Trojan Removal Help


Trojan Removal Help

Post by Skitta on Wed Apr 21, 2010 3:40 pm

EDIT: Just realized you guys now use OTL. I'll do a scan with OTL and post the log once the Malware Bytes scan finishes.

Here is my HiJackThis log. I'm currently running a Malware Bytes scan, will post log upon completion. It was the "av.exe" virus, which has caused me to get fake security threats, messed up my browser, disabled my account's administrator access, registry access, and much more.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:33:29 AM, on 4/21/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Documents and Settings\Administrator\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GR469A~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [Kcidukukububov] rundll32.exe "C:\Users\Administrator\AppData\Local\oxezisijih.dll",Startup
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Rainmeter.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{7598A832-DEF8-422B-9708-814DF2839866}: NameServer = 10.16.64.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GRA32A~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - Unknown owner - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: @%SystemRoot%\system32\PresentationHost.exe,-3309 (FontCache3.0.0.0) - Unknown owner - C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (file missing)
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6088 bytes

Skitta
Novice

Posts : 24
Joined : 2008-12-11
OS : Windows XP
Points : 29314
# Likes : 0


Re: Trojan Removal Help

Post by Belahzur on Wed Apr 21, 2010 4:08 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    O4 - HKLM\..\Run: [Kcidukukububov] rundll32.exe "C:\Users\Administrator\AppData\Local\oxezisijih.dll",Startup

  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
# Likes : 1

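Why the helper singles out that one O4 line from the log above, as an added example that is not part of this thread or of HijackThis: a small triage pass over HijackThis lines that flags an HKLM Run entry loading a DLL through rundll32 from a user-writable path, any AppInit_DLLs entry, and O23 services with no publisher or a missing file. The sample lines are constructed from the posted log; the heuristics and severity labels are this example's own, not HijackThis output.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines modelled on the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Kcidukukububov] rundll32.exe "C:\Users\Administrator\AppData\Local\oxezisijih.dll",Startup
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
"""


@dataclass
class Finding:
    section: str    # HijackThis section tag, e.g. "O4"
    severity: str   # "high" or "review" (labels chosen for this example)
    reason: str
    line: str


# Profile and temp directories a standard user can write to. A machine-wide
# (HKLM) Run entry that loads code from here is the shape of the rogue-AV
# persistence in the posted log: trusted hive, untrusted location.
USER_WRITABLE = re.compile(
    r"\\(Users|Documents and Settings|AppData|Local Settings|Temp)\\", re.I)
RUNDLL_LOADER = re.compile(r'^"?rundll32(\.exe)?"?\s', re.I)
O4_RE = re.compile(r"^O4 - \S+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")


def parse_o23(line):
    """Split 'O23 - Service: <name> - <owner> - <path>'. The display name may
    itself contain ' - ' (e.g. 'Dragon Age: Origins - Content Updater'), so
    split from the right: the last field is the path, the one before it the owner."""
    body = line[len("O23 - Service: "):]
    head, _, path = body.rpartition(" - ")
    name, _, owner = head.rpartition(" - ")
    return name, owner, path


def triage_line(line):
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        reasons = []
        if RUNDLL_LOADER.match(m.group("cmd")):
            reasons.append("rundll32 loader")
        if USER_WRITABLE.search(m.group("cmd")):
            reasons.append("target in user-writable path")
        if reasons:
            severity = "high" if len(reasons) == 2 else "review"
            return Finding("O4", severity, "; ".join(reasons), line)
        return None
    m = O20_RE.match(line)
    if m and m.group("dlls").strip():
        # AppInit_DLLs are mapped into every process that loads user32.dll, so
        # each name listed needs a known publisher, even when it belongs to an AV.
        return Finding("O20", "review", "AppInit_DLLs injection point", line)
    if line.startswith("O23 - Service: "):
        name, owner, path = parse_o23(line)
        if owner == "Unknown owner" and path.endswith("(file missing)"):
            return Finding("O23", "review",
                           "unknown owner, file missing (orphaned service)", line)
        if owner == "Unknown owner":
            return Finding("O23", "review", "no publisher in version info", line)
    return None


def triage_log(text):
    """Triage every line of a HijackThis log; findings keep the log's order."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]
```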

Re: Trojan Removal Help

Post by Skitta on Wed Apr 21, 2010 7:31 pm

Whenever I try to scan with Mbam, the program freezes and the process will not end. I cannot reinstall because my access to Zlib.dll is denied when attempting to reinstall.

Also, that piece I'm supposed to fix in HiJackThis won't stop reappearing.


Re: Trojan Removal Help

Post by Skitta on Wed Apr 21, 2010 8:50 pm

Malwarebytes' Anti-Malware 1.45
[You must be registered and logged in to see this link.]

Database version: 3930

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

4/21/2010 1:48:49 PM
mbam-log-2010-04-21 (13-48-49).txt

Scan type: Quick scan
Objects scanned: 107645
Time elapsed: 3 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 6
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fastuserswitchingcompatibility (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ias (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yvibbbha8c (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vvehewat (Trojan.Agent.U) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Administrator\AppData\Local\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Administrator\AppData\Local\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Administrator\AppData\Local\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\FastUv32.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\Iasex.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\scsichk.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\mv1 .exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\js.mui (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Administrator\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

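The MBAM log above, read by machine, as an added example that is not part of this thread or of Malwarebytes' own tooling: it parses the 1.x text log into records, checks that each section body matches the summary counts (how a helper spots a log that was cut short when pasted), lists the items MBAM could only schedule for the reboot, and collects the registry values it restored so they can be re-checked afterwards. The sample log is constructed from a few of the lines posted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the posted log (counts match the body below).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.45
Database version: 3930

Scan type: Quick scan
Objects scanned: 107645

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Administrator\AppData\Local\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\scsichk.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""


@dataclass
class Item:
    section: str
    path: str
    detection: str
    action: str
    bad: Optional[str] = None   # only set for "Registry Data Items Infected"
    good: Optional[str] = None


SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# Non-greedy path: the detection name is the first "(Name) ->" on the line, so a
# later "Good: (exefile) ->" on a data-item line is not mistaken for it.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<det>[\w.]+)\) -> (?P<rest>.+?)\.?$")
DATA_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return (summary counts by section, parsed items by section)."""
    counts, items, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            counts[m.group("name")] = int(m.group("n"))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("name")
            items.setdefault(section, [])
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        action, bad, good = m.group("rest"), None, None
        d = DATA_RE.match(action)
        if d:   # data item: MBAM records the value it found and the one it restored
            bad, good, action = d.group("bad"), d.group("good"), d.group("action")
        items[section].append(Item(section, m.group("path"), m.group("det"), action, bad, good))
    return counts, items


def count_mismatches(counts, items):
    """Sections whose listed items do not match the summary line: a cut-short paste."""
    return {name: (n, len(items.get(name, []))) for name, n in counts.items()
            if n != len(items.get(name, []))}


def pending_after_reboot(items):
    """Items MBAM could not remove immediately (e.g. 'Delete on reboot')."""
    return [it for sec in items.values() for it in sec
            if it.action != "Quarantined and deleted successfully"]


def restored_values(items):
    """(registry path, value MBAM put back) pairs worth re-checking after the reboot."""
    return [(it.path, it.good) for it in items.get("Registry Data Items Infected", [])]
```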

Re: Trojan Removal Help

Post by Belahzur on Wed Apr 21, 2010 9:27 pm

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.





Re: Trojan Removal Help

Post by Skitta on Wed Apr 21, 2010 11:46 pm

This was the only file generated (otl.txt):

OTL logfile created on: 4/21/2010 4:44:39 PM - Run 2
OTL by OldTimer - Version 3.2.1.3 Folder = C:\Users\Administrator\Downloads
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 233.75 Gb Total Space | 0.99 Gb Free Space | 0.42% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 149.01 Gb Total Space | 137.29 Gb Free Space | 92.13% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WIN-09CJ23V3G7H
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/21 16:44:33 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Downloads\OTL.exe
PRC - [2010/04/03 02:28:06 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/09/15 13:28:52 | 000,204,848 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\openvpnas.exe
PRC - [2009/07/13 18:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/13 18:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/04/21 16:44:33 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Downloads\OTL.exe
MOD - [2009/07/13 18:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/13 18:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/13 18:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/13 18:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/13 18:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/13 18:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 18:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 18:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/13 18:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 18:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/13 18:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (NetTcpPortSharing)
SRV - File not found [Unknown | Stopped] -- -- (idsvc)
SRV - File not found [On_Demand | Stopped] -- -- (FontCache3.0.0.0)
SRV - File not found [On_Demand | Stopped] -- -- (DAUpdaterSvc)
SRV - [2010/04/01 19:10:24 | 002,504,280 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\rswin_3653.dll -- (Akamai)
SRV - [2009/10/30 17:35:29 | 000,320,760 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/09/19 11:46:00 | 003,474,384 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2009/09/15 13:29:04 | 000,057,640 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Hotspot Shield\bin\HssTrayService.exe -- (HssTrayService)
SRV - [2009/09/15 13:28:52 | 000,204,848 | ---- | M] () [Auto | Running] -- C:\Program Files\Hotspot Shield\bin\openvpnas.exe -- (HotspotShieldService)
SRV - [2009/09/06 01:26:52 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/07/13 18:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 18:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 18:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/13 18:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/13 18:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 18:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 18:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 18:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 18:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 18:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 18:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/13 18:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 18:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/13 18:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/13 18:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 18:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/04/02 12:47:04 | 000,234,888 | ---- | M] () [Auto | Stopped] -- C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe -- (ASKUpgrade)


========== Driver Services (SafeList) ==========

DRV - [2009/11/20 19:34:54 | 011,515,752 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009/11/06 01:53:25 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/09/15 13:04:58 | 000,032,768 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\taphss.sys -- (taphss)
DRV - [2009/07/13 18:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/13 18:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/13 18:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/13 18:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/13 18:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/13 18:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/13 18:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/13 18:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/13 18:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/13 18:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/13 18:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/13 18:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/13 18:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/13 18:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/13 18:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/13 18:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/13 18:20:36 | 000,133,200 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/07/13 18:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/13 18:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/13 18:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/13 18:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/13 18:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/13 18:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/13 18:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/13 18:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/13 18:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/13 18:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/13 18:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/13 18:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/13 18:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/13 18:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/13 18:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/13 18:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/13 18:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/13 18:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/13 18:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/13 18:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/13 18:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/13 18:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/13 18:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/13 18:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/13 18:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/13 18:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/13 17:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/13 17:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\rdpbus.sys -- (rdpbus)
DRV - [2009/07/13 16:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/13 16:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/13 16:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/13 16:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/13 16:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\1394ohci.sys -- (1394ohci)
DRV - [2009/07/13 16:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/13 16:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/13 16:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/13 16:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/13 16:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/13 16:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/13 16:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/13 16:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/13 16:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/07/13 16:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/13 16:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/13 16:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/13 16:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 15:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 15:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/13 15:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/13 15:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/13 15:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/13 15:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/13 15:02:50 | 000,211,456 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
DRV - [2009/07/13 15:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/13 15:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/13 15:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009/05/25 00:00:00 | 000,026,736 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt -- (EverestDriver)
DRV - [2009/03/12 12:53:46 | 000,398,336 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2008/08/14 07:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\adfs.sys -- (adfs)
DRV - [2007/08/02 17:32:26 | 000,022,784 | ---- | M] (Razer (Asia-Pacific) Pte Ltd) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dadder.sys -- (DAdderFltr)
DRV - [2007/05/09 01:03:38 | 000,503,680 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rt2870.sys -- (rt2870)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Ask"
FF - prefs.js..browser.search.order.1: "Ask"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..extensions.enabledItems: {A1CC2845-2A49-4152-B210-C067A37BE523}:1.9.1
FF - prefs.js..keyword.URL: "http://toolbar.ask.com/toolbarv/askRedirect?o=13917&gct=&gc=1&q="

FF - HKLM\software\mozilla\Firefox\Extensions\\{C9E0F027-FA5C-40DE-9819-1AE6BA5BBF12}: C:\Users\Administrator\AppData\Local\{C9E0F027-FA5C-40DE-9819-1AE6BA5BBF12} [2010/04/21 03:09:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{A1CC2845-2A49-4152-B210-C067A37BE523}: C:\Users\Jon\AppData\Local\{A1CC2845-2A49-4152-B210-C067A37BE523} [2010/04/21 08:27:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/21 03:07:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/03 02:28:09 | 000,000,000 | ---D | M]

[2009/08/22 13:02:26 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Mozilla\Extensions
[2010/04/21 13:45:08 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p4nrz6l8.default\extensions
[2009/08/23 01:00:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p4nrz6l8.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2009/09/06 00:58:09 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p4nrz6l8.default\extensions\DTToolbar@toolbarnet.com
[2009/08/23 01:14:18 | 000,000,687 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p4nrz6l8.default\searchplugins\ask.xml
[2009/09/06 00:58:02 | 000,002,399 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\p4nrz6l8.default\searchplugins\daemon-search.xml
[2010/04/21 13:45:08 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/07/03 00:34:44 | 000,083,376 | ---- | M] (NHN USA Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
[2009/10/06 02:40:40 | 000,098,304 | ---- | M] (OGPlanet Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npOGPPlugin.dll
[2010/02/16 23:42:35 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll

O1 HOSTS File: ([2009/09/06 01:34:25 | 000,001,306 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 ereg.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com
O1 - Hosts: 127.0.0.1 wip3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll (AnchorFree Inc.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKCU..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\pmb.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowMyMusic = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: verbosestatus = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: RestrictRun = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} [You must be registered and logged in to see this link.] (System Requirements Lab Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_15)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{961600d4-9aba-11de-94fe-001cdf07d8de}\Shell - "" = AutoRun
O33 - MountPoints2\{961600d4-9aba-11de-94fe-001cdf07d8de}\Shell\AutoRun\command - "" = E:\Support\AutoRun\AutoRun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/04/21 14:04:38 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/04/21 13:44:59 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Malwarebytes
[2010/04/21 08:36:32 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/21 08:36:30 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/21 08:36:30 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/21 08:36:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/04/21 04:11:17 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010/04/21 04:09:03 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/04/21 04:08:52 | 000,000,000 | ---D | C] -- C:\ProgramData\avg9
[2010/04/21 03:51:08 | 000,069,632 | ---- | C] (Auto Debug System) -- C:\Users\Administrator\Desktop\KillProcess.exe
[2010/04/21 03:18:24 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Threat Expert
[2010/04/21 03:09:40 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\{C9E0F027-FA5C-40DE-9819-1AE6BA5BBF12}
[2010/03/28 21:30:21 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\PunkBuster
[2010/03/28 21:30:16 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Documents\BFBC2
[2010/03/28 21:30:07 | 000,000,000 | RH-D | C] -- C:\Users\Administrator\AppData\Roaming\SecuROM
[2010/03/28 16:57:21 | 000,000,000 | ---D | C] -- C:\ProgramData\EA Core
[2010/03/28 16:57:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Electronic Arts
[2010/03/28 16:56:33 | 000,000,000 | ---D | C] -- C:\Program Files\Electronic Arts
[2010/03/26 18:26:42 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/03/26 18:26:41 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/03/26 18:25:30 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/07/13 16:24:44 | 000,176,128 | ---- | C] (Padus Incorporated) -- C:\Users\Administrator\AppData\Local\oxezisijih.dll
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/21 16:45:04 | 002,883,584 | -HS- | M] () -- C:\Users\Administrator\NTUSER.DAT
[2010/04/21 16:45:04 | 000,823,808 | ---- | M] () -- C:\Windows\System32\drivers\vtotjuok.sys
[2010/04/21 16:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At17.job
[2010/04/21 15:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At16.job
[2010/04/21 14:29:04 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\wpykb.sys
[2010/04/21 14:25:17 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\afwslbe.sys
[2010/04/21 14:20:14 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\hnaexdlg.sys
[2010/04/21 14:20:14 | 000,000,004 | ---- | M] () -- C:\Windows\System\tjuwk
[2010/04/21 14:10:51 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/21 14:10:51 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/21 14:10:42 | 000,712,250 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/04/21 14:10:42 | 000,615,122 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/04/21 14:10:42 | 000,103,496 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/04/21 14:05:50 | 000,000,326 | -HS- | M] () -- C:\Windows\tasks\LRJFN.job
[2010/04/21 14:05:49 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/21 14:05:41 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/21 14:04:43 | 001,843,686 | -H-- | M] () -- C:\Users\Administrator\AppData\Local\IconCache.db
[2010/04/21 13:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At14.job
[2010/04/21 12:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At13.job
[2010/04/21 11:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At12.job
[2010/04/21 10:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At11.job
[2010/04/21 09:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At10.job
[2010/04/21 08:36:34 | 000,000,880 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/21 08:19:05 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At4.job
[2010/04/21 08:19:05 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At3.job
[2010/04/21 08:19:05 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At24.job
[2010/04/21 08:19:05 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At23.job
[2010/04/21 08:19:05 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At22.job
[2010/04/21 08:19:05 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At21.job
[2010/04/21 08:19:05 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At20.job
[2010/04/21 08:19:05 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At2.job
[2010/04/21 08:19:05 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At19.job
[2010/04/21 08:19:05 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At18.job
[2010/04/21 08:19:05 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At15.job
[2010/04/21 08:19:05 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At1.job
[2010/04/21 08:16:32 | 000,000,120 | ---- | M] () -- C:\Users\Administrator\AppData\Local\Jqonipatax.dat
[2010/04/21 08:15:57 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At5.job
[2010/04/21 08:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At9.job
[2010/04/21 07:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At8.job
[2010/04/21 06:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At7.job
[2010/04/21 05:00:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At6.job
[2010/04/21 04:00:39 | 000,014,498 | -HS- | M] () -- C:\Users\Administrator\AppData\Local\MAN3277rEUk
[2010/04/21 04:00:39 | 000,014,498 | -HS- | M] () -- C:\ProgramData\MAN3277rEUk
[2010/04/21 03:58:07 | 000,001,180 | RHS- | M] () -- C:\Users\Administrator\ntuser.pol
[2010/04/21 03:12:09 | 000,000,324 | ---- | M] () -- C:\Users\Administrator\Desktop\exefix.reg
[2010/04/21 03:09:42 | 000,000,000 | ---- | M] () -- C:\Users\Administrator\AppData\Local\Rguleqijol.bin
[2010/04/21 03:08:02 | 000,070,656 | RHS- | M] () -- C:\Windows\System32\WSDApi0.dll
[2010/04/21 03:07:45 | 000,151,552 | ---- | M] () -- C:\Windows\Mnyqaa.exe
[2010/04/19 13:45:28 | 000,000,113 | ---- | M] () -- C:\Users\Administrator\webct_upload_applet.properties
[2010/04/18 23:32:18 | 000,215,128 | ---- | M] () -- C:\Windows\System32\PnkBstrB.xtr
[2010/04/18 23:09:33 | 000,139,128 | ---- | M] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010/04/08 14:34:29 | 000,343,619 | ---- | M] () -- C:\Users\Administrator\Desktop\Untitled.jpg
[2010/04/08 00:41:00 | 000,205,878 | -H-- | M] () -- C:\Windows\MEMORY.DMP
[2010/04/02 00:57:08 | 000,000,218 | ---- | M] () -- C:\Users\Administrator\.recently-used.xbel
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/03/28 21:53:39 | 002,434,856 | ---- | M] () -- C:\Users\Administrator\Desktop\pbsvc_bc2.exe
[2010/03/28 21:23:34 | 000,138,056 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\PnkBstrK.sys
[2010/03/28 21:22:59 | 002,434,856 | ---- | M] () -- C:\Windows\System32\pbsvc_bc2.exe
[2010/03/28 16:58:38 | 000,211,581 | ---- | M] () -- C:\Users\Administrator\Desktop\copofinvoice.png
[2010/03/28 16:57:05 | 000,002,218 | ---- | M] () -- C:\Users\Public\Desktop\EA Download Manager.lnk
[2010/03/28 16:25:02 | 000,453,031 | ---- | M] () -- C:\Users\Administrator\Desktop\sc.jpg
[2010/03/26 18:27:06 | 000,002,429 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/03/26 18:25:36 | 000,001,722 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/21 14:29:04 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\wpykb.sys
[2010/04/21 14:25:17 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\afwslbe.sys
[2010/04/21 14:20:14 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\hnaexdlg.sys
[2010/04/21 14:20:14 | 000,000,004 | ---- | C] () -- C:\Windows\System\tjuwk
[2010/04/21 08:36:34 | 000,000,880 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/21 04:02:10 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At24.job
[2010/04/21 04:02:09 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At23.job
[2010/04/21 04:02:08 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At22.job
[2010/04/21 04:02:07 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At21.job
[2010/04/21 04:02:06 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At20.job
[2010/04/21 04:02:06 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At19.job
[2010/04/21 04:02:05 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At18.job
[2010/04/21 04:02:04 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At17.job
[2010/04/21 04:02:03 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At16.job
[2010/04/21 04:02:02 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At15.job
[2010/04/21 04:02:01 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At14.job
[2010/04/21 04:02:01 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At13.job
[2010/04/21 04:02:00 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At12.job
[2010/04/21 04:02:00 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At11.job
[2010/04/21 04:01:59 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At10.job
[2010/04/21 04:01:50 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At1.job
[2010/04/21 03:46:59 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At9.job
[2010/04/21 03:46:57 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At8.job
[2010/04/21 03:46:54 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At7.job
[2010/04/21 03:46:52 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At6.job
[2010/04/21 03:46:51 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At5.job
[2010/04/21 03:46:47 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At4.job
[2010/04/21 03:46:45 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At3.job
[2010/04/21 03:39:49 | 000,001,180 | RHS- | C] () -- C:\Users\Administrator\ntuser.pol
[2010/04/21 03:12:00 | 000,000,324 | ---- | C] () -- C:\Users\Administrator\Desktop\exefix.reg
[2010/04/21 03:09:42 | 000,000,120 | ---- | C] () -- C:\Users\Administrator\AppData\Local\Jqonipatax.dat
[2010/04/21 03:09:42 | 000,000,000 | ---- | C] () -- C:\Users\Administrator\AppData\Local\Rguleqijol.bin
[2010/04/21 03:08:58 | 000,823,808 | ---- | C] () -- C:\Windows\System32\drivers\vtotjuok.sys
[2010/04/21 03:08:47 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At2.job
[2010/04/21 03:08:26 | 000,151,552 | ---- | C] () -- C:\Windows\Mnyqaa.exe
[2010/04/21 03:08:14 | 000,000,326 | -HS- | C] () -- C:\Windows\tasks\LRJFN.job
[2010/04/21 03:08:02 | 000,070,656 | RHS- | C] () -- C:\Windows\System32\WSDApi0.dll
[2010/04/21 03:07:45 | 000,014,498 | -HS- | C] () -- C:\Users\Administrator\AppData\Local\MAN3277rEUk
[2010/04/21 03:07:45 | 000,014,498 | -HS- | C] () -- C:\ProgramData\MAN3277rEUk
[2010/04/02 00:57:08 | 000,000,218 | ---- | C] () -- C:\Users\Administrator\.recently-used.xbel
[2010/03/28 21:36:38 | 002,434,856 | ---- | C] () -- C:\Users\Administrator\Desktop\pbsvc_bc2.exe
[2010/03/28 21:30:24 | 000,215,128 | ---- | C] () -- C:\Windows\System32\PnkBstrB.xtr
[2010/03/28 21:23:34 | 000,139,128 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010/03/28 21:23:34 | 000,138,056 | ---- | C] () -- C:\Users\Administrator\AppData\Roaming\PnkBstrK.sys
[2010/03/28 21:23:02 | 000,215,128 | ---- | C] () -- C:\Windows\System32\PnkBstrB.exe
[2010/03/28 21:22:59 | 002,434,856 | ---- | C] () -- C:\Windows\System32\pbsvc_bc2.exe
[2010/03/28 21:22:59 | 000,075,064 | ---- | C] () -- C:\Windows\System32\PnkBstrA.exe
[2010/03/28 16:58:38 | 000,211,581 | ---- | C] () -- C:\Users\Administrator\Desktop\copofinvoice.png
[2010/03/28 16:57:05 | 000,002,218 | ---- | C] () -- C:\Users\Public\Desktop\EA Download Manager.lnk
[2010/03/28 16:25:01 | 000,453,031 | ---- | C] () -- C:\Users\Administrator\Desktop\sc.jpg
[2010/03/26 18:27:06 | 000,002,429 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/03/26 18:25:36 | 000,001,722 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010/03/08 02:04:41 | 000,000,674 | ---- | C] () -- C:\Users\Administrator\AppData\Roaming\myMPQ.ini
[2010/02/25 13:21:17 | 000,000,036 | ---- | C] () -- C:\Users\Administrator\.org.eclipse.epp.usagedata.recording.userId
[2010/02/08 13:26:02 | 000,000,113 | ---- | C] () -- C:\Users\Administrator\webct_upload_applet.properties
[2009/11/06 11:58:04 | 000,178,975 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2009/09/05 23:46:16 | 000,691,696 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2009/08/22 13:14:36 | 000,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/08/22 12:48:31 | 000,524,288 | -HS- | C] () -- C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
[2009/08/22 12:48:31 | 000,000,020 | -HS- | C] () -- C:\Users\Administrator\ntuser.ini
[2009/08/22 12:48:30 | 002,883,584 | -HS- | C] () -- C:\Users\Administrator\NTUSER.DAT
[2009/08/22 12:48:30 | 000,524,288 | -HS- | C] () -- C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
[2009/08/22 12:48:30 | 000,262,144 | -HS- | C] () -- C:\Users\Administrator\ntuser.dat.LOG1
[2009/08/22 12:48:30 | 000,065,536 | -HS- | C] () -- C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
[2009/08/22 12:48:30 | 000,000,000 | -HS- | C] () -- C:\Users\Administrator\ntuser.dat.LOG2
[2009/08/03 00:21:54 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2009/08/03 00:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2009/08/03 00:21:52 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2009/07/13 16:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:05EE1EEF
< End of report >

Skitta
Novice

Posts : 24
Joined : 2008-12-11
OS : Windows XP
Points : 29314
# Likes : 0


Re: Trojan Removal Help

Post by Skitta on Thu Apr 22, 2010 5:41 am

I'm still experiencing browser redirection to spyware whenever I click on a link.


Re: Trojan Removal Help

Post by Belahzur on Thu Apr 22, 2010 6:20 pm

Hello.

Please download GooredFix from one of the locations below and save it to your Desktop
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :OTL
    FF - prefs.js..browser.search.defaultenginename: "Ask"
    FF - prefs.js..browser.search.order.1: "Ask"
    FF - prefs.js..keyword.URL: "http://toolbar.ask.com/toolbarv/askRedirect?o=13917&gct=&gc=1&q="
    [2010/04/21 14:29:04 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\wpykb.sys
    [2010/04/21 14:25:17 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\afwslbe.sys
    [2010/04/21 14:20:14 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\hnaexdlg.sys
    [2010/04/21 14:20:14 | 000,000,004 | ---- | M] () -- C:\Windows\System\tjuwk
    [2010/04/21 16:45:04 | 000,823,808 | ---- | M] () -- C:\Windows\System32\drivers\vtotjuok.sys
    [2010/04/21 08:16:32 | 000,000,120 | ---- | M] () -- C:\Users\Administrator\AppData\Local\Jqonipatax.dat
    [2010/04/21 04:00:39 | 000,014,498 | -HS- | M] () -- C:\Users\Administrator\AppData\Local\MAN3277rEUk
    [2010/04/21 04:00:39 | 000,014,498 | -HS- | M] () -- C:\ProgramData\MAN3277rEUk
    [2010/04/21 03:12:09 | 000,000,324 | ---- | M] () -- C:\Users\Administrator\Desktop\exefix.reg
    [2010/04/21 03:09:42 | 000,000,000 | ---- | M] () -- C:\Users\Administrator\AppData\Local\Rguleqijol.bin
    [2010/04/21 03:07:45 | 000,151,552 | ---- | M] () -- C:\Windows\Mnyqaa.exe

    :files
    C:\Windows\tasks\At*.job

    :commands
    [resethosts]
    [reboot]


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
# Likes : 1

View user profile

Back to top Go down
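The eleven file entries in the fix above share the traits that justify putting them in a hand-built OTL fix list: every driver shows an empty company field, three of the .sys files have the same byte size under different random names written minutes apart, and the hidden+system file sits in two locations at once. The Python script below is an added illustration, not part of the thread and not OTL's own code. It parses entries in the format OTL prints them (`[date | size | attrs | M] (company) -- path`) and applies those three checks; the sample lines are the ones posted above, and the cluster threshold of two files per size is an arbitrary choice for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# OTL prints one file per line as:
#   [YYYY/MM/DD HH:MM:SS | size | attrs | M] (company) -- path
# "company" is the company string from the file's version resource; an empty "()"
# means the file carries none. Shipping Windows drivers almost always have one.
ENTRY_RE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S+) \| [MC]\] \((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)

# Sample input: the entries from the fix script posted above, copied verbatim.
SAMPLE_ENTRIES = r"""
[2010/04/21 14:29:04 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\wpykb.sys
[2010/04/21 14:25:17 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\afwslbe.sys
[2010/04/21 14:20:14 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\hnaexdlg.sys
[2010/04/21 14:20:14 | 000,000,004 | ---- | M] () -- C:\Windows\System\tjuwk
[2010/04/21 16:45:04 | 000,823,808 | ---- | M] () -- C:\Windows\System32\drivers\vtotjuok.sys
[2010/04/21 08:16:32 | 000,000,120 | ---- | M] () -- C:\Users\Administrator\AppData\Local\Jqonipatax.dat
[2010/04/21 04:00:39 | 000,014,498 | -HS- | M] () -- C:\Users\Administrator\AppData\Local\MAN3277rEUk
[2010/04/21 04:00:39 | 000,014,498 | -HS- | M] () -- C:\ProgramData\MAN3277rEUk
[2010/04/21 03:12:09 | 000,000,324 | ---- | M] () -- C:\Users\Administrator\Desktop\exefix.reg
[2010/04/21 03:09:42 | 000,000,000 | ---- | M] () -- C:\Users\Administrator\AppData\Local\Rguleqijol.bin
[2010/04/21 03:07:45 | 000,151,552 | ---- | M] () -- C:\Windows\Mnyqaa.exe
"""


def parse_entries(text):
    """Turn OTL entry lines into dicts; lines that are not entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        path = m["path"]
        entries.append({
            "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "size": int(m["size"].replace(",", "")),
            "attrs": m["attrs"],
            "company": m["company"].strip(),
            "path": path,
            "name": path.rsplit("\\", 1)[-1],
        })
    return entries


def unattributed_drivers(entries):
    """Kernel drivers under a drivers folder that carry no company string."""
    return [
        e for e in entries
        if e["name"].lower().endswith(".sys")
        and "\\drivers\\" in e["path"].lower()
        and not e["company"]
    ]


def size_clusters(entries, minimum=2):
    """Unattributed drivers grouped by exact byte size.

    Identical sizes under different random names, written minutes apart, is the
    signature of one dropper writing the same payload again each time it is disturbed.
    """
    by_size = defaultdict(list)
    for e in unattributed_drivers(entries):
        by_size[e["size"]].append(e["name"])
    return {size: names for size, names in by_size.items() if len(names) >= minimum}


def hidden_system_duplicates(entries):
    """Hidden+System files with the same name and size planted in more than one place."""
    by_key = defaultdict(list)
    for e in entries:
        if "H" in e["attrs"] and "S" in e["attrs"]:
            by_key[(e["name"], e["size"])].append(e["path"])
    return {key: paths for key, paths in by_key.items() if len(paths) > 1}


def activity_window(entries):
    """Earliest and latest timestamp across the entries; a tight window points at one event."""
    stamps = [e["ts"] for e in entries]
    return min(stamps), max(stamps)


if __name__ == "__main__":
    found = parse_entries(SAMPLE_ENTRIES)
    print("unattributed drivers:", [e["name"] for e in unattributed_drivers(found)])
    print("same-size clusters:", size_clusters(found))
    print("hidden+system duplicates:", hidden_system_duplicates(found))
    print("activity window:", activity_window(found))
```

None of these checks is proof on its own: a legitimate third-party driver can lack a company string, and two unrelated files can share a size. Taken together on files that all appeared on the same day, they are what a helper reads off the OTL listing before deciding what goes into the fix.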

Re: Trojan Removal Help

Post by Skitta on Fri Apr 23, 2010 11:38 pm

OTL didn't generate a new log when I ran the fix. This may have been my fault because I accidentally didn't allow it to run upon reboot (I thought I'd opened it twice by mistake, perhaps that was the log file generator).

Here is the other one:
GooredFix by jpshortstuff (08.01.10.1)
Log created at 16:31 on 23/04/2010 (Administrator)
Firefox version 3.6.3 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [20:01 22/08/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [17:09 25/10/2009]

C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\p4nrz6l8.default\extensions\
[You must be registered and logged in to see this link.] [07:58 06/09/2009]
{E9A1DEE0-C623-4439-8932-001E7D17607D} [08:00 23/08/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(none)

---------- Old Logs ----------
GooredFix[23.28.06_23-04-2010].txt

-=E.O.F=-

Skitta
Novice
Posts: 24
Joined: 2008-12-11
OS: Windows XP
Points: 29314
Likes: 0

Re: Trojan Removal Help

Post by Belahzur on Sat Apr 24, 2010 5:18 pm

Hello.
Is there a log for OTL here?
C:\_OTL\date-and-time.log





Re: Trojan Removal Help

Post by Skitta on Sun Apr 25, 2010 2:29 am

This was in C:\_OTL\MovedFiles

========== OTL ==========
Prefs.js: "Ask" removed from browser.search.defaultenginename
Prefs.js: "Ask" removed from browser.search.order.1
Prefs.js: "http://toolbar.ask.com/toolbarv/askRedirect?o=13917&gct=&gc=1&q=" removed from keyword.URL
C:\Windows\System32\drivers\wpykb.sys moved successfully.
C:\Windows\System32\drivers\afwslbe.sys moved successfully.
File C:\Windows\System32\drivers\hnaexdlg.sys not found.
File C:\Windows\System\tjuwk not found.
File move failed. C:\Windows\System32\drivers\vtotjuok.sys scheduled to be moved on reboot.
C:\Users\Administrator\AppData\Local\Jqonipatax.dat moved successfully.
C:\Users\Administrator\AppData\Local\MAN3277rEUk moved successfully.
C:\ProgramData\MAN3277rEUk moved successfully.
C:\Users\Administrator\Desktop\exefix.reg moved successfully.
C:\Users\Administrator\AppData\Local\Rguleqijol.bin moved successfully.
C:\Windows\Mnyqaa.exe moved successfully.
========== FILES ==========
C:\Windows\tasks\At1.job moved successfully.
C:\Windows\tasks\At10.job moved successfully.
C:\Windows\tasks\At11.job moved successfully.
C:\Windows\tasks\At12.job moved successfully.
C:\Windows\tasks\At13.job moved successfully.
C:\Windows\tasks\At14.job moved successfully.
C:\Windows\tasks\At15.job moved successfully.
C:\Windows\tasks\At16.job moved successfully.
C:\Windows\tasks\At17.job moved successfully.
C:\Windows\tasks\At18.job moved successfully.
C:\Windows\tasks\At19.job moved successfully.
C:\Windows\tasks\At2.job moved successfully.
C:\Windows\tasks\At20.job moved successfully.
C:\Windows\tasks\At21.job moved successfully.
C:\Windows\tasks\At22.job moved successfully.
C:\Windows\tasks\At23.job moved successfully.
C:\Windows\tasks\At24.job moved successfully.
C:\Windows\tasks\At3.job moved successfully.
C:\Windows\tasks\At4.job moved successfully.
C:\Windows\tasks\At5.job moved successfully.
C:\Windows\tasks\At6.job moved successfully.
C:\Windows\tasks\At7.job moved successfully.
C:\Windows\tasks\At8.job moved successfully.
C:\Windows\tasks\At9.job moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.1.3 log created on 04232010_163307


Re: Trojan Removal Help

Post by Belahzur on Sun Apr 25, 2010 8:52 pm

Okay, please run another MBAM scan and post the log.





Re: Trojan Removal Help

Post by Skitta on Tue Apr 27, 2010 4:38 am

Malwarebytes' Anti-Malware 1.45
[You must be registered and logged in to see this link.]

Database version: 3930

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

4/26/2010 9:37:18 PM
mbam-log-2010-04-26 (21-37-18).txt

Scan type: Quick scan
Objects scanned: 110069
Time elapsed: 6 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\drivers\vtotjuok.sys (Rootkit.Agent) -> Delete on reboot.

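The OTL fix log and the MBAM result above show why "scheduled to be moved on reboot" is not a deletion: OTL deferred vtotjuok.sys, and Malwarebytes still found it in place three days later, now as a detected rootkit driver. The Python script below is an added example, not part of the thread and not code from OTL or Malwarebytes. It parses the OTL result lines and the MBAM "Files Infected" line in the form they appear above and reports which items still need a hand check after the fix; the sample lines are taken from the two logs posted in this thread.

```python
import re

# OTL fix-log result lines, copied from the log posted above (one item per line).
SAMPLE_FIX_LOG = r"""
C:\Windows\System32\drivers\wpykb.sys moved successfully.
C:\Windows\System32\drivers\afwslbe.sys moved successfully.
File C:\Windows\System32\drivers\hnaexdlg.sys not found.
File C:\Windows\System\tjuwk not found.
File move failed. C:\Windows\System32\drivers\vtotjuok.sys scheduled to be moved on reboot.
C:\Users\Administrator\AppData\Local\Jqonipatax.dat moved successfully.
C:\Windows\Mnyqaa.exe moved successfully.
C:\Windows\tasks\At1.job moved successfully.
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
"""

# The "Files Infected" line from the MBAM scan posted above.
SAMPLE_MBAM_FILES = r"""
C:\Windows\System32\drivers\vtotjuok.sys (Rootkit.Agent) -> Delete on reboot.
"""

# One pattern per outcome OTL reports. The path always starts with a drive letter.
MOVED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) moved successfully\.$")
NOT_FOUND_RE = re.compile(r"^File (?P<path>[A-Za-z]:\\.+?) not found\.$")
DEFERRED_RE = re.compile(
    r"^File move failed\. (?P<path>[A-Za-z]:\\.+?) scheduled to be moved on reboot\.$"
)
# MBAM "Files Infected" lines: path (family) -> action
MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


def parse_fix_log(text):
    """Sort each OTL result line into moved / not_found / deferred; other lines are ignored."""
    out = {"moved": [], "not_found": [], "deferred": []}
    for raw in text.splitlines():
        line = raw.strip()
        for bucket, pattern in (("moved", MOVED_RE), ("not_found", NOT_FOUND_RE),
                                ("deferred", DEFERRED_RE)):
            m = pattern.match(line)
            if m:
                out[bucket].append(m["path"])
                break
    return out


def parse_mbam_files(text):
    """Map lower-cased path -> (family, action) for each MBAM 'Files Infected' line."""
    found = {}
    for raw in text.splitlines():
        m = MBAM_RE.match(raw.strip())
        if m:
            found[m["path"].lower()] = (m["family"], m["action"])
    return found


def follow_up(fix, mbam):
    """What still needs a human look once the fix has run.

    - deferred moves are unconfirmed until a post-reboot scan shows the file gone;
    - 'not found' means the path from the first scan no longer exists, which for a
      self-renaming dropper is a reason to rescan, not a reason to relax;
    - anything a later scanner reports at a deferred path is a confirmed survivor;
    - anything it reports at a path OTL already moved has been dropped again.
    """
    moved = {p.lower() for p in fix["moved"]}
    deferred = {p.lower() for p in fix["deferred"]}
    return {
        "verify_after_reboot": list(fix["deferred"]),
        "recheck_paths": list(fix["not_found"]),
        "still_present": [p for p in mbam if p in deferred],
        "reappeared": [p for p in mbam if p in moved],
    }


if __name__ == "__main__":
    fix = parse_fix_log(SAMPLE_FIX_LOG)
    mbam = parse_mbam_files(SAMPLE_MBAM_FILES)
    for key, paths in follow_up(fix, mbam).items():
        print(f"{key}: {paths}")
```

On the logs above the script lists vtotjuok.sys under both "verify_after_reboot" and "still_present", which is exactly the situation the next post addresses by deleting the driver's service entry as well as the file.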

Re: Trojan Removal Help

Post by Belahzur on Tue Apr 27, 2010 8:38 pm

Hello.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.]

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Services to delete:
vtotjuok

Files to delete:
C:\Windows\System32\drivers\vtotjuok.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.




