivex/qtplugin.cab
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\QuickTime\
Long name: QTPlugin.ocx
Short name:
Date (created): 5/26/2009 5:18:52 PM
Date (last access): 9/26/2009 10:32:36 PM
Date (last write): 5/26/2009 5:18:52 PM
Filesize: 779568
Attributes: archive
MD5: 119F55DAE2859632F2DD950031CD0A3B
CRC32: 0FB7CD34
Version: 7.6.2.0

{1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer)
DPF name:
CLSID name: Musicnotes Viewer
Installer: C:\WINDOWS\Downloaded Program Files\Mnviewer.inf
Codebase: http://www.musicnotes.com/download/mnviewer.cab
description:
classification: Legitimate
known filename: mnviewer.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Musicnotes\Player\
Long name: Mnviewer.dll
Short name:
Date (created): 4/19/2008 3:06:38 PM
Date (last access): 9/26/2009 10:32:24 PM
Date (last write): 6/1/2007 2:25:24 PM
Filesize: 317016
Attributes:
MD5: 31042E7CDEA9F9EF02F559EB1B846E06
CRC32: 81DB5668
Version: 1.16.10.0

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 1/13/2006 12:06:52 PM
Date (last access): 9/26/2009 11:04:50 PM
Date (last write): 12/19/2005 5:05:56 PM
Filesize: 54976
Attributes:
MD5: 9EDA5BB8F38D6A1235D93F1A81971928
CRC32: 702383B9
Version: 10.1.0.11

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://download.microsoft.com/downl...-40e1-a617-af65a72a0465/LegitCheckControl.cab
description:
classification: Legitimate
known filename: LegitCheckControl.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: LegitCheckControl.dll
Short name: LEGITC~1.DLL
Date (created): 7/12/2005 6:04:22 PM
Date (last access): 9/29/2009 1:55:42 PM
Date (last write): 3/10/2009 10:18:20 PM
Filesize: 1482112
Attributes: archive
MD5: CC26451A90025F6C55F64146C333DEA5
CRC32: BA16A880
Version: 1.9.40.0

{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support)
DPF name:
CLSID name: Installation Support
Installer:
Codebase: C:\Program Files\Yahoo!\Common\Yinsthelper.dll
description: Yahoo! Installation helper
classification: Legitimate
known filename: %SystemRoot%\Downloaded Program Files\yinsthelper.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Yahoo!\Common\
Long name: YInstHelper.dll
Short name: YINSTH~1.DLL
Date (created): 2/6/2007 5:46:38 PM
Date (last access): 9/26/2009 10:36:08 PM
Date (last write): 2/6/2007 5:46:38 PM
Filesize: 207912
Attributes:
MD5: 4F374B4704F49E87516A105E38F886F7
CRC32: FF63FB06
Version: 2007.2.6.1

{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine)
DPF name:
CLSID name: Office Update Installation Engine
Installer: C:\WINDOWS\Downloaded Program Files\opuc.inf
Codebase: http://office.microsoft.com/officeupdate/content/opuc3.cab
description:
classification: Legitimate
known filename: opuc.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\
Long name: opuc.dll
Short name:
Date (created): 1/18/2005 1:07:18 AM
Date (last access): 9/29/2009 1:58:24 PM
Date (last write): 10/26/2006 2:59:36 PM
Filesize: 524288
Attributes:
MD5: 2AE14671DD3771110CD15ED12FED5BE6
CRC32: B312915B
Version: 12.0.4518.1014

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1235942706406
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: wuweb.dll
Short name:
Date (created): 4/9/2005 5:03:20 PM
Date (last access): 9/29/2009 1:55:26 PM
Date (last write): 10/16/2008 3:12:24 PM
Filesize: 202776
Attributes: archive
MD5: 0006DE8037F5A562F96B461B3C557C3C
CRC32: 9B107DED
Version: 7.2.6001.788

{6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate)
DPF name:
CLSID name: Creative Software AutoUpdate
Installer: C:\WINDOWS\Downloaded Program Files\CTSUEng.inf
Codebase: http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
Path: C:\WINDOWS\DOWNLO~1\
Long name: CTSUEngn.ocx
Short name:
Date (created): 6/11/2008 4:45:56 PM
Date (last access): 9/29/2009 1:58:34 PM
Date (last write): 6/11/2008 4:45:56 PM
Filesize: 643792
Attributes:
MD5: 96659FBC9A8B951DDD46C3FF509AE9B1
CRC32: C145AD52
Version: 1.51.1.0

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_16
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_16.dll
Short name: NPJPI1~1.DLL
Date (created): 9/25/2009 10:16:50 PM
Date (last access): 9/26/2009 10:21:36 PM
Date (last write): 9/25/2009 10:16:50 PM
Filesize: 136992
Attributes: archive
MD5: EF5C38E082CA41D7588621F3DFA09A64
CRC32: D4B4406B
Version: 6.0.160.1

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine)
DPF name:
CLSID name: Office Update Installation Engine
Installer: C:\WINDOWS\Downloaded Program Files\opuc.inf
Codebase: http://office.microsoft.com/officeupdate/content/opuc4.cab
description:
classification: Legitimate
known filename: opuc.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\
Long name: opuc.dll
Short name:
Date (created): 1/18/2005 1:07:18 AM
Date (last access): 9/29/2009 1:58:24 PM
Date (last write): 10/26/2006 2:59:36 PM
Filesize: 524288
Attributes:
MD5: 2AE14671DD3771110CD15ED12FED5BE6
CRC32: B312915B
Version: 12.0.4518.1014

{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_16
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_16.dll
Short name: NPJPI1~1.DLL
Date (created): 9/25/2009 10:16:50 PM
Date (last access): 9/29/2009 2:48:44 PM
Date (last write): 9/25/2009 10:16:50 PM
Filesize: 136992
Attributes: archive
MD5: EF5C38E082CA41D7588621F3DFA09A64
CRC32: D4B4406B
Version: 6.0.160.1

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_16
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_16.dll
Short name: NPJPI1~1.DLL
Date (created): 9/25/2009 10:16:50 PM
Date (last access): 9/29/2009 2:48:44 PM
Date (last write): 9/25/2009 10:16:50 PM
Filesize: 136992
Attributes: archive
MD5: EF5C38E082CA41D7588621F3DFA09A64
CRC32: D4B4406B
Version: 6.0.160.1

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash10c.ocx
Short name:
Date (created): 7/17/2009 8:12:12 PM
Date (last access): 9/29/2009 1:18:54 PM
Date (last write): 7/17/2009 8:12:12 PM
Filesize: 3979680
Attributes: readonly archive
MD5: 43C6ACDFB92A18C3E516E6BD5F1ACD51
CRC32: D6F40D46
Version: 10.0.32.18

{E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class)
DPF name:
CLSID name: get_atlcom Class
Installer: C:\WINDOWS\Downloaded Program Files\gp.inf
Codebase: http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: gp.ocx

{F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package)
DPF name:
CLSID name: Creative Software AutoUpdate Support Package
Installer: C:\WINDOWS\Downloaded Program Files\CTPID.inf
Codebase: http://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
description:
classification: Legitimate
known filename: CTPID.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: CTPID.ocx
Short name:
Date (created): 9/4/2008 4:19:38 PM
Date (last access): 9/29/2009 1:58:34 PM
Date (last write): 9/4/2008 4:19:38 PM
Filesize: 37616
Attributes:
MD5: 034B1C07FA8C265C77EF054FB6BC6473
CRC32: 868AADBC
Version: 1.0.49.0



--- Process list ---
PID: 0 ( 0) [System]
PID: 448 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 504 ( 448) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 528 ( 448) \??\C:\WINDOWS\system32\winlogon.exe
size: 507904
PID: 572 ( 528) C:\WINDOWS\system32\services.exe
size: 110592
MD5: 65DF52F5B8B6E9BBD183505225C37315
PID: 584 ( 528) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: BF2466B3E18E970D8A976FB95FC1CA85
PID: 752 ( 572) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 800 ( 572) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 868 ( 572) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 908 ( 572) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 956 ( 572) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1032 ( 572) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1048 ( 572) C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
size: 611664
MD5: 17067069B9A7865028C1F2E6971D0CCC
PID: 1408 (1364) C:\WINDOWS\Explorer.EXE
size: 1033728
MD5: 12896823FB95BFB3DC9B46BCAEDC9923
PID: 1580 (1408) C:\WINDOWS\system32\kmw_run.exe
size: 106496
MD5: 2436367CDD597D19E6132EBD76AF4BE3
PID: 1632 (1408) C:\PROGRA~1\AVG\AVG8\avgtray.exe
size: 2023704
MD5: B87AE4DF2BCF791F3BBFF77AEDD2B88E
PID: 1640 (1408) C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
size: 28672
MD5: 883625BDF6C508C81BE6AD130E0682E4
PID: 1656 (1408) C:\Program Files\ACT\Act for Windows\Act.Scheduler.UI.exe
size: 499712
MD5: 7E473FE86F9D79A6BEBD8166FC9FD936
PID: 1684 (1408) C:\Program Files\Java\jre6\bin\jusched.exe
size: 149280
MD5: 5E4C9C25D603AE46DEDCBD9674F86E21
PID: 1708 (1408) C:\WINDOWS\system32\tbctray.exe
size: 290816
MD5: DB287A128B405524E45534D6EAECD066
PID: 1736 (1408) C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
size: 700416
MD5: C00E6005BBDBA8DAEDBF7C7A7F4522A7
PID: 1744 (1408) C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
size: 251240
MD5: 188D622EFF263BC4BEFF08DB7D7EC811
PID: 1748 (1580) C:\WINDOWS\system32\KMW_SHOW.EXE
size: 176128
MD5: ED4856133C0519DB80ABDB43424E2854
PID: 1776 (1408) C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
size: 1289000
MD5: 5515EB5E3A8B073F66CFC697EB0D4B55
PID: 1800 (1408) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
PID: 1952 ( 752) C:\PROGRA~1\MICROS~4\rapimgr.exe
size: 199464
MD5: 7D4A768DEA3DC643CBB65222D5B1377B
PID: 244 (1856) C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
size: 413807
MD5: 7AFDA26A52E92C938CDAD981061E41F4
PID: 720 ( 572) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: D8E14A61ACC1D4A6CD0D38AEBAC7FA3B
PID: 1376 ( 572) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1468 ( 572) C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
size: 176241
MD5: 29DEB59DE57EA97553B1566F04B39D11
PID: 1092 ( 572) C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
size: 297752
MD5: DB338A6BD3976904EB0F8343F51E64EB
PID: 1608 ( 572) C:\WINDOWS\system32\CTsvcCDA.exe
size: 44032
MD5: 3C8B6609712F4FF78E521F6DCFC4032B
PID: 1476 (1092) C:\PROGRA~1\AVG\AVG8\avgam.exe
size: 832792
MD5: 309DE2B599871BC38C58B49B2F08EB10
PID: 1364 ( 572) C:\Program Files\Java\jre6\bin\jqs.exe
size: 153376
MD5: 09417134F248DFCEEA15C72BCC87F592
PID: 1704 (1092) C:\Program Files\AVG\AVG8\avgrsx.exe
size: 486680
MD5: 65EA6EB029BB031773473AD9A78A666D
PID: 2028 (1092) C:\PROGRA~1\AVG\AVG8\avgnsx.exe
size: 595736
MD5: A6CF4FF9BE1202800C22EC5A6A7CF4A6
PID: 1148 ( 572) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
size: 29263712
MD5: 4263DCF845B089E397C7C3BFC74F04FE
PID: 2084 ( 572) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
size: 185632
MD5: E0D0CB09AA07B22BE984E4F7EC0326F5
PID: 2136 ( 572) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
size: 239968
MD5: B2EC3E1DEAC5F0A764BD3486D213A0AF
PID: 2264 ( 572) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
size: 87904
MD5: D2F4F32B59440011174B4F8137AF4E0C
PID: 2308 ( 572) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 2336 ( 572) C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
size: 92008
MD5: 800AE7DB015952A610F7FD2185747CCE
PID: 2380 ( 572) C:\Program Files\UPHClean\uphclean.exe
size: 192573
MD5: C65BDF0E5B5413D4FD939068666E564A
PID: 2552 ( 572) C:\WINDOWS\system32\SearchIndexer.exe
size: 439808
MD5: 7778BDFA3F6F6FBA0E75B9594098F737
PID: 3040 ( 868) C:\WINDOWS\system32\wscntfy.exe
size: 13824
MD5: F92E1076C42FCD6DB3D72D8CFE9816D5
PID: 3384 ( 572) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: 8C515081584A38AA007909CD02020B3D
PID: 3112 (3484) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 4008 (3476) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2260480
MD5: 390679F7A217A5E73D756276C40AE887
PID: 5368 (3112) C:\WINDOWS\hh.exe
size: 10752
MD5: 6BA0A833DCABF3E28622143689E2C92E
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 9/29/2009 2:48:44 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/keyword/%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{933CE23D-BA68-43B3-A92C-D366AD1926F3}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{933CE23D-BA68-43B3-A92C-D366AD1926F3}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7EB0318D-4BE5-42F3-ADF0-972542C56AA5}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7EB0318D-4BE5-42F3-ADF0-972542C56AA5}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FB48C8C7-8CBE-4F90-B517-5391A4C4DF10}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FB48C8C7-8CBE-4F90-B517-5391A4C4DF10}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7307E0B9-BEB3-49FD-AA18-395DBAC59AD6}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7307E0B9-BEB3-49FD-AA18-395DBAC59AD6}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2B1C748F-2E7D-42FB-96AF-207BF16A97D6}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2B1C748F-2E7D-42FB-96AF-207BF16A97D6}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace



=== AVG report ===
"Scan ""Scan whole computer"" was finished."
"Infections";"2";"2";"0"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Tuesday, September 29, 2009, 3:20:46 PM"
"Scan finished:";"Tuesday, September 29, 2009, 5:03:57 PM (1 hour(s) 43 minute(s) 11 second(s))"
"Total object scanned:";"700333"
"User who launched the scan:";"Geoff"

"Infections"
"File";"Infection";"Result"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir";"Trojan horse Generic14.BMJO";"Moved to Virus Vault"
"C:\System Volume Information\_restore{3D2F4BBA-EAB6-4978-9EBA-5CDE82BEBE2A}\RP3\A0000634.dll";"Trojan horse Generic14.BMJO";"Moved to Virus Vault"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\Geoff\Application Data\Mozilla\Firefox\Profiles\wrnsupub.default\cookies.sqlite";"Found Tracking cookie.Yadro";"Healed"
"C:\Documents and Settings\Geoff\Application Data\Mozilla\Firefox\Profiles\wrnsupub.default\cookies.sqlite:\yadro.ru.c77afad5";"Found Tracking cookie.Yadro";"Moved to Virus Vault"
 
Nothing bad is jumping out at me from the DDS Log and the MalwareBytes' Log came up clean. :)

What is UPHClean?

UPHClean comes directly from Microsoft. "The User Profile Hive Cleanup service helps to ensure user sessions are completely terminated when a user logs off." Do you remember downloading it? If you didn't, it may have come with a Microsoft update or another Microsoft program you downloaded in the past. I would go ahead and leave it alone.

More info on UPHClean:

http://www.processlibrary.com/directory/files/uphclean/
http://www.microsoft.com/downloadS/...6d-8912-4e18-b570-42470e2f3582&displaylang=en


Is STOPZilla a problem? I don't know where it came from, and when I tried to uninstall it the other day it totally broke IE and also took out something that then prevented the ACT SQL server from loading, so I was relieved that the System Restore was there, again. This is the same thing that happened when I tried to remove the duplicate Personal Folders from Outlook 2007.

Apparently neither of these are creating problems that are detectable so should I just leave them, and other stuff like them, alone?

Haven't heard of any problems with StopZilla. Does anyone else use the computer besides yourself? Perhaps they downloaded/installed it without your knowledge. Since things appear to be working now (if I'm reading your last sentence correctly), I'd just leave well enough alone for now.

I'll report back one more time after I have completed your last set of instructions.

Ok sounds good. :)

===================


What Spybot found were some registry keys. Go ahead and rerun Spybot S&D (be sure to update first) and let me know if they (or anything new) show up again.


As for AVG, it found and cleaned some tracking cookies, a file in the Qoobox folder (which is where ComboFix keeps its quarantined files) and an infected System Restore point (which I mentioned earlier are harmless and my "All-Clean" instructions showed you how to remove them and set a new, clean one).
 
OK, I think we're good. No more errors are showing up and everything appears to be running as it should.

I am almost through the Please Read section of your last post, which I will complete this afternoon.

Question: I don't understand your request that I: "Please take the time to read <your> All Clean Post." What is that referring to?

In retrospect I thought I was already well armed and secure before this all happened. Now, with the additional tools I have acquired as a result of this exercise, I feel anger over the fact that the internet has evolved to such a hostile environment that it requires this incredibly high level of protection.

Thank you so much for all your efforts in helping me work through this ordeal. It took about as much time as it would have to rebuild the machine but it was also a lot less trouble and data repair work. I am grateful! And I hope you're making some big bucks doing this. You deserve it.

For a long time I have been using mostly free versions of much of the software you recommend. I think it's time I actually started paying for them. And I'm going to begin with donations to Safer Networking and Spybot S&D.

Final set of questions:

: How do I go about deleting corrupt exe files that continue to tell me that I don't have access to them? Such as the old renamed S&D files and the old RootRepeal.exe that I still can't remove?

: You gave a list of files that it was now OK to delete, but it did not include everything that we used. Are programs such as MalwareBytes and ATF-Cleaner still of any use?

: Once you close this case will this thread continue to live on the forum? There are a lot of useful links and info here that I want to be able to reference and apply to my other computer that has so far remained unscathed, but which can also stand to have its protection beefed up.

Again, many thanks!:bigthumb:
 
Good to hear that things are running well. :bigthumb:

Question: I don't understand your request that I: "Please take the time to read <your> All Clean Post." What is that referring to?

Are you referring to this in Post#19 of the thread?:

Please take the time to read my All Clean Post.

It just means that I'd like for you to make sure you take the time to read through and do everything below that line (and above that line as well) in that particular post. And it sounds like you already have/are going to. :)


You gave a list of files that it was now OK to delete, but it did not include everything that we used. Are programs such as MalwareBytes and ATF-Cleaner still of any use?

Both MalwareBytes' and ATF-Cleaner are very useful programs and definitely worth keeping on your computer. MalwareBytes' is an excellent anti-spyware/malware program that is frequently updated (often 2-3 times a day), I would run a Quick Scan with it at least every 2 weeks or so, making sure to check for Updates first.

And ATF-Cleaner is a great temp/junk file cleaner which will help keep junk off your computer that can accumulate over time. I would run it every couple of weeks as well.


Once you close this case will this thread continue to live on the forum? There are a lot of useful links and info here that I want to be able to reference and apply to my other computer that has so far remained unscathed, but which can also stand to have its protection beefed up.

All closed threads on the Safer Networking forum go into the Archives section of the forum. You can no longer reply to your thread once it is in the Archives, but you can easily access it for reference. :)


How do I go about deleting corrupt exe files that continue to tell me that I don't have access to them? Such as the old renamed S&D files and the old RootRepeal.exe that I still can't remove?

We'll need to use a final set of tools to help get back permissions so you can delete those files. First, we'll run a tool that'll show us what files you don't have permissions (deleting, moving, running, etc) for:


We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).
* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.
 
Here is the result from the Junction scan:



Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

...

...

...

...

...
Failed to open \\?\c:\\Documents and Settings\Geoff\Desktop\RootRepeal.exe: Access is denied.



Failed to open \\?\c:\\Documents and Settings\Geoff\Desktop\Downloads\installFolder\HijackThis.exe: Access is denied.





Failed to open \\?\c:\\Documents and Settings\Geoff\Desktop\SaferNetworking\RootRepeal.exe: Access is denied.


...

.
Failed to open \\?\c:\\Documents and Settings\Geoff\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db: Access is denied.



Failed to open \\?\c:\\Documents and Settings\Geoff\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db.shadow: Access is denied.


..

...

...

...

...

...

...

...

.
Failed to open \\?\c:\\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe: Access is denied.


..

...

...

...

...

...

...
Failed to open \\?\c:\\Program Files\OLD-2Spybot - Search & Destroy\SpybotSD.exe: Access is denied.



Failed to open \\?\c:\\Program Files\oldspybot~2\SpybotSD.exe: Access is denied.



Failed to open \\?\c:\\Program Files\old_spybot~1\SpybotSD.exe: Access is denied.




...
Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe: Access is denied.




..
Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.


.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

..No reparse points found.
 
I'd like for you to do this next:

We need to reset the permissions altered by the malware on some files.

* Download this tool and save it to your Desktop: <-- Important

Inherit.exe

Make sure that Inherit.exe is on your Desktop

* Go to Start => Run => Copy and paste the first line of the following lines in the run box and click OK:


"%userprofile%\desktop\inherit" "c:\Documents and Settings\Geoff\Desktop\RootRepeal.exe"
"%userprofile%\desktop\inherit" "c:\Documents and Settings\Geoff\Desktop\Downloads\installFolder\HijackThis.exe"
"%userprofile%\desktop\inherit" "c:\Documents and Settings\Geoff\Desktop\SaferNetworking\RootRepeal.exe"
"%userprofile%\desktop\inherit" "c:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe"
"%userprofile%\desktop\inherit" "c:\Program Files\OLD-2Spybot - Search & Destroy\SpybotSD.exe"
"%userprofile%\desktop\inherit" "c:\Program Files\oldspybot~2\SpybotSD.exe"
"%userprofile%\desktop\inherit" "c:\Program Files\old_spybot~1\SpybotSD.exe"
"%userprofile%\desktop\inherit" "c:\Program Files\Trend Micro\HijackThis\HijackThis.exe"


* If you get a security warning select Run.
* You will get a "Finish" popup. Click OK.
* Do the same for the rest of the lines until you have run all the above commands one by one.


Once you've run all the above commands, try deleting the .exe files that you couldn't delete before. Let me know if you were able to delete them or not.
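Putting the Junction scan and the Inherit.exe step together, as an added example that is neither the helper's tool nor Sysinternals code: the script reads a Junction -s log like the one posted above, sets aside the sharing violations (hiberfil.sys and pagefile.sys are always in use) and the "Access is denied" hits on OS-owned paths that a normal user is expected to get (System Volume Information, CardSpace; that PROTECTED list is my assumption for this example, not something Junction reports), and prints one Run-box line per remaining file in the same form as the list in the post above. The signal in this log was never "Access is denied" as such, it was denial on files in the user's own Desktop and on anti-malware executables. The icacls_commands helper is an aside for Windows Vista and later, where the built-in `icacls <file> /reset` restores inherited ACLs; the XP machine in this thread has only cacls, which is why a separate Inherit.exe was used.

```python
r"""Triage a Junction -s log into files whose ACLs need resetting.

Added example, not from the original thread. SAMPLE_JUNCTION_LOG is an
excerpt of the Junction output posted above; Junction prints each path with
a doubled backslash after the drive letter, which normalise() repairs.
PROTECTED (paths a normal user is expected to be denied on) is an
assumption made for this example, not something Junction reports.
"""
import re

FAILED_RE = re.compile(r"^Failed to open \\\\\?\\(.+?): (.+)$")
IN_USE = "being used by another process"
DENIED = "Access is denied."
# Expected denials on a healthy XP box: OS-owned locations, not malware.
PROTECTED = ("\\system volume information\\", "\\microsoft\\cardspace\\")

SAMPLE_JUNCTION_LOG = r"""
Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
...
Failed to open \\?\c:\\Documents and Settings\Geoff\Desktop\RootRepeal.exe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Geoff\Desktop\Downloads\installFolder\HijackThis.exe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Geoff\Desktop\SaferNetworking\RootRepeal.exe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Geoff\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Geoff\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db.shadow: Access is denied.
Failed to open \\?\c:\\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe: Access is denied.
Failed to open \\?\c:\\Program Files\OLD-2Spybot - Search & Destroy\SpybotSD.exe: Access is denied.
Failed to open \\?\c:\\Program Files\oldspybot~2\SpybotSD.exe: Access is denied.
Failed to open \\?\c:\\Program Files\old_spybot~1\SpybotSD.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe: Access is denied.
Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.
..No reparse points found.
"""


def normalise(path):
    """Collapse Junction's 'c:\\foo' spelling to the plain 'c:\foo' form."""
    return re.sub(r"^([A-Za-z]:)\\\\", r"\1\\", path)


def triage(log_text):
    """Sort every 'Failed to open' line by why it failed."""
    result = {"in_use": [], "protected": [], "reset_candidates": [], "other": []}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line.strip())
        if not m:
            continue  # progress dots, banner, summary line
        path, reason = normalise(m.group(1)), m.group(2)
        if IN_USE in reason:
            result["in_use"].append(path)
        elif reason == DENIED:
            if any(marker in path.lower() for marker in PROTECTED):
                result["protected"].append(path)
            else:
                result["reset_candidates"].append(path)
        else:
            result["other"].append((path, reason))
    return result


def inherit_commands(paths):
    """One Run-box line per file, in the form used in the post above."""
    return ['"%userprofile%\\desktop\\inherit" "{}"'.format(p) for p in paths]


def icacls_commands(paths):
    """Built-in equivalent on Windows Vista and later: restore inherited ACLs."""
    return ['icacls "{}" /reset'.format(p) for p in paths]


if __name__ == "__main__":
    t = triage(SAMPLE_JUNCTION_LOG)
    for p in t["in_use"]:
        print("in use (expected):", p)
    for p in t["protected"]:
        print("protected OS path (expected):", p)
    print("\nRun-box lines:")
    for c in inherit_commands(t["reset_candidates"]):
        print(c)
```

Run against the excerpt it reproduces the eight Inherit.exe lines from the post, in the same order, and leaves CardSpace and System Volume Information alone. Review the candidate list before running anything: a denied executable is a lead to investigate, and here SZServer.exe belongs to STOPZilla rather than to the malware, so resetting its ACL only matters if you intend to remove that program.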
 
SUCCESS! I think this is goodbye.

One last question: Is it possible to identify what evil bug, or combination of bugs, my computer had? If yes, what was it, or were they?

Thanks again!
 
SUCCESS! I think this is goodbye.

One last question: Is it possible to identify what evil bug, or combination of bugs, my computer had? If yes, what was it, or were they?

Thanks again!

Excellent. :) You can go ahead and delete Junction.zip, Junction.exe and Inherit.exe off of your computer now.

What you had is known as Max++. One of its main features is that it denies permissions on .exe files, especially .exe files belonging to anti-malware/spyware programs.
 
Thanks for that info. And thanks again for your help. I just did full backup and everything appears to be back in order again. I don't have any bugs on my other machine, that I'm aware of, but I'm going to use this thread, after you move it to the archives, as a guide on what housekeeping steps I need to attend to and what to install keep it that way. I hope I never have to go through this again!

Thanks again.
 