Author Topic: Er......this really sucks. Help, please?  (Read 68892 times)

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Er......this really sucks. Help, please?
« Reply #75 on: October 28, 2007, 11:21:22 PM »
Hi alex, I tried to post earlier when you were on, but was having problems with the forum, really slow.

re:avast
I don't think there's anything not functioning.

If you hover the mouse over the "a" icon, it will tell you how many providers are running.


Quote from: mauserme
What type of network are you in?  If wireless is it password protected?
I have ADSL home internet, not wireless. Is that what you mean?

Yes, that was the question. Do you have more than one computer connected via a router?

Quote from: mauserme
see if you can run ComboFix from the C: partition.
Just to clarify, you want me to save ComboFix to my C partition and run it just like that?
I believe that's what he wants, but should wait for him to confirm.


Ran a search, only found one Frostwire.exe in D:\Program Files\Frostwire\

Do you have a version number?

Maybe it's just a coincidence that two notices from avast about a Trojan came up just as I finished running the keygen but I uploaded the file to VirusTotal just now and came out with this, is it significant?

According to the virustotal scan, avast isn't detecting anything in the keygen file you uploaded. Please check the avast log-warning.

Sometimes the path is too long to see completely even by expanding the columns. If that's the case...

right click the "a" icon, click log viewer, warning tab
click edit, filter
in the "time range" section set a range just prior to and after the detection
click select defined, ok
click the export icon
type a name and save as all files(*.*)

This will give you the file avast is detecting, please submit that one.

I'm going to do some more checking on those files.

You can also scan your c:\ with SAS, I should have mentioned this earlier.  :-[

« Last Edit: October 29, 2007, 12:00:17 AM by oldman »

alex1234

  • Guest
Re: Er......this really sucks. Help, please?
« Reply #76 on: October 29, 2007, 04:24:59 AM »
I have Frostwire 4.13.2.
There are 6 out of 7 providers running in avast. If I am reading it right it might be Outlook/Exchange that isn't running since all others show up under the Pause Provider option.
No, there is only this computer.

Quote
This will give you the file avast is detecting, please submit that one.
Both times that the alert came up after running the keygen, it was D:\Documents and Settings\Administrator\Local Settings\Temp\lsass.exe
but earlier I was asked to empty out my Temp folder so it is no longer there, nor is it in my Recycle Bin, so I cannot upload it to VirusTotal.

I ran SAS (complete scan) with only my C drive checked, it seemed to also want to check D as well. At any rate, it found 6 tracking cookies...but in D....the log is attached. *shrugs*

Offline oldman

Re: Er......this really sucks. Help, please?
« Reply #77 on: October 29, 2007, 05:05:26 AM »
There are 6 out of 7 providers running in avast. If I am reading it right it might be Outlook/Exchange that isn't running since all others show up under the Pause Provider option.

Avast seems to be functioning fine.


Both times that the alert came up after running the keygen, it was D:\Documents and Settings\Administrator\Local Settings\Temp\lsass.exe

If you moved it to the chest, you can submit that one. You will have to extract it to a temp folder to submit. In the chest right click the file and extract. You can delete the temp folder after.

As for the SAS scan, c:\ must be very clean, or something is well hidden. I haven't heard from mauserme, but I'm sure he wants you to d/l combofix to C:\ and run it from there.

As for the keygen submission not many detected it so it could just be the behavior of a keygen.


This will make accessing the chest easier.

right click on your desktop, select new, shortcut, paste the following line in the box

"D:\Program Files\Alwil Software\Avast4\ASHCHEST.EXE"

or use the browse.

« Last Edit: October 29, 2007, 05:26:05 AM by oldman »

mauserme

  • Guest
Re: Er......this really sucks. Help, please?
« Reply #78 on: October 29, 2007, 01:09:02 PM »
Sorry - I've been under the weather this weekend.

In regard to ComboFix, please download a new copy to C: and run it from here.

But I have to tell you the P2P is risky enough and keygens almost guarantee infection.  I'm not being judgemental about it - just saying the reality is we could spend weeks cleaning this only to find it's back the next time you use a keygen.  If you're going to keep doing this, reformatting every so often might be the most efficient solution.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89349
  • No support PMs thanks
Re: Er......this really sucks. Help, please?
« Reply #79 on: October 29, 2007, 03:35:07 PM »
But I have to tell you the P2P is risky enough and keygens almost guarantee infection.  I'm not being judgemental about it - just saying the reality is we could spend weeks cleaning this only to find it's back the next time you use a keygen.  If you're going to keep doing this, reformatting every so often might be the most efficient solution.

I couldn't agree more, keygens and cracks are high risk exercises (who are you going to complain to if something bad happens), without getting into the potential moral and legal arguments.

If I were you I would invest in some pro-active measures; if you have a back-up and recovery plan, you can recover from anything in minutes, not hours or days as in this case.

1. back-up all the things that you don't want to lose, data files, like documents, spreadsheets, emails, email account details, registration keys, address book, favourites/bookmarks, downloaded files/programs, etc. the list goes on and on but if you don't want to lose it back it up. There are many back-up programs that can simplify this task and run it every day.

2. Recovery - re-installing your system really is a poor choice and one of last resort. There are tools (Drive Imaging software) that take exact images of your Partitions or Hard Disks and these images can be restored in minutes if you suffer a major catastrophe and that doesn't have to be a virus attack.

I do a weekly image of my partitions and save them to my 2nd hard disk, they can also be saved to off-line storage, DVD, USB external hard disk, etc. as part of my weekly system maintenance.

So if the worst comes to the worst at most I lose:
A. 6 days worth of program updates or new installations, but with my daily back-up I can recover most of that.
B. less than one days data files, emails, etc.
None of these is a problem and much quicker than a system reinstall and I don't have to go on-line to download the myriad of security updates needed to secure my system where there is a chance to get reinfected whilst my system has vulnerabilities because of these missing patches. Not to mention all my system tweaks and program settings are retained and I will have saved myself many hours of work and a huge amount of stress.

Many of these programs cost, there are some free ones, but it will take some research on your part to find these tools and decide on what is best for you from reviews, user feedback, etc. Good luck.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

alex1234

  • Guest
Re: Er......this really sucks. Help, please?
« Reply #80 on: October 30, 2007, 08:43:50 PM »
Quote from: oldman
If you moved it to the chest, you can submit that one. You will have to extract it to a temp folder to submit. In the chest right click the file and extract.
I submitted the most recent version of lsass.exe and it came out with 13/32 or about 40%.

ComboFix was run from C:\ and this time it was complete for sure, log is attached. It didn't require a restart this time.

Thanks for the advice, DavidR. I don't use my system to store anything earth-shatteringly important so I am willing to let a lot of it go if I have to so I am not averse to wiping it clean, however it is true that it was annoying that I had to reinstall everything and get XP updated again. So I will certainly do some hunting around and be a bit more careful about what I do.

Also, there is a program in the Windows\system32 directory called msnmgr.exe that keeps on wanting to make connections that I now deny. At first I thought it was MSN Messenger (now Windows Live Messenger) but the executable that is in the MSN Program Files is called msnmsgr.exe, not msnmgr.exe. Moreover, msnmgr.exe wants to make connections even without MSN Messenger running. Is this another security risk? I did a Google on this file and some sites seem to call it a Trojan, others suggest it's part of the MSN Messenger program. Thanks.

Offline DavidR

Re: Er......this really sucks. Help, please?
« Reply #81 on: October 30, 2007, 09:15:01 PM »
You're welcome.

I would advise you also upload this windows\system32\msnmgr.exe to virustotal and report the findings here. If multiple detections, also send a sample to avast.

Offline oldman

Re: Er......this really sucks. Help, please?
« Reply #82 on: October 30, 2007, 09:17:24 PM »
Hi

Submit the file, msnmgr.exe, to virustotal. I got some hits on that name. If positive, add it to the users section of the chest and see below. Post the result, it would be good to know what it was detected as.

edit: just a bit more to what DavidR posted

edit2

Can you also look for this file?

D:\WINDOWS\system32\cmbvuyuo.dll

Just check the files and add to the users section.
« Last Edit: October 31, 2007, 03:24:10 AM by oldman »

Offline oldman

Re: Er......this really sucks. Help, please?
« Reply #83 on: October 31, 2007, 01:35:36 AM »
alex

Please download OTMoveIt  by OldTimer.  Save it to your desktop

Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

D:\WINDOWS\system32\msnmgr.exe   
D:\WINDOWS\system32\cmbvuyuo.dll




Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes


Download SDFix and save it to your desktop.

Do not run it yet. See end of this post.

To run SDFix

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install.  The SDFix Folder will be extracted to %systemdrive% \ (Drive that contains the Windows directory - typically 'C:\SDFix') Open the SDFix folder in Safe Mode then double click the RunThis.bat file to start the fixtool.  Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.  Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.  When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum.


From the C: partition please do the following, run in the following order

Fresh ComboFix log
Fresh HJAlex log
SDFix log (if it runs)



« Last Edit: October 31, 2007, 05:04:07 PM by oldman »

alex1234

  • Guest
Re: Er......this really sucks. Help, please?
« Reply #84 on: November 01, 2007, 09:09:29 PM »
Another suspicious thing about the msnmgr.exe file is that the icon for it is the same as the one for the Nero keygen. It looks basically like a maroon-coloured letter 'e' inside a maroon-coloured rounded rectangular border.

File msnmgr.exe received on 11.01.2007 20:41:04 (CET)
Result: 13/32 (40.63%)
AhnLab-V3   2007.11.2.0   2007.11.01   -
AntiVir   7.6.0.30   2007.11.01   HEUR/Crypted
Authentium   4.93.8   2007.11.01   -
Avast   4.7.1074.0   2007.11.01   -
AVG   7.5.0.503   2007.11.01   BackDoor.RBot
BitDefender   7.2   2007.11.01   DeepScan:Generic.Sdbot.2E946E80
CAT-QuickHeal   9.00   2007.11.01   Win32.Backdoor.Rbot.bmr
ClamAV   0.91.2   2007.11.01   PUA.Packed.Themida
DrWeb   4.44.0.09170   2007.11.01   -
eSafe   7.0.15.0   2007.10.28   -
eTrust-Vet   31.2.5259   2007.11.01   -
Ewido   4.0   2007.11.01   -
FileAdvisor   1   2007.11.01   -
Fortinet   3.11.0.0   2007.10.19   -
F-Prot   4.3.2.48   2007.11.01   -
F-Secure   6.70.13030.0   2007.11.01   Backdoor.Win32.Rbot.esb
Ikarus   T3.1.1.12   2007.11.01   Backdoor.Win32.Rbot.esb
Kaspersky   7.0.0.125   2007.11.01   Backdoor.Win32.Rbot.esb
McAfee   5154   2007.11.01   -
Microsoft   1.2908   2007.11.01   -
NOD32v2   2632   2007.11.01   -
Norman   5.80.02   2007.11.01   W32/Spybot.CJCM
Panda   9.0.0.4   2007.11.01   -
Prevx1   V2   2007.11.01   Heuristic: Suspicious Self Modifying EXE
Rising   20.16.31.00   2007.11.01   -
Sophos   4.23.0   2007.11.01   -
Sunbelt   2.2.907.0   2007.10.31   VIPRE.Suspicious
Symantec   10   2007.11.01   W32.Spybot.Worm
TheHacker   6.2.9.110   2007.10.27   -
VBA32   3.12.2.4   2007.10.31   -
VirusBuster   4.3.26:9   2007.11.01   -
Webwasher-Gateway   6.6.1   2007.11.01   Heuristic.Crypted
Additional information
File size: 616541 bytes
MD5: 33f56658331dcee83f0591d90ec9f08a
SHA1: 7435923c1611eb9b0f0596b4517af4f3fad528c8
packers: Themida
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=8AF4E2395DFA3C39689309F0A598E600DC1104DB
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.


As for the cmbvuyuo.dll file, it is no longer in D:\WINDOWS\system32\ but I found it in D:\qoobox\Quarantine\D\WINDOWS\system32 where it was renamed to cmbvuyuo.dll.vir
Now this file cmbvuyuo.dll.vir is the one I uploaded to VirusTotal and this is what I got:

File cmbvuyuo.dll.vir received on 11.01.2007 20:58:38 (CET)
Result: 21/32 (65.63%)
AhnLab-V3   2007.11.2.0   2007.11.01   -
AntiVir   7.6.0.30   2007.11.01   TR/Dldr.ConHook.Gen
Authentium   4.93.8   2007.11.01   -
Avast   4.7.1074.0   2007.11.01   Win32:Vundo-gen57
AVG   7.5.0.503   2007.11.01   Lop
BitDefender   7.2   2007.11.01   Trojan.Vundo.DNR
CAT-QuickHeal   9.00   2007.11.01   -
ClamAV   0.91.2   2007.11.01   -
DrWeb   4.44.0.09170   2007.11.01   Trojan.Click.4739
eSafe   7.0.15.0   2007.10.28   Suspicious File
eTrust-Vet   31.2.5259   2007.11.01   Win32/Nisrest.C
Ewido   4.0   2007.11.01   -
FileAdvisor   1   2007.11.01   -
Fortinet   3.11.0.0   2007.10.19   -
F-Prot   4.3.2.48   2007.11.01   -
F-Secure   6.70.13030.0   2007.11.01   Vundo.gen41
Ikarus   T3.1.1.12   2007.11.01   Trojan.Vundo.DNR
Kaspersky   7.0.0.125   2007.11.01   not-a-virus:AdWare.Win32.Virtumonde.ady
McAfee   5154   2007.11.01   Vundo
Microsoft   1.2908   2007.11.01   Trojan:Win32/Vundo
NOD32v2   2632   2007.11.01   Win32/Adware.Virtumonde
Norman   5.80.02   2007.11.01   Vundo.gen41
Panda   9.0.0.4   2007.11.01   Spyware/Virtumonde
Prevx1   V2   2007.11.01   -
Rising   20.16.31.00   2007.11.01   -
Sophos   4.23.0   2007.11.01   Troj/Virtum-Gen
Sunbelt   2.2.907.0   2007.10.31   Virtumonde
Symantec   10   2007.11.01   Trojan Horse
TheHacker   6.2.9.110   2007.10.27   Adware/Virtumonde.ady
VBA32   3.12.2.4   2007.10.31   AdWare.Win32.Virtumonde.ady
VirusBuster   4.3.26:9   2007.11.01   -
Webwasher-Gateway   6.6.1   2007.11.01   Trojan.Dldr.ConHook.Gen


So in this light, with regards to oldman's instructions for me, do I just run OTMoveIt on  D:\WINDOWS\system32\msnmgr.exe? Or on both, but change the file path to point to where the cmbvuyuo.dll now is in quarantine?

Also, to clarify, should I run OTMoveIt before doing this:

Quote from: oldman
From the C: partition please do the following, run in the following order

Fresh ComboFix log
Fresh HJAlex log
SDFix log (if it runs)

and do I still run OTMoveIt from the D partition or do I do it from C?

And I have sent both the msnmgr.exe and cmbvuyuo.dll.vir files to avast.

I'll wait for replies before proceeding. Thanks.
« Last Edit: November 01, 2007, 09:12:44 PM by alex1234 »

mauserme

  • Guest
Re: Er......this really sucks. Help, please?
« Reply #85 on: November 01, 2007, 10:29:58 PM »
Quote
So in this light, with regards to oldman's instructions for me, do I just run OTMoveIt on  D:\WINDOWS\system32\msnmgr.exe? Or on both, but change the file path to point to where the cmbvuyuo.dll now is in quarantine?
Run Combofix from the C: drive using the 2 paths oldman originally posted. 

The cmbvuyuo.dll you're finding is in the ComboFix quarantine - it's quite safe to leave it there.  Using the paths oldman posted will kill it again if it's come back, or just report it as missing if that's the case.


Quote
Also, to clarify, should I run OTMoveIt before doing this ...
Yes - run OTMoveIt first to kill the file(s).  Then the 3 scans.


Quote
do I still run OTMoveIt from the D partition or do I do it from C?
From the C: side.

Let's figure on running everything from C: from this point forward unless otherwise specified.

Offline oldman

Re: Er......this really sucks. Help, please?
« Reply #86 on: November 02, 2007, 01:29:09 AM »
Can you check this again, it may have been reset.

Open the Folder Options in the Control Panel.  On the View tab make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files is not checked.  Click OK

Thanks

Offline oldman

Re: Er......this really sucks. Help, please?
« Reply #87 on: November 02, 2007, 11:12:45 PM »
Quote
So in this light, with regards to oldman's instructions for me, do I just run OTMoveIt on  D:\WINDOWS\system32\msnmgr.exe? Or on both, but change the file path to point to where the cmbvuyuo.dll now is in quarantine?
Run Combofix from the C: drive using the 2 paths oldman originally posted. 



I believe that is a typo, it should be "Run OTMoveIt from the C: drive using the 2 paths oldman originally posted. "

mauserme

  • Guest
Re: Er......this really sucks. Help, please?
« Reply #88 on: November 03, 2007, 12:23:25 AM »
I believe that is a typo, it should be "Run OTMoveIt from the C: drive using the 2 paths oldman originally posted. "
Yes, exactly so - run OTMoveIt from the C: drive to kill the 2 files oldman mentioned that are located on the D: drive.

Sorry about that.


alex1234

  • Guest
Re: Er......this really sucks. Help, please?
« Reply #89 on: November 03, 2007, 01:03:11 AM »
Quote from: oldman
Open the Folder Options in the Control Panel.  On the View tab make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files is not checked.  Click OK
Done and it is correct.

Results of OTMoveIt:
D:\WINDOWS\system32\msnmgr.exe moved successfully.
File/Folder D:\WINDOWS\system32\cmbvuyuo.dll not found.

Created on 11/02/2007 16:13:43


ComboFix log attached.

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:21 PM, on 02/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\system32\devldr32.exe
D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\msnmgr.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\MSN Messenger\usnsvc.exe
D:\Program Files\Comodo\Firewall\cpf.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\explorer.exe
C:\HiJackThisAlexC.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [hpfsched] D:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Messenger Service] msnmgr.exe
O4 - HKLM\..\RunServices: [Microsoft Messenger Service] msnmgr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TELUS eCare.lnk = D:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6777 bytes


I could not get my PC to boot up in safemode and it wasn't for lack of trying, so I could not run SDFix as was specified. Can I run it in normal mode?
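
Added example, not part of the thread and not from any of the posters or tools named in it: a small Python triage pass over a HijackThis-format log that flags the three patterns this thread turned up by hand, namely an autorun entry with no path (`msnmgr.exe`), a name one character away from a legitimate one (`msnmgr.exe` vs `msnmsgr.exe`), and a system process name running from an unexpected folder (`lsass.exe` under `Temp`). The `KNOWN` allow-list and the sample log lines are assumptions constructed from paths shown in the posts above.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any OS

# Assumed allow-list: expected folder suffix for a few well-known names,
# built from paths visible in the thread's log. Extend it for real use.
# Caveat: 8.3 short paths (PROGRA~1) will not match a long-name suffix.
KNOWN = {
    "lsass.exe": r"\windows\system32",
    "services.exe": r"\windows\system32",
    "svchost.exe": r"\windows\system32",
    "winlogon.exe": r"\windows\system32",
    "msnmsgr.exe": r"\program files\msn messenger",
}

# Constructed sample in HijackThis v2 layout, modelled on the posted log.
SAMPLE_LOG = r"""Running processes:
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\msnmgr.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\lsass.exe
D:\Program Files\MSN Messenger\msnmsgr.exe

O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft Messenger Service] msnmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

O4_RE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.+)$")          # autorun entries
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)(?=\s|$)', re.I)  # quoted or bare


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(command):
    """Strip arguments from an autorun command line, keeping the program."""
    m = EXE_RE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else command.strip()


def check(source, path):
    """Return (source, path, reason) tuples for one executable reference."""
    name, folder = basename(path).lower(), dirname(path).lower()
    found = []
    if not folder:  # resolved via the search path at boot, hides location
        found.append((source, path, "no-path"))
    if name in KNOWN:
        if folder and not folder.endswith(KNOWN[name]):
            found.append((source, path, "unexpected-folder"))
    elif any(edit_distance(name, good) == 1 for good in KNOWN):
        found.append((source, path, "lookalike"))
    return found


def triage(log_text):
    """Scan the 'Running processes' section and O4 lines of a log."""
    findings, in_procs = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            findings += check("process", line)
        else:
            m = O4_RE.match(line)
            if m:
                findings += check(m.group(1), executable_of(m.group(3)))
    return findings


if __name__ == "__main__":
    for source, path, reason in triage(SAMPLE_LOG):
        print(f"{reason:18} {source:14} {path}")
```

A hit from this pass is only a lead to follow up with a multi-engine scan of the file, as was done in the thread; it is not a verdict.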