Must pay “fine” to “unlock” computer webpage (malware title unknown)



Post by markls8 on Tue Jan 29, 2013 2:47 am

Hi! :smile2:
24 hours ago I was watching videos with VLC media player 2.0.5 (I had just installed the latest version a few days ago) when the screen froze and ultimately gave the message that my computer had been locked until I paid a “fine” (in Euros) for illegally downloading copyright-protected files (International Police Association?). CTRL+ALT+DEL, ALT+TAB and other keys were unsuccessful, so I had to hit the (re)start button.

On restart, Microsoft Security Essentials and Windows Firewall, both “on” at the time of the infection, gave error messages (e.g. 0x80070424, 0x80072EFD), and I was prevented from accessing Microsoft or other anti-virus websites to correct or update them. Checking the Trusted sites and Restricted sites tabs was not helpful. I did not attempt System Restore; I thought I'd place myself in your very capable hands first.

I have run OTL (an old version; my access to the itxassociates website has been blocked, presumably by the infection) and AdwCleaner, as below.

Thank you for your help!

OTL logfile created on: 28/01/2013 8:44:57 PM - Run 2
OTL by OldTimer - Version 3.2.20.6 Folder = C:\DOCUME~1\OWNER\MYDOCU~1\INSTAL~1
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\PROGRA~1
Drive C: | 228.54 Gb Total Space | 198.43 Gb Free Space | 86.83% Space Free | Partition Type: NTFS

Computer Name: NIAGARA-DDBB696 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/11/02 23:13:22 | 000,161,768 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/09/12 16:19:44 | 000,947,176 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/01/30 17:26:08 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\DOCUME~1\OWNER\MYDOCU~1\INSTAL~1\OTL.COM
PRC - [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/04/13 19:12:30 | 000,420,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntvdm.exe
PRC - [2008/04/13 19:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/09 02:27:52 | 000,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2005/12/12 14:03:54 | 000,417,855 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
PRC - [2005/12/12 14:02:24 | 000,176,193 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe


========== Modules (SafeList) ==========

MOD - [2011/01/30 17:26:08 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\DOCUME~1\OWNER\MYDOCU~1\INSTAL~1\OTL.COM
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/13 12:37:57 | 000,208,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rsaenh.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Running] -- -- (helpsvc)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2013/01/08 21:41:07 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/11/02 23:13:22 | 000,161,768 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2011/02/02 10:57:54 | 000,052,288 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus(R)
SRV - [2008/08/29 09:00:30 | 000,033,752 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus(R) Helper) getPlus(R)
SRV - [2008/05/02 01:42:06 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2007/08/09 02:27:52 | 000,073,728 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2006/10/18 20:05:24 | 000,913,408 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2005/12/12 14:02:24 | 000,176,193 | ---- | M] (American Power Conversion Corporation) [Auto | Running] -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe -- (APC UPS Service)


========== Driver Services (SafeList) ==========

DRV - [2012/05/30 13:08:36 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/29 02:13:46 | 000,028,944 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2008/02/29 02:13:24 | 000,036,880 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2008/02/29 02:13:16 | 000,035,344 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2007/11/07 20:42:43 | 000,016,694 | ---- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2007/01/23 14:45:00 | 000,078,864 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouKE.Sys -- (LMouKE)
DRV - [2007/01/23 14:44:00 | 000,062,992 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042mou.Sys -- (L8042mou)
DRV - [2007/01/23 14:44:00 | 000,020,496 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2006/11/10 03:46:12 | 000,090,800 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\se31unic.sys -- (se31unic) Sony Ericsson Device 049 USB Ethernet Emulation SEMC49 (WDM)
DRV - [2006/11/10 03:45:42 | 000,061,600 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE31bus.sys -- (SE31bus) Sony Ericsson Device 049 Driver driver (WDM)
DRV - [2006/08/17 08:15:00 | 000,034,064 | ---- | M] (Your Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Invoker.sys -- (Invoker)
DRV - [2006/08/17 08:15:00 | 000,033,148 | ---- | M] (Your Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\FlexBios.sys -- (FlexBios)
DRV - [2006/05/26 06:59:12 | 001,177,032 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/05/25 00:53:06 | 000,003,712 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2006/05/10 09:56:54 | 000,027,264 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidKE.Sys -- (LHidKe)
DRV - [2006/05/01 12:59:18 | 000,086,560 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE31obex.sys -- (SE31obex)
DRV - [2006/05/01 12:58:30 | 000,088,688 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE31mgmt.sys -- (SE31mgmt) Sony Ericsson Device 049 USB WMC Device Management Drivers (WDM)
DRV - [2006/05/01 12:57:42 | 000,097,184 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE31mdm.sys -- (SE31mdm)
DRV - [2006/05/01 12:57:38 | 000,009,360 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE31mdfl.sys -- (SE31mdfl)
DRV - [2006/05/01 12:56:16 | 000,018,704 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\se31nd5.sys -- (se31nd5) Sony Ericsson Device 049 USB Ethernet Emulation SEMC49 (NDIS)
DRV - [2006/01/18 17:41:00 | 000,080,512 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2005/12/02 16:38:04 | 000,041,728 | ---- | M] (Sonic Focus, Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sfng32.sys -- (sfng32)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-ca
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 14 98 A8 CB 55 D0 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2011/02/03 21:07:59 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [mandex] C:\Documents and Settings\Owner\Application Data\mandex.dll (Syntek Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [svñhîst] C:\Documents and Settings\Owner\Local Settings\temp\~!#D4.tmp ()
O4 - HKLM..\Run: [upsirt] C:\Documents and Settings\Owner\Application Data\upsirt.dll (SiliconMotion)
O4 - HKLM..\Run: [wgetsi] C:\Documents and Settings\Owner\Application Data\wgetsi.dll ()
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - HKCU..\Run: [swg] File not found
O4 - HKCU..\Run: [Upipquot] C:\Documents and Settings\Owner\Application Data\Umewra\weaf.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - File not found
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - File not found
O15 - HKCU\..Trusted Domains: 3web.com ([myaccount] http in Trusted sites)
O15 - HKCU\..Trusted Domains: 3web.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([*.update] http in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([*.update] https in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([[You must be registered and logged in to see this link.] http in Trusted sites)
O15 - HKCU\..Trusted Domains: my3web.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: uspto.gov ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: windowsupdate.com ([download] http in Trusted sites)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} [You must be registered and logged in to see this link.] (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} [You must be registered and logged in to see this link.] (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} [You must be registered and logged in to see this link.] (Symantec AntiVirus scanner)
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} [You must be registered and logged in to see this link.] (MUCatalogWebControl Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} [You must be registered and logged in to see this link.] (Symantec RuFSI Utility Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [You must be registered and logged in to see this link.] (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.7.0_09)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {B479199A-1242-4E3C-AD81-7F0DF801B4AE} [You must be registered and logged in to see this link.] (Microsoft Download Manager ActiveX control)
O16 - DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.7.0_09)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.7.0_09)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} [You must be registered and logged in to see this link.] (get_atlcom Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} [You must be registered and logged in to see this link.] (CTAdjust Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} [You must be registered and logged in to see this link.] (Photo Upload Plugin Class)
O16 - DPF: RedEyeQuote [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop Components:0 () - [You must be registered and logged in to see this link.]
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/11/10 10:05:27 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2


ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 11.0
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 11.0
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6C298884-91FD-408C-9D90-5A59D2C29FD1} - Microsoft .NET Framework 1.1 Security Update (KB2742597)
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8F736E10-8E5C-4399-A532-D0C00A406227} - Microsoft .NET Framework 1.1 Security Update (KB2698023)
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C3C986D6-06B1-43BF-90DD-BE30756C00DE} - RevokedRootsUpdate
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Sharedaccess - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: helpsvc - File not found



Last edited by markls8 on Tue Jan 29, 2013 6:24 am; edited 1 time in total

markls8
Novice

Posts : 25
Joined : 2011-01-27
Gender : Male
OS : XP


Re: Must pay “fine” to “unlock” computer webpage (malware title unknown)

Post by markls8 on Tue Jan 29, 2013 2:48 am

Part 2, continued from above. (Sorry it's so long; feel free to edit if needed, moderators.)


CREATERESTOREPOINT
Restore point Set: OTL Restore Point (106704167501824)

========== Files/Folders - Created Within 30 Days ==========

[2013/01/28 20:38:14 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2013/01/28 00:03:51 | 000,336,896 | ---- | C] (SiliconMotion) -- C:\Documents and Settings\Owner\Application Data\upsirt.dll
[2013/01/28 00:02:35 | 000,160,256 | ---- | C] (Syntek Corporation) -- C:\Documents and Settings\Owner\Application Data\mandex.dll
[2013/01/28 00:02:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Xeqece
[2013/01/28 00:02:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Umewra
[2013/01/28 00:02:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Saolne
[2013/01/13 17:36:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Newfonepix0113
[2013/01/07 23:25:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Innomage
[2013/01/07 23:25:37 | 000,607,232 | ---- | C] (SEDTech (Pty) Ltd.) -- C:\WINDOWS\System32\iSED.dll
[2013/01/07 23:25:37 | 000,188,416 | ---- | C] (Informatik Inc [You must be registered and logged in to see this link.] -- C:\WINDOWS\System32\TiffDLL50.dll
[2013/01/07 23:25:34 | 006,169,600 | ---- | C] (Innomage Enterprises, Inc) -- C:\WINDOWS\System32\internetiffXF.ocx
[2013/01/07 23:25:34 | 000,856,064 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\Ltwvc12n.dll
[2013/01/07 23:25:34 | 000,406,016 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\LTKRN12N.DLL
[2013/01/07 23:25:34 | 000,225,280 | ---- | C] (Catenary Systems) -- C:\WINDOWS\System32\tifftek32.dll
[2013/01/07 23:25:34 | 000,141,312 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\LFTIF12N.DLL
[2013/01/07 23:25:34 | 000,073,728 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\LFFAX12N.DLL
[2013/01/07 23:25:33 | 000,307,200 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\LTDLG12N.DLL
[2013/01/07 23:25:33 | 000,259,072 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\LTDIS12n.dll
[2013/01/07 23:25:33 | 000,164,864 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\LTIMG12N.DLL
[2013/01/07 23:25:33 | 000,131,072 | ---- | C] (LEAD Technologies, Inc.) -- C:\WINDOWS\System32\LTFIL12N.DLL
[2013/01/07 23:25:33 | 000,000,000 | ---D | C] -- C:\Program Files\Innomage
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/01/28 20:45:02 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{8CD77659-D71B-47BD-8434-16F64EBCE73B}.job
[2013/01/28 20:45:00 | 000,000,432 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{8188890F-1866-4838-BF25-E30DDEB4F0C9}.job
[2013/01/28 20:42:30 | 000,006,525 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\08ee967b-5e92-46b1-b283-1e8c65350bed.crx
[2013/01/28 20:41:47 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\msconfigOTL.doc
[2013/01/28 20:40:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/01/28 20:38:16 | 000,002,855 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to OTL.com.pif
[2013/01/28 20:37:24 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Must pay.doc
[2013/01/28 20:21:46 | 000,580,235 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\adwcleaner.exe
[2013/01/28 20:12:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/01/28 18:21:18 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/01/28 18:21:17 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/01/28 18:01:09 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/01/28 18:01:08 | 2137,083,904 | -HS- | M] () -- C:\hiberfil.sys
[2013/01/28 00:03:54 | 000,336,896 | ---- | M] (SiliconMotion) -- C:\DOCUME~1\Owner\Application Data\upsirt.dll
[2013/01/28 00:03:29 | 000,621,056 | ---- | M] () -- C:\DOCUME~1\Owner\Application Data\wgetsi.dll
[2013/01/28 00:02:35 | 000,160,256 | ---- | M] (Syntek Corporation) -- C:\DOCUME~1\Owner\Application Data\mandex.dll
[2013/01/27 09:29:11 | 000,032,256 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Inc Tax 2013.xls
[2013/01/21 22:28:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2013/01/14 10:37:09 | 000,064,512 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\DEBsOngoing2012-2013Leave.xls
[2013/01/14 09:27:12 | 000,009,216 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RetirementLetter.doc
[2013/01/13 23:35:34 | 001,559,174 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\PS0410_WiFi_Article.pdf
[2013/01/11 01:00:02 | 000,001,461 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\eventmap.htm
[2013/01/09 18:28:30 | 000,041,834 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Amazon-Shipment-516344486 1 .xls
[2013/01/09 01:27:15 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/01/08 21:41:06 | 000,697,864 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/01/08 21:41:05 | 000,074,248 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/01/06 14:59:28 | 000,035,840 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Inc Tax 2012.xls
[2013/01/06 14:59:09 | 000,035,840 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Inc Tax 2012.xls
[2013/01/06 00:34:35 | 006,009,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/01/28 20:41:47 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\msconfigOTL.doc
[2013/01/28 20:38:16 | 000,002,855 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to OTL.com.pif
[2013/01/28 20:21:44 | 000,580,235 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\adwcleaner.exe
[2013/01/28 20:19:48 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Must pay.doc
[2013/01/28 00:40:29 | 000,000,785 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2013/01/28 00:03:30 | 000,006,525 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\08ee967b-5e92-46b1-b283-1e8c65350bed.crx
[2013/01/28 00:03:26 | 000,621,056 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\wgetsi.dll
[2013/01/27 09:29:11 | 000,032,256 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Inc Tax 2013.xls
[2013/01/14 09:15:59 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RetirementLetter.doc
[2013/01/13 23:35:34 | 001,559,174 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\PS0410_WiFi_Article.pdf
[2013/01/11 01:00:02 | 000,001,461 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\eventmap.htm
[2013/01/09 18:28:30 | 000,041,834 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Amazon-Shipment-516344486 1 .xls
[2013/01/07 23:25:34 | 000,503,808 | ---- | C] () -- C:\WINDOWS\System32\tiff2pdf.dll
[2013/01/06 14:59:28 | 000,035,840 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Inc Tax 2012.xls
[2012/07/16 20:59:16 | 000,000,094 | ---- | C] () -- C:\WINDOWS\family.ini
[2012/06/09 23:24:35 | 000,034,764 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\dt.dat
[2012/05/30 13:08:56 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2012/02/18 14:59:50 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2010/12/08 21:22:55 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/04/24 20:24:12 | 000,000,502 | ---- | C] () -- C:\WINDOWS\System32\CNCMFP34.INI
[2009/03/08 02:23:30 | 000,000,281 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/01/04 16:16:21 | 000,023,552 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/11/07 21:09:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2007/09/15 21:54:22 | 000,001,767 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/05/13 19:58:44 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\resourceGeneric.dll
[2007/01/19 23:36:31 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\.mpid
[2007/01/07 23:45:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MTSTACK.INI
[2007/01/05 12:38:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
[2006/12/19 23:49:02 | 000,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/12/08 15:37:17 | 000,000,221 | ---- | C] () -- C:\WINDOWS\NCLogConfig.ini
[2006/11/30 20:26:28 | 000,000,002 | ---- | C] () -- C:\WINDOWS\PhotoSuite.ini
[2006/11/30 20:26:26 | 000,458,752 | ---- | C] () -- C:\WINDOWS\System32\Fpl.dll
[2006/11/30 20:26:25 | 000,332,800 | ---- | C] () -- C:\WINDOWS\System32\Fpxlib.dll
[2006/11/30 20:26:25 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\Jpeglib.dll
[2006/11/30 20:26:25 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\Cpuinf32.dll
[2006/11/30 20:20:53 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/11/10 10:12:03 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/11/10 09:01:55 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2006/11/10 08:53:09 | 000,001,424 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/11/10 08:19:40 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2006/11/10 07:56:23 | 000,002,129 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/11/10 01:58:43 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/11/09 18:37:09 | 000,040,960 | ---- | C] () -- C:\Program Files\Uninstall_CDS.exe
[2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== Custom Scans ==========


< %AppData%\Roaming\Mozilla\Firefox\Profiles\*.default\extensions\ /s /md5 >

< %AppData%\Local\ >

< %systemroot%\system32\sysprep >

< *.xpi /md5 >

< %systemroot%\Downloaded Program Files\ >

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2012/10/31 19:35:35 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2012/10/31 19:35:35 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2012/10/31 19:35:35 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2012/10/31 19:35:35 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2012/10/31 19:35:35 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2012/10/31 19:35:35 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\system32\drivers\*.sys /90 >

< %systemroot%\System32\config\*.sav >
[2006/11/10 01:57:28 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2006/11/10 01:57:28 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2006/11/10 01:57:28 | 000,892,928 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %SYSTEMDRIVE%\*.exe /md5 >
[2008/04/11 07:03:48 | 000,562,688 | ---- | M] (Microsoft Corporation) MD5=E8B4398587AAAFA5EA6A6B7C085C5C8D -- C:\install.exe

Invalid Environment Variable: WinDir

< %systemdrive%\Program Files\Common Files\ComObjects\*.* /s >

< %systemroot%\*. /mp /s >

< %systemroot%\*. /rp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\Installer\ /s >

< %systemroot%\system32\Cache\ /s >

< %systemroot%\system32\config\systemprofile\ /s >

< %PROGRAMFILES%\*. >
[2011/06/16 20:23:05 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2006/11/10 10:08:56 | 000,000,000 | ---D | M] -- C:\Program Files\Ahead
[2010/12/15 23:30:13 | 000,000,000 | ---D | M] -- C:\Program Files\AP Tuner
[2012/06/04 20:16:13 | 000,000,000 | ---D | M] -- C:\Program Files\APC
[2012/03/24 00:40:50 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2007/01/07 23:47:53 | 000,000,000 | ---D | M] -- C:\Program Files\AutoCAD R14
[2011/10/15 22:15:04 | 000,000,000 | ---D | M] -- C:\Program Files\AVG
[2012/07/16 20:55:06 | 000,000,000 | ---D | M] -- C:\Program Files\Belkin Bulldog Plus
[2010/04/24 20:09:46 | 000,000,000 | ---D | M] -- C:\Program Files\Canon
[2012/11/02 23:14:02 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2006/11/10 10:03:39 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2006/11/09 18:37:27 | 000,000,000 | ---D | M] -- C:\Program Files\CyberLink
[2006/11/09 18:38:16 | 000,000,000 | ---D | M] -- C:\Program Files\CyberLink DVD Solution
[2011/11/11 00:34:36 | 000,000,000 | ---D | M] -- C:\Program Files\FunWebProducts
[2011/02/09 00:01:30 | 000,000,000 | ---D | M] -- C:\Program Files\GIMP-2.0
[2011/02/19 12:07:18 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2006/11/10 08:30:20 | 000,000,000 | ---D | M] -- C:\Program Files\Hewlett-Packard
[2007/10/31 21:56:48 | 000,000,000 | ---D | M] -- C:\Program Files\HP
[2013/01/07 23:25:34 | 000,000,000 | ---D | M] -- C:\Program Files\Innomage
[2013/01/07 23:25:32 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2006/11/10 10:19:14 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2012/12/12 20:59:57 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2012/11/02 23:13:17 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2010/12/08 21:23:33 | 000,000,000 | ---D | M] -- C:\Program Files\K-Lite Codec Pack
[2006/11/10 09:06:48 | 000,000,000 | ---D | M] -- C:\Program Files\Logitech
[2007/06/03 22:36:45 | 000,000,000 | ---D | M] -- C:\Program Files\Magellan
[2008/08/13 00:11:52 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2006/11/30 20:26:20 | 000,000,000 | ---D | M] -- C:\Program Files\MGI
[2006/11/30 20:20:22 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft ActiveSync
[2012/03/25 21:36:58 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Download Manager
[2006/11/10 10:05:49 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2006/11/30 20:19:56 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2012/09/26 22:38:26 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Security Client
[2010/08/14 09:49:44 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2006/11/10 10:02:52 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2006/11/10 10:02:59 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2006/11/10 10:18:31 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2012/06/11 20:53:47 | 000,000,000 | ---D | M] -- C:\Program Files\Mythicsoft
[2008/08/03 01:22:49 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2011/01/23 13:22:33 | 000,000,000 | ---D | M] -- C:\Program Files\Network Associates
[2008/09/22 22:00:17 | 000,000,000 | ---D | M] -- C:\Program Files\NOS
[2009/07/22 22:57:15 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2012/08/01 21:50:27 | 000,000,000 | ---D | M] -- C:\Program Files\OpenOffice.org 3
[2010/12/15 00:07:16 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2012/07/16 20:59:00 | 000,000,000 | ---D | M] -- C:\Program Files\palmOne
[2006/12/09 02:33:57 | 000,000,000 | ---D | M] -- C:\Program Files\QuickGamma
[2012/03/24 00:41:56 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2011/03/17 22:58:40 | 000,000,000 | ---D | M] -- C:\Program Files\Real
[2006/11/10 10:05:43 | 000,000,000 | ---D | M] -- C:\Program Files\Sigmatel
[2012/06/10 16:23:05 | 000,000,000 | ---D | M] -- C:\Program Files\Spybot - Search & Destroy
[2006/11/10 10:08:29 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2010/12/08 21:48:23 | 000,000,000 | ---D | M] -- C:\Program Files\VideoLAN
[2006/12/09 02:04:24 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Defender
[2007/02/11 22:25:06 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2008/08/03 01:22:42 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2009/03/11 19:36:57 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2006/11/10 10:04:14 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2011/02/19 12:27:04 | 000,000,000 | ---D | M] -- C:\Program Files\Winzip
[2006/11/10 10:05:50 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2011/10/08 01:08:26 | 000,000,000 | ---D | M] -- C:\Program Files\Xiph.Org
[2009/01/09 22:34:16 | 000,000,000 | -H-D | M] -- C:\Program Files\Zero G Registry

< %appdata%\*.* >
[2006/11/10 01:58:30 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Owner\Application Data\desktop.ini
[2012/08/21 22:42:49 | 000,059,360 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
[2013/01/28 00:02:35 | 000,160,256 | ---- | M] (Syntek Corporation) -- C:\Documents and Settings\Owner\Application Data\mandex.dll
[2013/01/28 00:03:54 | 000,336,896 | ---- | M] (SiliconMotion) -- C:\Documents and Settings\Owner\Application Data\upsirt.dll
[2013/01/28 00:03:29 | 000,621,056 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\wgetsi.dll


< MD5 for: AFD.SYS >
[2011/08/17 08:49:54 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=1E44BC1E83D8FD2305F8D452DB109CF9 -- C:\WINDOWS\system32\dllcache\afd.sys
[2011/08/17 08:49:54 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=1E44BC1E83D8FD2305F8D452DB109CF9 -- C:\WINDOWS\system32\drivers\afd.sys
[2008/04/13 14:19:23 | 000,138,112 | ---- | M] (Microsoft Corporation) MD5=322D0E36693D6E24A2398BEE62A268CD -- C:\WINDOWS\ServicePackFiles\i386\afd.sys
[2011/02/16 08:22:48 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=355556D9E580915118CD7EF736653A89 -- C:\WINDOWS\$NtUninstallKB2592799$\afd.sys
[2008/10/16 10:07:58 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=38D7B715504DA4741DF35E3594FE2099 -- C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys
[2008/08/14 05:34:26 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=4D43E74F2A1239D53929B82600F1971C -- C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys
[2008/10/16 09:43:01 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=7618D5218F2A614672EC61A80D854A37 -- C:\WINDOWS\$NtUninstallKB2503665$\afd.sys
[2008/08/14 05:04:36 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=7E775010EF291DA96AD17CA4B17137D7 -- C:\WINDOWS\$NtUninstallKB2509553$\afd.sys
[2011/02/16 08:25:05 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=8D499B1276012EB907E7A9E0F4D8FDA4 -- C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys
[2008/06/20 05:44:38 | 000,138,368 | ---- | M] (Microsoft Corporation) MD5=944CA435BFCFC82CC1ED9E3A7D731AA9 -- C:\WINDOWS\$NtServicePackUninstall$\afd.sys
[2008/06/20 06:48:03 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=D6EE6014241D034E63C49A50CB2B442A -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
[2008/06/20 05:44:08 | 000,138,368 | ---- | M] (Microsoft Corporation) MD5=D99DDFFB33DEACDCF20717CB520379F6 -- C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys
[2008/06/20 06:40:08 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=E3049B90FE06F3F740B7CFDA44995E2C -- C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys
[2011/08/17 08:41:46 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=F6B7B1ECD7B41736BDB6FF4B092BCB79 -- C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/08/03 01:13:35 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
[2008/08/03 01:13:35 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys

< MD5 for: CRYPTSVC.DLL >
[2004/08/04 07:00:00 | 000,060,416 | ---- | M] (Microsoft Corporation) MD5=10654F9DDCEA9C46CFB77554231BE73B -- C:\WINDOWS\$NtServicePackUninstall$\cryptsvc.dll
[2008/04/13 19:11:51 | 000,062,464 | ---- | M] (Microsoft Corporation) MD5=3D4E199942E29207970E04315D02AD3B -- C:\WINDOWS\ERDNT\cache\cryptsvc.dll
[2008/04/13 19:11:51 | 000,062,464 | ---- | M] (Microsoft Corporation) MD5=3D4E199942E29207970E04315D02AD3B -- C:\WINDOWS\ServicePackFiles\i386\cryptsvc.dll
[2008/04/13 19:11:51 | 000,062,464 | ---- | M] (Microsoft Corporation) MD5=3D4E199942E29207970E04315D02AD3B -- C:\WINDOWS\system32\cryptsvc.dll

< MD5 for: DNSRSLVR.DLL >
[2008/04/13 19:11:52 | 000,045,568 | ---- | M] (Microsoft Corporation) MD5=474B4DC3983173E4B4C9740B0DAC98A6 -- C:\WINDOWS\$NtUninstallKB2509553$\dnsrslvr.dll
[2008/04/13 19:11:52 | 000,045,568 | ---- | M] (Microsoft Corporation) MD5=474B4DC3983173E4B4C9740B0DAC98A6 -- C:\WINDOWS\ServicePackFiles\i386\dnsrslvr.dll
[2009/04/20 12:17:26 | 000,045,568 | ---- | M] (Microsoft Corporation) MD5=5F7E24FA9EAB896051FFB87F840730D2 -- C:\WINDOWS\system32\dllcache\dnsrslvr.dll
[2009/04/20 12:17:26 | 000,045,568 | ---- | M] (Microsoft Corporation) MD5=5F7E24FA9EAB896051FFB87F840730D2 -- C:\WINDOWS\system32\dnsrslvr.dll
[2008/02/20 13:49:36 | 000,045,568 | ---- | M] (Microsoft Corporation) MD5=6333C7E182E5B6247500188D28214DEF -- C:\WINDOWS\$hf_mig$\KB945553\SP2QFE\dnsrslvr.dll
[2008/02/20 00:32:43 | 000,045,568 | ---- | M] (Microsoft Corporation) MD5=AAC8FFBFD61E784FA3BAC851D4A0BD5F -- C:\WINDOWS\$NtServicePackUninstall$\dnsrslvr.dll
[2009/04/20 12:06:44 | 000,045,568 | ---- | M] (Microsoft Corporation) MD5=D977659AE4D8ECE5286D99D1ED34614D -- C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\dnsrslvr.dll

< MD5 for: ES.DLL >
[2008/04/13 19:11:53 | 000,246,272 | ---- | M] (Microsoft Corporation) MD5=19A799805B24990867B00C120D300C3A -- C:\WINDOWS\ServicePackFiles\i386\es.dll
[2005/07/25 23:39:45 | 000,243,200 | ---- | M] (Microsoft Corporation) MD5=34BBD9ACC1538818F2C878898C64E793 -- C:\WINDOWS\$NtServicePackUninstall$\es.dll
[2005/07/25 23:20:28 | 000,243,200 | ---- | M] (Microsoft Corporation) MD5=95F5FEA4C6DE2C3F28784D0DCC8F0DD3 -- C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\es.dll
[2008/07/07 15:26:58 | 000,253,952 | ---- | M] (Microsoft Corporation) MD5=D4991D98F2DB73C60D042F1AEF79EFAE -- C:\WINDOWS\ERDNT\cache\es.dll
[2008/07/07 15:26:58 | 000,253,952 | ---- | M] (Microsoft Corporation) MD5=D4991D98F2DB73C60D042F1AEF79EFAE -- C:\WINDOWS\system32\dllcache\es.dll
[2008/07/07 15:26:58 | 000,253,952 | ---- | M] (Microsoft Corporation) MD5=D4991D98F2DB73C60D042F1AEF79EFAE -- C:\WINDOWS\system32\es.dll
[2008/07/07 15:23:18 | 000,253,952 | ---- | M] (Microsoft Corporation) MD5=F17F6226BDC0CD5F0BEF0DAF84D29BEC -- C:\WINDOWS\$hf_mig$\KB950974\SP3QFE\es.dll

< MD5 for: EXPLORER.EXE >
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 06:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: IPNATHLP.DLL >
[2004/08/04 07:00:00 | 000,331,264 | ---- | M] (Microsoft Corporation) MD5=36CC8C01B5E50163037BEF56CB96DEFF -- C:\WINDOWS\$NtServicePackUninstall$\ipnathlp.dll
[2008/04/13 19:11:55 | 000,331,264 | ---- | M] (Microsoft Corporation) MD5=83F41D0D89645D7235C051AB1D9523AC -- C:\WINDOWS\ServicePackFiles\i386\ipnathlp.dll
[2008/04/13 19:11:55 | 000,331,264 | ---- | M] (Microsoft Corporation) MD5=83F41D0D89645D7235C051AB1D9523AC -- C:\WINDOWS\system32\ipnathlp.dll

< MD5 for: IPSEC.SYS >
[2008/04/13 14:19:42 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=23C74D75E36E7158768DD63D92789A91 -- C:\WINDOWS\ServicePackFiles\i386\ipsec.sys
[2008/04/13 14:19:42 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=23C74D75E36E7158768DD63D92789A91 -- C:\WINDOWS\system32\drivers\ipsec.sys
[2004/08/04 07:00:00 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=64537AA5C003A6AFEEE1DF819062D0D1 -- C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys

< MD5 for: NETBT.SYS >
[2004/08/04 07:00:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=0C80E410CD2F47134407EE7DD19CC86B -- C:\WINDOWS\$NtServicePackUninstall$\netbt.sys
[2008/04/13 14:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=74B2B2F5BEA5E9A3DC021D685551BD3D -- C:\WINDOWS\ServicePackFiles\i386\netbt.sys
[2008/04/13 14:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=74B2B2F5BEA5E9A3DC021D685551BD3D -- C:\WINDOWS\system32\drivers\netbt.sys

< MD5 for: NETMAN.DLL >
[2008/04/13 19:12:01 | 000,198,144 | ---- | M] (Microsoft Corporation) MD5=13E67B55B3ABD7BF3FE7AAE5A0F9A9DE -- C:\WINDOWS\ERDNT\cache\netman.dll
[2008/04/13 19:12:01 | 000,198,144 | ---- | M] (Microsoft Corporation) MD5=13E67B55B3ABD7BF3FE7AAE5A0F9A9DE -- C:\WINDOWS\ServicePackFiles\i386\netman.dll
[2008/04/13 19:12:01 | 000,198,144 | ---- | M] (Microsoft Corporation) MD5=13E67B55B3ABD7BF3FE7AAE5A0F9A9DE -- C:\WINDOWS\system32\netman.dll
[2005/08/22 13:24:55 | 000,197,632 | ---- | M] (Microsoft Corporation) MD5=3516D8A18B36784B1005B950B84232E1 -- C:\WINDOWS\$hf_mig$\KB905414\SP2QFE\netman.dll
[2005/08/22 13:29:46 | 000,197,632 | ---- | M] (Microsoft Corporation) MD5=36739B39267914BA69AD0610A0299732 -- C:\WINDOWS\$NtServicePackUninstall$\netman.dll

< MD5 for: QMGR.DLL >
[2004/08/04 07:00:00 | 000,382,464 | ---- | M] (Microsoft Corporation) MD5=2C69EC7E5A311334D10DD95F338FCCEA -- C:\WINDOWS\$NtServicePackUninstall$\qmgr.dll
[2008/04/13 19:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\ERDNT\cache\qmgr.dll
[2008/04/13 19:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\ServicePackFiles\i386\qmgr.dll
[2008/04/13 19:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\system32\bits\qmgr.dll
[2008/04/13 19:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\system32\qmgr.dll

< MD5 for: RPCSS.DLL >
[2008/04/13 19:12:04 | 000,399,360 | ---- | M] (Microsoft Corporation) MD5=2589FE6015A316C0F5D5112B4DA7B509 -- C:\WINDOWS\ServicePackFiles\i386\rpcss.dll
[2009/02/09 07:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation) MD5=6B27A5C03DFB94B4245739065431322C -- C:\WINDOWS\ERDNT\cache\rpcss.dll
[2009/02/09 07:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation) MD5=6B27A5C03DFB94B4245739065431322C -- C:\WINDOWS\system32\dllcache\rpcss.dll
[2009/02/09 07:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation) MD5=6B27A5C03DFB94B4245739065431322C -- C:\WINDOWS\system32\rpcss.dll
[2009/02/09 05:56:36 | 000,401,408 | ---- | M] (Microsoft Corporation) MD5=9222562D44021B988B9F9F62207FB6F2 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[2005/07/25 23:20:40 | 000,398,336 | ---- | M] (Microsoft Corporation) MD5=C369DF215D352B6F3A0B8C3469AA34F8 -- C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\rpcss.dll
[2005/07/25 23:39:49 | 000,397,824 | ---- | M] (Microsoft Corporation) MD5=CE94A2BD25E3E9F4D46A7373FF455C6D -- C:\WINDOWS\$NtServicePackUninstall$\rpcss.dll
[2005/04/28 14:35:01 | 000,396,288 | ---- | M] (Microsoft Corporation) MD5=DA383FB39A6F1C445F3AFC94B3EB1248 -- C:\WINDOWS\$hf_mig$\KB894391\SP2QFE\rpcss.dll

< MD5 for: SERVICES.EXE >
[2009/02/06 06:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
[2008/04/13 19:12:34 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\ServicePackFiles\i386\services.exe
[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\ERDNT\cache\services.exe
[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\dllcache\services.exe
[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\services.exe
[2004/08/04 07:00:00 | 000,108,032 | ---- | M] (Microsoft Corporation) MD5=C6CE6EEC82F187615D1002BB3BB50ED4 -- C:\WINDOWS\$NtServicePackUninstall$\services.exe

< MD5 for: SR.SYS >
[2008/04/13 13:36:52 | 000,073,472 | ---- | M] (Microsoft Corporation) MD5=76BB022C2FB6902FD5BDD4F78FC13A5D -- C:\WINDOWS\ServicePackFiles\i386\sr.sys
[2008/04/13 13:36:52 | 000,073,472 | ---- | M] (Microsoft Corporation) MD5=76BB022C2FB6902FD5BDD4F78FC13A5D -- C:\WINDOWS\system32\drivers\sr.sys
[2004/08/04 07:00:00 | 000,073,472 | ---- | M] (Microsoft Corporation) MD5=E41B6D037D6CD08461470AF04500DC24 -- C:\WINDOWS\$NtServicePackUninstall$\sr.sys

< MD5 for: SRSVC.DLL >
[2008/04/13 19:12:07 | 000,171,008 | ---- | M] (Microsoft Corporation) MD5=3805DF0AC4296A34BA4BF93B346CC378 -- C:\WINDOWS\ERDNT\cache\srsvc.dll
[2008/04/13 19:12:07 | 000,171,008 | ---- | M] (Microsoft Corporation) MD5=3805DF0AC4296A34BA4BF93B346CC378 -- C:\WINDOWS\ServicePackFiles\i386\srsvc.dll
[2008/04/13 19:12:07 | 000,171,008 | ---- | M] (Microsoft Corporation) MD5=3805DF0AC4296A34BA4BF93B346CC378 -- C:\WINDOWS\system32\srsvc.dll
[2004/08/04 07:00:00 | 000,170,496 | ---- | M] (Microsoft Corporation) MD5=92BDF74F12D6CBEC43C94D4B7F804838 -- C:\WINDOWS\$NtServicePackUninstall$\srsvc.dll

< MD5 for: SVCHOST.EXE >
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ERDNT\cache\svchost.exe
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2004/08/04 07:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

< MD5 for: TCPIP.SYS >
[2008/06/20 05:45:13 | 000,360,320 | ---- | M] (Microsoft Corporation) MD5=2A5554FC5B1E04E131230E3CE035C3F9 -- C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
[2007/10/30 11:53:32 | 000,360,832 | ---- | M] (Microsoft Corporation) MD5=64798ECFA43D78C7178375FCDD16D8C8 -- C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[2008/06/20 05:44:42 | 000,360,960 | ---- | M] (Microsoft Corporation) MD5=744E57C99232201AE98C49168B918F48 -- C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[2008/04/13 14:20:16 | 000,361,344 | ---- | M] (Microsoft Corporation) MD5=93EA8D04EC73A85DB02EB8805988F733 -- C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
[2008/06/20 06:51:12 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=9AEFA14BD6B182D61E3119FA5F436D3D -- C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[2008/06/20 06:51:12 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=9AEFA14BD6B182D61E3119FA5F436D3D -- C:\WINDOWS\ERDNT\cache\tcpip.sys
[2008/06/20 06:51:12 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=9AEFA14BD6B182D61E3119FA5F436D3D -- C:\WINDOWS\system32\dllcache\tcpip.sys
[2008/06/20 06:51:12 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=9AEFA14BD6B182D61E3119FA5F436D3D -- C:\WINDOWS\system32\drivers\tcpip.sys
[2008/06/20 06:59:02 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=AD978A1B783B5719720CFF204B666C8E -- C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\tcpip.sys
[2008/06/20 06:59:02 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=AD978A1B783B5719720CFF204B666C8E -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[2006/04/20 07:18:35 | 000,360,576 | ---- | M] (Microsoft Corporation) MD5=B2220C618B42A2212A59D91EBD6FC4B4 -- C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys

< MD5 for: USERINIT.EXE >
[2011/01/27 20:23:58 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: VOLSNAP.SYS >
[2008/04/13 13:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\ServicePackFiles\i386\volsnap.sys
[2008/04/13 13:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\system32\drivers\volsnap.sys
[2004/08/04 07:00:00 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=EE4660083DEBA849FF6C485D944B379B -- C:\WINDOWS\$NtServicePackUninstall$\volsnap.sys

< MD5 for: WINLOGON.EXE >
[2004/08/04 07:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< MD5 for: WMISVC.DLL >
[2008/04/13 19:12:09 | 000,144,896 | ---- | M] (Microsoft Corporation) MD5=2D0E4ED081963804CCC196A0929275B5 -- C:\WINDOWS\ServicePackFiles\i386\wmisvc.dll
[2008/04/13 19:12:09 | 000,144,896 | ---- | M] (Microsoft Corporation) MD5=2D0E4ED081963804CCC196A0929275B5 -- C:\WINDOWS\system32\wbem\wmisvc.dll
[2004/08/04 07:00:00 | 000,144,896 | ---- | M] (Microsoft Corporation) MD5=F399242A80C4066FD155EFA4CF96658E -- C:\WINDOWS\$NtServicePackUninstall$\wmisvc.dll

< MD5 for: WSCSVC.DLL >
[2004/08/04 07:00:00 | 000,081,408 | ---- | M] (Microsoft Corporation) MD5=4D59DAA66C60858CDF4F67A900F42D4A -- C:\WINDOWS\$NtServicePackUninstall$\wscsvc.dll
[2008/04/13 19:12:10 | 000,080,896 | ---- | M] (Microsoft Corporation) MD5=7C278E6408D1DCE642230C0585A854D5 -- C:\WINDOWS\ServicePackFiles\i386\wscsvc.dll
[2008/04/13 19:12:10 | 000,080,896 | ---- | M] (Microsoft Corporation) MD5=7C278E6408D1DCE642230C0585A854D5 -- C:\WINDOWS\system32\wscsvc.dll

< MD5 for: WUAUSERV.DLL >
[2004/08/04 07:00:00 | 000,006,656 | ---- | M] (Microsoft Corporation) MD5=13D72740963CBA12D9FF76A7F218BCD8 -- C:\WINDOWS\$NtServicePackUninstall$\wuauserv.dll
[2008/04/13 19:12:11 | 000,006,656 | ---- | M] (Microsoft Corporation) MD5=35321FB577CDC98CE3EB3A3EB9E4610A -- C:\WINDOWS\ServicePackFiles\i386\wuauserv.dll
[2008/04/13 19:12:11 | 000,006,656 | ---- | M] (Microsoft Corporation) MD5=35321FB577CDC98CE3EB3A3EB9E4610A -- C:\WINDOWS\system32\wuauserv.dll

< >

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >




# AdwCleaner v2.109 - Logfile created 01/28/2013 at 20:55:56
# Updated 26/01/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Owner - NIAGARA-DDBB696
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Owner\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Program Files\FunWebProducts

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Key Deleted : HKLM\SOFTWARE\Classes\FunWebProductsInstaller.Start
Key Deleted : HKLM\SOFTWARE\Classes\FunWebProductsInstaller.Start.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\FunWebProducts
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@funwebproducts.com/Plugin

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [1463 octets] - [28/01/2013 20:55:56]

########## EOF - C:\AdwCleaner[S1].txt - [1523 octets] ##########

markls8
Novice


Posts : 25
Joined : 2011-01-27
Gender : Male
OS : XP

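An added example, not part of the original post and not OTL's own code: OTL prints a "< MD5 for: NAME >" section listing every copy of selected system files with its MD5 precisely so that the copy running from system32 can be compared with the service-pack source under ServicePackFiles\i386 (the copy Windows File Protection restores from); a live copy whose hash differs from that reference is the sign a helper looks for when checking whether a system file has been patched, while the $NtServicePackUninstall$ copy is the pre-SP3 version and is expected to differ. The parser below reads such sections and gives a verdict per file. The function names are my own, and the PATCHED-EXAMPLE.DLL section with its all-zero and all-F placeholder hashes is constructed to show the failure case; the WINLOGON.EXE and WMISVC.DLL lines are the ones from the log above.

```python
import re
from collections import defaultdict

# One OTL entry line:
#   [date time | size | attrs | M] (Company) MD5=<32 hex> -- <path>
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>[^\]]*)\]\s+\((?P<company>[^)]*)\)\s+"
    r"MD5=(?P<md5>[0-9A-Fa-f]{32})\s+--\s+(?P<path>.+?)\s*$"
)
# Section header OTL prints before each group of copies of one file.
SECTION_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>[^>]+?)\s*>$")

# Reference copy: the service-pack source that Windows File Protection restores
# from. Live copy: whatever sits under system32 (or a subfolder such as wbem).
REFERENCE_DIR = r"c:\windows\servicepackfiles\i386"
LIVE_DIR = r"c:\windows\system32"

# Sample input. WINLOGON.EXE and WMISVC.DLL are the OTL lines from the post
# above; PATCHED-EXAMPLE.DLL is a constructed section with placeholder hashes
# showing what a modified live copy looks like (hypothetical file name).
SAMPLE_LOG = r"""
< MD5 for: WINLOGON.EXE >
[2004/08/04 07:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< MD5 for: WMISVC.DLL >
[2008/04/13 19:12:09 | 000,144,896 | ---- | M] (Microsoft Corporation) MD5=2D0E4ED081963804CCC196A0929275B5 -- C:\WINDOWS\ServicePackFiles\i386\wmisvc.dll
[2008/04/13 19:12:09 | 000,144,896 | ---- | M] (Microsoft Corporation) MD5=2D0E4ED081963804CCC196A0929275B5 -- C:\WINDOWS\system32\wbem\wmisvc.dll

< MD5 for: PATCHED-EXAMPLE.DLL >
[2008/04/13 19:12:00 | 000,010,000 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\WINDOWS\ServicePackFiles\i386\patched-example.dll
[2013/01/27 03:14:15 | 000,010,000 | ---- | M] (Microsoft Corporation) MD5=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -- C:\WINDOWS\system32\patched-example.dll
"""


def parse_md5_sections(text):
    """Return {FILENAME: [(path, MD5), ...]} for every MD5 section in an OTL log."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name").upper()
            continue
        entry = ENTRY_RE.match(line)
        if entry and current:
            sections[current].append((entry.group("path"), entry.group("md5").upper()))
    return dict(sections)


def _dirname(path):
    """Lower-cased directory part of a Windows path."""
    return path.rsplit("\\", 1)[0].lower()


def check_live_copies(sections):
    """Compare each live (system32) copy's MD5 with the ServicePackFiles reference.

    Verdicts: 'match', 'MISMATCH', 'no-reference' (nothing to compare against),
    'no-live-copy' (the file is absent from system32 in the log).
    """
    verdicts = {}
    for name, copies in sections.items():
        ref = {md5 for path, md5 in copies if _dirname(path) == REFERENCE_DIR}
        live = {md5 for path, md5 in copies
                if _dirname(path) == LIVE_DIR or _dirname(path).startswith(LIVE_DIR + "\\")}
        if not ref:
            verdicts[name] = "no-reference"
        elif not live:
            verdicts[name] = "no-live-copy"
        elif live <= ref:          # every live copy hashes like the reference
            verdicts[name] = "match"
        else:
            verdicts[name] = "MISMATCH"
    return verdicts


def audit(text):
    """Parse an OTL log and return {FILENAME: verdict} for every MD5 section."""
    return check_live_copies(parse_md5_sections(text))


if __name__ == "__main__":
    for name, verdict in sorted(audit(SAMPLE_LOG).items()):
        print(f"{name:25s} {verdict}")
```

Run against the log above it reports both real files as "match" (the system32 copies carry the same SP3 hashes as the ServicePackFiles copies, and the older $NtServicePackUninstall$ copies are ignored on purpose) and only the constructed entry as "MISMATCH". A mismatch is a prompt to pull the file for a closer look, not proof on its own: a legitimate hotfix can also change a system file after the service pack.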

Re: Must pay “fine” to “unlock” computer webpage (malware title unknown)

Post by Superdave on Tue Jan 29, 2013 8:01 pm

Hello and welcome to GeekPolice.Net. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
If you can't run this in Normal mode please try running it in Safe Mode with Networking.
[You must be registered and logged in to see this link.] how to get into Safe Mode.

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.]
Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Superdave
Captain


Posts : 4202
Joined : 2010-02-01
Gender : Male
OS : Windows 8.1 and a dual-boot with XP Home SP3


Re: Must pay “fine” to “unlock” computer webpage (malware title unknown)

Post by markls8 on Wed Jan 30, 2013 2:54 am

Hi Dave - thanks for your help. I followed your instructions. My computer was (attempting, at least) to connect itself to various IP addresses (according to the MBAM bubble) on its own so I severed my connection before running the scan, which I think is the contents of the second log below. Should I be concerned about the outgoing data there? Here are the two log reports from MBAM...

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
[You must be registered and logged in to see this link.]

Database version: v2013.01.29.11

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: NIAGARA-DDBB696 [administrator]

Protection: Enabled

29/01/2013 8:14:48 PM
mbam-log-2013-01-29 (20-14-48).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 362058
Time elapsed: 52 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Documents and Settings\Owner\Application Data\mandex.dll (Trojan.Medfos) -> Delete on reboot.

Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

Registry Values Detected: 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|mandex (Trojan.Medfos) -> Data: rundll32.exe "C:\Documents and Settings\Owner\Application Data\mandex.dll",CreateSystemHandleName -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Upipquot (IPH.Trojan.Zbot.Rke) -> Data: "C:\Documents and Settings\Owner\Application Data\Umewra\weaf.exe" -> Quarantined and deleted successfully.
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Documents and Settings\Owner\Local Settings\Application Data\{2e63bd6a-d0c5-e264-9c98-1f8734458f25}\n. -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|svñhîst (Trojan.Agent) -> Data: %SystemDrive%\DOCUME~1\Owner\LOCALS~1\Temp\~!#D4.tmp -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-18\$2e63bd6ad0c5e2649c981f8734458f25\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-21-911505261-913323134-2219545934-1003\$2e63bd6ad0c5e2649c981f8734458f25\n.) Good: (shell32.dll) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 16
C:\Documents and Settings\Owner\Application Data\mandex.dll (Trojan.Medfos) -> Delete on reboot.
C:\Documents and Settings\Owner\Application Data\Umewra\weaf.exe (IPH.Trojan.Zbot.Rke) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\21\762fda95-523bdafe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\30\1ede2ede-158b8f0a (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\temp\AI05A4UC.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\temp\~!#D1.tmp (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\temp\~!#D4.tmp (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-18\$2e63bd6ad0c5e2649c981f8734458f25\n (Trojan.0Access) -> Delete on reboot.
C:\RECYCLER\S-1-5-18\$2e63bd6ad0c5e2649c981f8734458f25\U\00000001.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-18\$2e63bd6ad0c5e2649c981f8734458f25\U\80000000.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-18\$2e63bd6ad0c5e2649c981f8734458f25\U\800000cb.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-911505261-913323134-2219545934-1003\$2e63bd6ad0c5e2649c981f8734458f25\n (Trojan.0Access) -> Delete on reboot.
C:\System Volume Information\_restore{E225CC7D-4D7A-40E3-830A-EEFBCBE2EA96}\RP970\A0112944.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E225CC7D-4D7A-40E3-830A-EEFBCBE2EA96}\RP970\A0112945.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E225CC7D-4D7A-40E3-830A-EEFBCBE2EA96}\RP970\A0112946.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\XQOCG9K.exe (Backdoor.0Access) -> Quarantined and deleted successfully.

(end)


2013/01/29 20:08:52 -0500 NIAGARA-DDBB696 Owner MESSAGE Starting protection
2013/01/29 20:08:52 -0500 NIAGARA-DDBB696 Owner MESSAGE Protection started successfully
2013/01/29 20:08:52 -0500 NIAGARA-DDBB696 Owner MESSAGE Starting IP protection
2013/01/29 20:08:55 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 77.78.240.65 (Type: outgoing)
2013/01/29 20:08:58 -0500 NIAGARA-DDBB696 Owner MESSAGE IP Protection started successfully
2013/01/29 20:09:02 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 209.85.229.104 (Type: outgoing)
2013/01/29 20:09:05 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 209.85.229.104 (Type: outgoing)
2013/01/29 20:09:11 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 209.85.229.104 (Type: outgoing)
2013/01/29 20:09:17 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 77.78.230.220 (Type: outgoing)
2013/01/29 20:09:17 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 77.78.230.220 (Type: outgoing)
2013/01/29 20:09:21 -0500 NIAGARA-DDBB696 Owner MESSAGE Executing scheduled update: Daily
2013/01/29 20:09:23 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 209.85.229.104 (Type: outgoing)
2013/01/29 20:09:26 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 209.85.229.104 (Type: outgoing)
2013/01/29 20:09:32 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 209.85.229.104 (Type: outgoing)
2013/01/29 20:09:45 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 209.85.229.104 (Type: outgoing)
2013/01/29 20:09:48 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 209.85.229.104 (Type: outgoing)
2013/01/29 20:09:54 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 209.85.229.104 (Type: outgoing)
2013/01/29 20:10:03 -0500 NIAGARA-DDBB696 Owner MESSAGE Scheduled update executed successfully: database updated from version v2012.12.14.11 to version v2013.01.29.11
2013/01/29 20:10:03 -0500 NIAGARA-DDBB696 Owner MESSAGE Starting database refresh
2013/01/29 20:10:03 -0500 NIAGARA-DDBB696 Owner MESSAGE Stopping IP protection
2013/01/29 20:10:03 -0500 NIAGARA-DDBB696 Owner MESSAGE IP Protection stopped successfully
2013/01/29 20:10:11 -0500 NIAGARA-DDBB696 Owner MESSAGE Database refreshed successfully
2013/01/29 20:10:11 -0500 NIAGARA-DDBB696 Owner MESSAGE Starting IP protection
2013/01/29 20:10:26 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 93.116.43.30 (Type: incoming)
2013/01/29 20:10:33 -0500 NIAGARA-DDBB696 Owner MESSAGE IP Protection started successfully
2013/01/29 20:10:34 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 203.185.43.71 (Type: outgoing)
2013/01/29 20:10:34 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 203.185.43.71 (Type: outgoing)
2013/01/29 20:10:35 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 77.78.216.118 (Type: outgoing)
2013/01/29 20:10:35 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 203.185.43.71 (Type: outgoing)
2013/01/29 20:10:35 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 203.185.43.71 (Type: outgoing)
2013/01/29 20:10:36 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 209.85.229.104 (Type: outgoing)
2013/01/29 20:10:38 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 180.176.109.93 (Type: outgoing)
2013/01/29 20:10:38 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 180.176.109.93 (Type: outgoing)
2013/01/29 20:10:38 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 98.254.156.173 (Type: outgoing)
2013/01/29 20:10:39 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 212.22.209.229 (Type: outgoing)
2013/01/29 20:10:39 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 98.254.156.173 (Type: outgoing)
2013/01/29 20:10:39 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 98.254.156.173 (Type: outgoing)
2013/01/29 20:10:39 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 98.254.156.173 (Type: outgoing)
2013/01/29 20:10:40 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 98.254.156.173 (Type: outgoing)
2013/01/29 20:10:40 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 98.254.156.173 (Type: outgoing)
2013/01/29 20:10:41 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 98.254.156.173 (Type: outgoing)
2013/01/29 20:10:41 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 77.78.230.220 (Type: outgoing)
2013/01/29 20:10:41 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 98.254.156.173 (Type: outgoing)
2013/01/29 20:10:42 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 212.22.209.229 (Type: outgoing)
2013/01/29 20:10:42 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 212.22.209.229 (Type: outgoing)
2013/01/29 20:10:42 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 77.78.230.220 (Type: outgoing)
2013/01/29 20:10:43 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 98.254.156.173 (Type: outgoing)
2013/01/29 20:10:44 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 212.22.209.229 (Type: outgoing)
2013/01/29 20:10:44 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 212.22.209.229 (Type: outgoing)
2013/01/29 20:10:46 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 203.185.43.71 (Type: outgoing)
2013/01/29 20:10:46 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 203.185.43.71 (Type: outgoing)
2013/01/29 20:10:46 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 203.185.43.71 (Type: outgoing)
2013/01/29 20:10:46 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 203.185.43.71 (Type: outgoing)
2013/01/29 20:10:48 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 66.205.100.224 (Type: incoming)
2013/01/29 20:10:48 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 75.135.80.12 (Type: outgoing)
2013/01/29 20:10:49 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 209.85.229.104 (Type: outgoing)
2013/01/29 20:10:50 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 109.199.157.122 (Type: incoming)
2013/01/29 20:10:52 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 209.85.229.104 (Type: outgoing)
2013/01/29 20:10:54 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 114.35.138.178 (Type: incoming)
2013/01/29 20:10:54 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 71.193.211.74 (Type: incoming)
2013/01/29 20:10:54 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 130.204.3.44 (Type: outgoing)
2013/01/29 20:10:55 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 202.78.81.197 (Type: outgoing)
2013/01/29 20:10:56 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 202.78.81.197 (Type: outgoing)
2013/01/29 20:10:56 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 202.78.81.197 (Type: outgoing)
2013/01/29 20:10:57 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 222.64.44.59 (Type: outgoing)
2013/01/29 20:10:58 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 209.85.229.104 (Type: outgoing)
2013/01/29 20:10:58 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 66.212.137.147 (Type: outgoing)
2013/01/29 20:11:00 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 65.186.201.81 (Type: outgoing)
2013/01/29 20:11:03 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 222.64.44.59 (Type: incoming)
2013/01/29 20:11:03 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 77.78.230.220 (Type: incoming)
2013/01/29 20:11:08 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 109.199.157.122 (Type: incoming)
2013/01/29 20:11:08 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 109.199.157.122 (Type: incoming)
2013/01/29 20:11:08 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 109.199.157.122 (Type: incoming)
2013/01/29 20:11:11 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 209.85.229.104 (Type: outgoing)
2013/01/29 20:11:12 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 76.126.100.34 (Type: outgoing)
2013/01/29 20:11:12 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 37.251.46.31 (Type: incoming)
2013/01/29 20:11:12 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 37.251.46.31 (Type: incoming)
2013/01/29 20:11:12 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 76.126.100.34 (Type: outgoing)
2013/01/29 20:11:14 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 209.85.229.104 (Type: outgoing)
2013/01/29 20:11:16 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 77.78.230.220 (Type: outgoing)
2013/01/29 20:11:17 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 77.78.230.220 (Type: outgoing)
2013/01/29 20:11:18 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 77.78.230.220 (Type: outgoing)
2013/01/29 20:11:18 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 77.78.230.220 (Type: outgoing)
2013/01/29 20:11:18 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 71.203.178.250 (Type: outgoing)
2013/01/29 20:11:18 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 71.203.178.250 (Type: outgoing)
2013/01/29 20:11:20 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 209.85.229.104 (Type: outgoing)
2013/01/29 20:11:20 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 65.186.201.81 (Type: outgoing)
2013/01/29 20:11:21 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 76.126.100.34 (Type: incoming)
2013/01/29 20:11:22 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 76.126.100.34 (Type: incoming)
2013/01/29 20:11:22 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 76.126.100.34 (Type: incoming)
2013/01/29 20:11:23 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 77.78.216.118 (Type: incoming)
2013/01/29 20:11:23 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 77.78.216.118 (Type: incoming)
2013/01/29 20:11:23 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 203.185.43.71 (Type: incoming)
2013/01/29 20:11:24 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 174.55.62.163 (Type: outgoing)
2013/01/29 20:11:24 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 174.55.62.163 (Type: outgoing)
2013/01/29 20:11:24 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 75.135.80.12 (Type: incoming)
2013/01/29 20:11:24 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 75.135.80.12 (Type: incoming)
2013/01/29 20:11:26 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 77.78.230.220 (Type: incoming)
2013/01/29 20:11:29 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 76.126.100.34 (Type: outgoing)
2013/01/29 20:11:30 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 124.248.210.27 (Type: outgoing)
2013/01/29 20:11:30 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 77.78.216.118 (Type: outgoing)
2013/01/29 20:11:30 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 77.78.216.118 (Type: outgoing)
2013/01/29 20:11:31 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 222.64.44.59 (Type: outgoing)
2013/01/29 20:11:32 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 222.64.44.59 (Type: outgoing)
2013/01/29 20:11:32 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 66.212.137.147 (Type: outgoing)
2013/01/29 20:11:33 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 124.248.210.27 (Type: outgoing)
2013/01/29 20:11:33 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 124.248.210.27 (Type: outgoing)
2013/01/29 20:11:33 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 76.126.100.34 (Type: outgoing)
2013/01/29 20:11:34 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 76.126.100.34 (Type: outgoing)
2013/01/29 20:11:35 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 188.254.163.37 (Type: outgoing)
2013/01/29 20:11:36 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 130.204.3.44 (Type: outgoing)
2013/01/29 20:11:37 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 130.204.3.44 (Type: outgoing)
2013/01/29 20:11:37 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 130.204.3.44 (Type: outgoing)
2013/01/29 20:11:38 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 130.204.3.44 (Type: outgoing)
2013/01/29 20:11:38 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 37.251.46.31 (Type: incoming)
2013/01/29 20:11:39 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 124.248.210.27 (Type: outgoing)
2013/01/29 20:11:39 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 76.126.100.34 (Type: incoming)
2013/01/29 20:11:41 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 124.6.0.234 (Type: outgoing)
2013/01/29 20:11:41 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 124.6.0.234 (Type: outgoing)
2013/01/29 20:11:41 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 124.6.0.234 (Type: outgoing)
2013/01/29 20:11:42 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 124.6.0.234 (Type: outgoing)
2013/01/29 20:11:43 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 76.169.132.29 (Type: incoming)
2013/01/29 20:11:43 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 49.251.62.209 (Type: incoming)
2013/01/29 20:11:43 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 114.35.138.178 (Type: incoming)
2013/01/29 20:11:43 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 66.182.87.14 (Type: outgoing)
2013/01/29 20:11:44 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 114.35.138.178 (Type: incoming)
2013/01/29 20:11:44 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 114.35.138.178 (Type: incoming)
2013/01/29 20:11:44 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 114.35.138.178 (Type: incoming)
2013/01/29 20:11:45 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 66.212.137.147 (Type: incoming)
2013/01/29 20:11:45 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 114.35.138.178 (Type: incoming)
2013/01/29 20:11:45 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 114.35.138.178 (Type: incoming)
2013/01/29 20:11:46 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 61.58.184.233 (Type: incoming)
2013/01/29 20:11:46 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 114.35.138.178 (Type: incoming)
2013/01/29 20:11:46 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 66.205.100.224 (Type: outgoing)
2013/01/29 20:11:48 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 24.182.202.56 (Type: incoming)
2013/01/29 20:11:49 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 76.183.239.57 (Type: incoming)
2013/01/29 20:11:49 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 76.169.132.29 (Type: incoming)
2013/01/29 20:11:49 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 71.203.178.250 (Type: incoming)
2013/01/29 20:11:49 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 71.203.178.250 (Type: incoming)
2013/01/29 20:11:49 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 109.199.157.122 (Type: incoming)
2013/01/29 20:11:49 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 89.230.230.34 (Type: outgoing)
2013/01/29 20:11:50 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 76.169.132.29 (Type: incoming)
2013/01/29 20:11:50 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 76.169.132.29 (Type: incoming)
2013/01/29 20:11:51 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 76.169.132.29 (Type: incoming)
2013/01/29 20:11:52 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 98.204.92.164 (Type: outgoing)
2013/01/29 20:11:52 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 174.55.62.163 (Type: outgoing)
2013/01/29 20:11:53 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 98.204.92.164 (Type: outgoing)
2013/01/29 20:11:53 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 98.204.92.164 (Type: outgoing)
2013/01/29 20:11:53 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 174.55.62.163 (Type: outgoing)
2013/01/29 20:11:53 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 174.55.62.163 (Type: outgoing)
2013/01/29 20:11:54 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 71.203.178.250 (Type: outgoing)
2013/01/29 20:11:56 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 77.78.240.65 (Type: incoming)
2013/01/29 20:11:56 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 24.182.202.56 (Type: incoming)
2013/01/29 20:11:57 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 124.248.210.27 (Type: outgoing)
2013/01/29 20:11:59 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 203.185.43.71 (Type: outgoing)
2013/01/29 20:12:00 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 203.185.43.71 (Type: outgoing)
2013/01/29 20:12:00 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 124.248.210.27 (Type: outgoing)
2013/01/29 20:12:00 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 203.185.43.71 (Type: outgoing)
2013/01/29 20:12:01 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 203.185.43.71 (Type: outgoing)
2013/01/29 20:12:01 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 203.185.43.71 (Type: outgoing)
2013/01/29 20:12:02 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 174.55.62.163 (Type: incoming)
2013/01/29 20:12:02 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 174.55.62.163 (Type: incoming)
2013/01/29 20:12:02 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 174.55.62.163 (Type: incoming)
2013/01/29 20:12:02 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 174.55.62.163 (Type: incoming)
2013/01/29 20:12:03 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 76.181.225.255 (Type: incoming)
2013/01/29 20:12:06 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 124.248.210.27 (Type: outgoing)
2013/01/29 20:12:08 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 89.230.230.34 (Type: outgoing)
2013/01/29 20:12:09 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 89.230.230.34 (Type: outgoing)
2013/01/29 20:12:09 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 89.230.230.34 (Type: outgoing)
2013/01/29 20:12:09 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 75.135.80.12 (Type: outgoing)
2013/01/29 20:12:10 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 188.254.163.37 (Type: incoming)
2013/01/29 20:12:10 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 188.254.163.37 (Type: incoming)
2013/01/29 20:12:11 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 124.248.210.27 (Type: outgoing)
2013/01/29 20:12:11 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 188.254.163.37 (Type: incoming)
2013/01/29 20:12:11 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 188.254.163.37 (Type: incoming)
2013/01/29 20:12:11 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 202.78.81.197 (Type: outgoing)
2013/01/29 20:12:11 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 109.199.157.122 (Type: outgoing)
2013/01/29 20:12:11 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 58.99.60.24 (Type: outgoing)
2013/01/29 20:12:11 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 202.78.81.197 (Type: outgoing)
2013/01/29 20:12:12 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 202.78.81.197 (Type: outgoing)
2013/01/29 20:12:12 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 188.254.163.37 (Type: incoming)
2013/01/29 20:12:12 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 202.78.81.197 (Type: outgoing)
2013/01/29 20:12:13 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 109.199.157.122 (Type: outgoing)
2013/01/29 20:12:13 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 109.199.157.122 (Type: outgoing)
2013/01/29 20:12:14 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 200.124.110.40 (Type: outgoing)
2013/01/29 20:12:15 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 89.230.230.34 (Type: incoming)
2013/01/29 20:12:15 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 76.183.239.57 (Type: outgoing)
2013/01/29 20:12:19 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 77.78.230.220 (Type: incoming)
2013/01/29 20:12:19 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 117.18.198.20 (Type: outgoing)
2013/01/29 20:12:24 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 124.248.210.27 (Type: outgoing)
2013/01/29 20:12:26 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 27.54.110.77 (Type: outgoing)
2013/01/29 20:12:27 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 124.248.210.27 (Type: outgoing)
2013/01/29 20:12:29 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 58.114.198.54 (Type: outgoing)
2013/01/29 20:12:29 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 58.114.198.54 (Type: outgoing)
2013/01/29 20:12:30 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 58.114.198.54 (Type: outgoing)
2013/01/29 20:12:30 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 46.180.232.85 (Type: outgoing)
2013/01/29 20:12:30 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 46.180.232.85 (Type: outgoing)
2013/01/29 20:12:31 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 46.180.232.85 (Type: outgoing)
2013/01/29 20:12:33 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 124.248.210.27 (Type: outgoing)
2013/01/29 20:12:34 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 200.124.110.40 (Type: incoming)
2013/01/29 20:12:34 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 24.182.202.56 (Type: incoming)
2013/01/29 20:12:37 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 89.230.230.34 (Type: outgoing)
2013/01/29 20:12:37 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 89.230.230.34 (Type: outgoing)
2013/01/29 20:12:37 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 89.230.230.34 (Type: outgoing)
2013/01/29 20:12:37 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 89.230.230.34 (Type: outgoing)
2013/01/29 20:12:37 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 89.230.230.34 (Type: outgoing)
2013/01/29 20:12:37 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 89.230.230.34 (Type: outgoing)
2013/01/29 20:12:37 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 89.230.230.34 (Type: outgoing)
2013/01/29 20:12:38 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 89.230.230.34 (Type: outgoing)
2013/01/29 20:12:40 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 203.185.43.71 (Type: outgoing)
2013/01/29 20:12:40 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 89.230.230.34 (Type: incoming)
2013/01/29 20:12:40 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 89.230.230.34 (Type: incoming)
2013/01/29 20:12:41 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 181.165.81.55 (Type: incoming)
2013/01/29 20:12:41 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 181.165.81.55 (Type: incoming)
2013/01/29 20:12:41 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 181.165.81.55 (Type: incoming)
2013/01/29 20:12:41 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 203.185.43.71 (Type: outgoing)
2013/01/29 20:12:42 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 117.18.198.20 (Type: outgoing)
2013/01/29 20:12:43 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 181.165.81.55 (Type: incoming)
2013/01/29 20:12:44 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 181.165.81.55 (Type: incoming)
2013/01/29 20:12:45 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 181.165.81.55 (Type: incoming)
2013/01/29 20:12:45 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 89.230.230.34 (Type: outgoing)
2013/01/29 20:12:45 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 58.114.198.54 (Type: outgoing)
2013/01/29 20:12:46 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 89.230.230.34 (Type: outgoing)
2013/01/29 20:12:46 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 117.18.198.20 (Type: outgoing)
2013/01/29 20:12:47 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 117.18.198.20 (Type: outgoing)
2013/01/29 20:12:48 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 58.114.198.54 (Type: outgoing)
2013/01/29 21:21:03 -0500 NIAGARA-DDBB696 (null) MESSAGE Starting protection
2013/01/29 21:21:03 -0500 NIAGARA-DDBB696 (null) MESSAGE Protection started successfully
2013/01/29 21:21:03 -0500 NIAGARA-DDBB696 (null) MESSAGE Starting IP protection
2013/01/29 21:21:10 -0500 NIAGARA-DDBB696 (null) MESSAGE IP Protection started successfully

markls8
Novice

Posts : 25
Joined : 2011-01-27
Gender : Male
OS : XP

Re: Must pay “fine” to “unlock” computer webpage (malware title unknown)

Post by Superdave on Wed Jan 30, 2013 2:59 am

Should I be concerned about the outgoing data there? Here are the two log reports from MBAM
Yes, but they're being blocked so that's good.
Download Combofix from any of the links below, and save it to your DESKTOP.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

To prevent your anti-virus application interfering with ComboFix we need to disable it. See [You must be registered and logged in to see this link.] for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:



Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Superdave
Captain

Posts : 4202
Joined : 2010-02-01
Gender : Male
OS : Windows 8.1 and a dual-boot with XP Home SP3

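As an added illustration of the answer above (not part of the thread and not Malwarebytes' code), the script below parses MBAM protection-log IP-BLOCK lines and separates incoming blocks, which are mostly background scanning noise, from repeated outgoing attempts, which mean a process on the host is still trying to call out and is worth investigating. The sample lines are constructed in the log's layout and use documentation IP ranges rather than real addresses.

```python
"""Triage Malwarebytes (MBAM) protection-log IP-BLOCK lines.

Added example, not part of the original thread or of Malwarebytes.
The line layout follows the MBAM log posted in the thread:
  YYYY/MM/DD HH:MM:SS -0500 HOST USER IP-BLOCK A.B.C.D (Type: outgoing)
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<dir>incoming|outgoing)\)$"
)


def parse_block_lines(lines):
    """Yield (timestamp, ip, direction) for each IP-BLOCK line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            yield ts, m.group("ip"), m.group("dir")


def _has_burst(times, window, min_count):
    """True if at least min_count sorted timestamps fall inside one window."""
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= min_count:
            return True
    return False


def summarize(lines, window_seconds=60, min_outgoing=3):
    """Group blocks per remote IP.

    Returns {ip: {"incoming": n, "outgoing": n, "first": ts, "last": ts,
                  "flag": bool}}. An IP is flagged when the host itself tried
    to reach it at least min_outgoing times within window_seconds: that is
    the signature of a still-running process calling out, the part of the
    log a responder should look at first.
    """
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(lambda: {"incoming": 0, "outgoing": 0,
                                  "first": None, "last": None, "out_times": []})
    for ts, ip, direction in parse_block_lines(lines):
        rec = per_ip[ip]
        rec[direction] += 1
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        if direction == "outgoing":
            rec["out_times"].append(ts)
    result = {}
    for ip, rec in per_ip.items():
        times = sorted(rec.pop("out_times"))
        rec["flag"] = _has_burst(times, window, min_outgoing)
        result[ip] = rec
    return result


def flagged_ips(lines, **kw):
    """Flagged IPs, most outgoing attempts first."""
    summary = summarize(lines, **kw)
    return sorted((ip for ip, r in summary.items() if r["flag"]),
                  key=lambda ip: -summary[ip]["outgoing"])


# Constructed sample in the MBAM layout (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2013/01/29 20:12:48 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 192.0.2.10 (Type: outgoing)
2013/01/29 20:12:48 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 192.0.2.10 (Type: outgoing)
2013/01/29 20:12:49 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 192.0.2.10 (Type: outgoing)
2013/01/29 20:12:50 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 198.51.100.7 (Type: incoming)
2013/01/29 20:12:50 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 198.51.100.7 (Type: incoming)
2013/01/29 20:13:05 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 203.0.113.5 (Type: outgoing)
2013/01/29 20:15:30 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 203.0.113.5 (Type: outgoing)
2013/01/29 20:16:40 -0500 NIAGARA-DDBB696 Owner IP-BLOCK 203.0.113.5 (Type: outgoing)
2013/01/29 21:21:03 -0500 NIAGARA-DDBB696 (null) MESSAGE Starting protection
""".splitlines()

if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG).items():
        print(f"{ip:16} out={rec['outgoing']:2} in={rec['incoming']:2} "
              f"{'INVESTIGATE' if rec['flag'] else ''}")
```

Widening the window (for example to five minutes) also flags the slow, spaced-out retries to 203.0.113.5; tune it to how chatty the blocked process is.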
Re: Must pay “fine” to “unlock” computer webpage (malware title unknown)

Post by markls8 on Wed Jan 30, 2013 3:29 am

Hi Dave - Problems...
Link 1 gives a 404 error.
Link 2 loads the infospyware page, Spanish, but the links redirect me to products other than Combofix.
Link 3 the page downloads, but the download button then links me to a 404.
Windows MSE and Firewall are both out of commission, so I don't need to turn them off.

markls8
Novice

Posts : 25
Joined : 2011-01-27
Gender : Male
OS : XP

Re: Must pay “fine” to “unlock” computer webpage (malware title unknown)

Post by markls8 on Wed Jan 30, 2013 5:14 am

Ok- lost the last post to the matrix- BIG file. Used CNet download for Combofix, which updated itself. No Recovery Console option was offered. Log is in pieces in the following posts...

ComboFix 12-07-31.03 - Owner 29/01/2013 23:21:13.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1479 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Owner\Application Data\upsirt.dll
c:\documents and settings\Owner\Application Data\wgetsi.dll
c:\documents and settings\Owner\WINDOWS
C:\install.exe
c:\windows\system32\DC120fc7_32.dll
c:\windows\system32\SET59.tmp
c:\windows\system32\SET5C.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-12-28 to 2013-01-30 )))))))))))))))))))))))))))))))
.
.
2013-01-30 01:07 . 2013-01-30 01:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-30 01:07 . 2012-12-14 21:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-29 01:38 . 2013-01-29 01:38 -------- d--h--w- c:\windows\PIF
2013-01-28 05:54 . 2013-01-28 05:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Sun
2013-01-28 05:02 . 2013-01-30 02:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Umewra
2013-01-28 05:02 . 2013-01-30 00:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Saolne
2013-01-28 05:02 . 2013-01-28 05:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Xeqece
2013-01-27 06:42 . 2013-01-08 04:57 6991832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E253A4DB-7ABB-4094-88F4-4B0AA7621DF9}\mpengine.dll
2013-01-27 02:49 . 2013-01-08 04:57 6991832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-09 02:41 . 2012-04-15 17:32 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-09 02:41 . 2011-06-11 02:43 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 12:23 . 2006-11-10 13:52 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25 . 2006-11-10 13:53 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 02:01 . 2008-08-03 05:37 1371648 ------w- c:\windows\system32\msxml6.dll
2012-11-03 04:13 . 2012-11-03 04:13 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-11-03 04:13 . 2012-07-22 04:50 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-11-03 04:13 . 2012-07-22 04:50 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-11-03 04:13 . 2011-02-07 02:07 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-02 02:02 . 2006-11-10 13:52 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2006-11-10 13:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2006-11-10 13:52 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2006-11-10 13:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2004-10-01 20:00 . 2006-11-09 23:37 40960 ----a-w- c:\program files\Uninstall_CDS.exe

markls8
Novice

Posts : 25
Joined : 2011-01-27
Gender : Male
OS : XP

Re: Must pay “fine” to “unlock” computer webpage (malware title unknown)

Post by markls8 on Wed Jan 30, 2013 5:18 am

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-05-30 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-05-30 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-05-30 137752]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2012-6-4 221247]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati3cgxx.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati3swxx.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5xkxx.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8vjxx.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 18:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [10/11/2006 9:07 AM 3712]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [29/01/2013 8:08 PM 398184]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [29/01/2013 8:08 PM 682344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [29/01/2013 8:07 PM 21104]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate1c9867f44bbf20a;Google Update Service (gupdate1c9867f44bbf20a);c:\program files\Google\Update\GoogleUpdate.exe [03/02/2009 11:15 PM 133104]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [15/04/2012 12:32 PM 251400]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [03/02/2009 11:15 PM 133104]
S3 iadusb;GlobespanVirata USB IAD LAN Modem;c:\windows\system32\DRIVERS\glauiad.sys --> c:\windows\system32\DRIVERS\glauiad.sys [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [10/11/2006 8:53 AM 14336]
S3 SE31bus;Sony Ericsson Device 049 Driver driver (WDM);c:\windows\system32\drivers\SE31bus.sys [16/09/2007 9:33 PM 61600]
S3 SE31mdfl;Sony Ericsson Device 049 USB WMC Modem Filter;c:\windows\system32\drivers\SE31mdfl.sys [01/05/2006 12:57 PM 9360]
S3 SE31mdm;Sony Ericsson Device 049 USB WMC Modem Driver;c:\windows\system32\drivers\SE31mdm.sys [01/05/2006 12:57 PM 97184]
S3 SE31mgmt;Sony Ericsson Device 049 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE31mgmt.sys [01/05/2006 12:58 PM 88688]
S3 se31nd5;Sony Ericsson Device 049 USB Ethernet Emulation SEMC49 (NDIS);c:\windows\system32\drivers\se31nd5.sys [01/05/2006 12:56 PM 18704]
S3 SE31obex;Sony Ericsson Device 049 USB WMC OBEX Interface;c:\windows\system32\drivers\SE31obex.sys [01/05/2006 12:59 PM 86560]
S3 se31unic;Sony Ericsson Device 049 USB Ethernet Emulation SEMC49 (WDM);c:\windows\system32\drivers\se31unic.sys [16/09/2007 9:37 PM 90800]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 02:41]
.
2012-12-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 04:15]
.
2013-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 04:15]
.
2013-01-30 c:\windows\Tasks\User_Feed_Synchronization-{8188890F-1866-4838-BF25-E30DDEB4F0C9}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
2013-01-30 c:\windows\Tasks\User_Feed_Synchronization-{8CD77659-D71B-47BD-8434-16F64EBCE73B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
Trusted Zone: 3web.com\myaccount
Trusted Zone: 3web.com\www
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\[You must be registered and logged in to see this link.]
Trusted Zone: my3web.com\www
Trusted Zone: uspto.gov
Trusted Zone: windowsupdate.com\download
TCP: Interfaces\{D5198B51-65A8-4E06-9A19-67CE656E1229}: NameServer = 206.80.254.4 206.80.254.68
DPF: RedEyeQuote - [You must be registered and logged in to see this link.]
.
.
------- File Associations -------
.
.scr=AutoCADScript
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKLM-Run-wgetsi - c:\documents and settings\Owner\Application Data\wgetsi.dll
HKLM-Run-upsirt - c:\documents and settings\Owner\Application Data\upsirt.dll
SafeBoot-MsMpSvc
SafeBoot-WinDefend
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2013-01-29 23:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(672)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2013-01-29 23:42:58
ComboFix-quarantined-files.txt 2013-01-30 04:42
ComboFix2.txt 2011-02-04 02:10
ComboFix3.txt 2011-02-03 04:22
.
Pre-Run: 213,208,870,912 bytes free
Post-Run: 213,507,252,224 bytes free
.
- - End Of File - - 965EBF216677F8373B67E2B80AB05754

markls8
Novice

Posts : 25
Joined : 2011-01-27
Gender : Male
OS : XP

Re: Must pay “fine” to “unlock” computer webpage (malware title unknown)

Post by markls8 on Wed Jan 30, 2013 5:20 am

I edited out the content from the following snapshot, but I can include it later if you need it (it's very large).

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))

markls8
Novice

Posts : 25
Joined : 2011-01-27
Gender : Male
OS : XP

Re: Must pay “fine” to “unlock” computer webpage (malware title unknown)

Post by Superdave on Wed Jan 30, 2013 6:05 pm

The log shows that you have two AVs on your computer: "AV: AVG Anti-Virus Free Edition 2012" and "AV: Microsoft Security Essentials". Just make sure that only one is enabled at any time on your computer; otherwise they will cause conflicts.
Is the computer working any better?


Please download [You must be registered and logged in to see this link.] by Xplode onto your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

***************************************************
You should not have trusted zones on your computer for the following reasons. If you agree, download HijackThis and remove them.

Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone. There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge, as these sites will be in the Trusted Zone. Therefore, I recommend that nothing be allowed in the trusted zone. If you agree, please do the following. Please place a check mark next to this/these line/lines.

Please download: [You must be registered and logged in to see this link.] to your Desktop.

  • Double Click the HijackThis icon, located on your Desktop.
  • By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
  • Accept the license agreement.
  • Click the Open the Misc Tools section button.
  • Click Do a System Scan .

    Place a check mark next to the following entries: (if there)

    Trusted Zone: 3web.com\myaccount
    Trusted Zone: 3web.com\www
    Trusted Zone: microsoft.com\*.update
    Trusted Zone: microsoft.com\[You must be registered and logged in to see this link.]
    Trusted Zone: my3web.com\www
    Trusted Zone: uspto.gov
    Trusted Zone: windowsupdate.com\download


    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.

**********************************************
SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

[You must be registered and logged in to see this link.]

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page

    • Hidden Objects Only << Selected

  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.


Superdave
Captain

Posts : 4202
Joined : 2010-02-01
Gender : Male
OS : Windows 8.1 and a dual-boot with XP Home SP3

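The "Trusted Zone:" lines ComboFix printed and HijackThis is asked to fix above come from Internet Explorer's ZoneMap registry keys. As an added example (not the thread's code and not part of ComboFix, HijackThis or Windows), the script below reports every Trusted-sites mapping in the form ComboFix prints, working from a constructed set of entries; the winreg reader for a live Windows machine is included but is not exercised offline.

```python
r"""Audit Internet Explorer "Trusted sites" zone assignments.

Added example, not part of the thread or of any tool it mentions.
IE stores per-site zone assignments under
  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
as Domains\<domain>[\<subdomain>] keys whose values are named by scheme
("http", "https", or "*" for any scheme) and hold the zone id:
  1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
ComboFix prints zone-2 entries as "Trusted Zone: <domain>\<subdomain>".
"""
import sys

ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
TRUSTED = 2
ZONEMAP_PATH = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"


def classify(entries):
    r"""Return ComboFix-style "Trusted Zone: domain\sub" lines.

    entries: iterable of (domain, subdomain_or_None, scheme, zone_id).
    A note is appended when a mapping covers any scheme ("*" value) or a
    wildcard subdomain, since those are the broadest grants.
    """
    out = set()
    for domain, sub, scheme, zone in entries:
        if zone != TRUSTED:
            continue
        name = f"{domain}\\{sub}" if sub else domain
        notes = []
        if scheme == "*":
            notes.append("any scheme")
        if (sub or "").startswith("*"):
            notes.append("wildcard subdomain")
        line = f"Trusted Zone: {name}"
        if notes:
            line += "  (" + ", ".join(notes) + ")"
        out.add(line)
    return sorted(out)


def read_zonemap(hive_name="HKCU"):
    """Enumerate the live ZoneMap on Windows; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    hive = (winreg.HKEY_CURRENT_USER if hive_name == "HKCU"
            else winreg.HKEY_LOCAL_MACHINE)

    def values_of(key):            # (name, dword) pairs of one key
        i = 0
        while True:
            try:
                name, data, kind = winreg.EnumValue(key, i)
            except OSError:
                return
            if kind == winreg.REG_DWORD:
                yield name, data
            i += 1

    def subkeys(key):              # subkey names of one key
        i = 0
        while True:
            try:
                yield winreg.EnumKey(key, i)
            except OSError:
                return
            i += 1

    entries = []
    with winreg.OpenKey(hive, ZONEMAP_PATH) as domains:
        for domain in subkeys(domains):
            with winreg.OpenKey(domains, domain) as dkey:
                for scheme, zone in values_of(dkey):
                    entries.append((domain, None, scheme, zone))
                for sub in subkeys(dkey):
                    with winreg.OpenKey(dkey, sub) as skey:
                        for scheme, zone in values_of(skey):
                            entries.append((domain, sub, scheme, zone))
    return entries


# Constructed sample mirroring the shape of the thread's ComboFix output.
SAMPLE_ENTRIES = [
    ("3web.com", "myaccount", "http", 2),
    ("3web.com", "www", "http", 2),
    ("microsoft.com", "*.update", "http", 2),
    ("microsoft.com", "*.update", "https", 2),
    ("windowsupdate.com", "download", "http", 2),
    ("uspto.gov", None, "*", 2),
    ("example.net", "www", "http", 4),   # Restricted sites: not reported
]

if __name__ == "__main__":
    live = read_zonemap()
    for line in classify(live or SAMPLE_ENTRIES):
        print(line)
```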
Re: Must pay “fine” to “unlock” computer webpage (malware title unknown)

Post by markls8 on Thu Jan 31, 2013 1:38 am

Hi Dave - So far looks good; bootup today took longer than usual (long time between login and desktop display, but that might be normal considering the work that's been done to it).

Thank you. I uninstalled MSE (which I like, but I’m not sure I can “blame” it for this episode, or not?) and re-installed it. I have not run AVG for a while, and thought I had uninstalled it when I started using MSE (sometime this summer?). Windows Firewall appears to be functioning again.

I still have some Microsoft sites listed as "trusted", which HijackThis apparently did not detect. Should I just remove those, and maintain that section blank?

Logs posted below…


# AdwCleaner v2.109 - Logfile created 01/30/2013 at 19:57:44
# Updated 26/01/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Owner - NIAGARA-DDBB696
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Owner\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [537 octets] - [30/01/2013 19:57:44]
AdwCleaner[S1].txt - [1592 octets] - [28/01/2013 20:55:56]

########## EOF - C:\AdwCleaner[R1].txt - [656 octets] ##########

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: A79BD000
Module End: A79D5000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BA62A000
Module End: BA62C000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied

Object: C:\RECYCLER\S-1-5-18\$2e63bd6ad0c5e2649c981f8734458f25\@
Status: Access denied

Object: C:\RECYCLER\S-1-5-18\$2e63bd6ad0c5e2649c981f8734458f25\L
Status: Access denied

Object: C:\RECYCLER\S-1-5-18\$2e63bd6ad0c5e2649c981f8734458f25\U
Status: Access denied

Object: C:\RECYCLER\S-1-5-18\$2e63bd6ad0c5e2649c981f8734458f25
Status: Access denied

Object: C:\RECYCLER\S-1-5-21-911505261-913323134-2219545934-1003\$2e63bd6ad0c5e2649c981f8734458f25\@
Status: Access denied

Object: C:\RECYCLER\S-1-5-21-911505261-913323134-2219545934-1003\$2e63bd6ad0c5e2649c981f8734458f25\L
Status: Access denied

Object: C:\RECYCLER\S-1-5-21-911505261-913323134-2219545934-1003\$2e63bd6ad0c5e2649c981f8734458f25\U
Status: Access denied

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{E225CC7D-4D7A-40E3-830A-EEFBCBE2EA96}
Status: Access denied


markls8
Novice

Posts : 25
Joined : 2011-01-27
Gender : Male
OS : XP

Re: Must pay “fine” to “unlock” computer webpage (malware title unknown)

Post by Superdave on Thu Jan 31, 2013 2:13 am

I uninstalled MSE (which I like, but I’m not sure I can “blame” it for this episode, or not?) and re-installed it.

No, it's not responsible for this type of infection. I had my laptop locked a few weeks ago. I'll explain later how to get full coverage.

I still have some Microsoft sites listed as “trusted”, which HijackThis apparently did not detect. Should I just remove those, and maintain that section blank?

Yes, trusted zones are not a good idea.

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
[You must be registered and logged in to see this link.]

•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.

•Check
•Click the button.
•Accept any security warnings from your browser.

  • Leave the check mark next to Remove found threats.

•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Superdave
Captain

Posts : 4202
Joined : 2010-02-01
Gender : Male
OS : Windows 8.1 and a dual-boot with XP Home SP3

Re: Must pay “fine” to “unlock” computer webpage (malware title unknown)

Post by markls8 on Thu Jan 31, 2013 4:27 am

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\31\641ff59f-154452c9 Java/Exploit.CVE-2012-0507.BR trojan deleted - quarantined
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\40\45909fa8-519e3ec0 multiple threats deleted - quarantined
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\45\4f5ea6ad-5a7e4351 a variant of Java/Exploit.Agent.NDH trojan deleted - quarantined
C:\Documents and Settings\Owner\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\26\79e4f21a-3cbe3448 multiple threats deleted - quarantined
C:\Documents and Settings\Owner\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\50\1ef9a5b2-6643eaf9 Java/Agent.FH trojan cleaned by deleting - quarantined
C:\Documents and Settings\Owner\Local Settings\Application Data\08ee967b-5e92-46b1-b283-1e8c65350bed.crx JS/Redirector.NCG trojan deleted - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\upsirt.dll.vir a variant of Win32/Medfos.JD trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\wgetsi.dll.vir a variant of Win32/Medfos.JD trojan cleaned by deleting - quarantined

markls8
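An added example, not part of this thread and not ESET's own tooling: a small Python triage parser for result lines in the format the ESET Online Scanner produced above, which separates the space-containing path from the detection name, pulls out any CVE id, and buckets each hit by where the object lived. The sample log is constructed from the lines quoted in this post; the helper names (split_path, classify, parse_log) and the triage buckets are the editor's own.

```python
import re
from collections import namedtuple

# Constructed sample built from the ESET Online Scanner result lines quoted in this thread.
SAMPLE_LOG = r"""
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\31\641ff59f-154452c9 Java/Exploit.CVE-2012-0507.BR trojan deleted - quarantined
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\40\45909fa8-519e3ec0 multiple threats deleted - quarantined
C:\Documents and Settings\Owner\Local Settings\Application Data\08ee967b-5e92-46b1-b283-1e8c65350bed.crx JS/Redirector.NCG trojan deleted - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\upsirt.dll.vir a variant of Win32/Medfos.JD trojan cleaned by deleting - quarantined
"""

# A detection name opens with a qualifier or an ESET "Platform/Family" token; Windows
# paths use backslashes, so the first forward slash can only belong to the detection.
DETECTION_START = re.compile(r"^(a variant of |probably |multiple threats|[A-Za-z0-9]+/\S+)")
# Action phrases are the ones seen in this thread's log, followed by " - <status>".
RESULT_RE = re.compile(r"^(?P<det>.+?) (?P<action>cleaned by deleting|deleted|cleaned) - (?P<status>.+)$")

# cve is empty when the detection name carries no CVE id.
Finding = namedtuple("Finding", "path detection action category cve")


def split_path(line):
    # Paths contain spaces, so cut at the first token that begins a detection name.
    tokens = line.split(" ")
    for i in range(1, len(tokens)):
        rest = " ".join(tokens[i:])
        if DETECTION_START.match(rest):
            return " ".join(tokens[:i]), rest
    raise ValueError("no detection name found in: " + line)


def classify(path):
    # Triage bucket from where the object lived; C:\Qoobox is ComboFix's working folder.
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "already quarantined by ComboFix"
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "Java cache (drive-by exploit evidence)"
    if p.endswith(".crx"):
        return "browser extension package"
    return "other"


def parse_log(text):
    findings = []
    for line in text.strip().splitlines():
        path, rest = split_path(line.strip())
        m = RESULT_RE.match(rest)
        if not m:
            raise ValueError("unrecognised result line: " + line)
        cve = re.search(r"CVE-\d{4}-\d+", m["det"])
        findings.append(Finding(path, m["det"], m["action"], classify(path), cve.group(0) if cve else ""))
    return findings
```

Run against the log above, the Java-cache bucket shows the drive-by exploit artefacts while the Qoobox bucket marks hits ComboFix had already quarantined, which tells the helper what still needs attention.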

Re: Must pay “fine” to “unlock” computer webpage (malware title unknown)

Post by Superdave on Thu Jan 31, 2013 6:56 pm

How's the computer running now? Any other issues?

Superdave

Re: Must pay “fine” to “unlock” computer webpage (malware title unknown)

Post by markls8 on Fri Feb 01, 2013 2:13 am

As far as I can see it looks all good Dave, well done sir, thank you. How does it look from your view? : )

For some reason I found a (dismembered?) Windows Defender on my computer, so I removed it (with “add & remove programs”).

When I uninstalled and re-installed MSE yesterday it did a scan, and came up clean. But when I checked its History today, it tells me it found and removed Trojan:Win32/Sirefef!cfg, at around the same time I did that scan. A mystery. That was before the last battery of tools you gave me to run on the last post. (So I probably shouldn’t have done it at that time, …sorry!).

I have Milton’s Tips and Tricks ebook. Any advice for the future?

On edit. MBAM says it works well with others. Does that mean it can be run alongside MSE, or is it a full stand-alone virus scan and therefore the two should not be run concurrently?

markls8

Re: Must pay “fine” to “unlock” computer webpage (malware title unknown)

Post by Superdave on Fri Feb 01, 2013 7:16 pm

MBAM says it works well with others. Does that mean it can be run alongside MSE, or is it a full stand-alone virus scan and therefore the two should not be run concurrently?

MBAM is not a full-time scanner unless you have the paid version. It also doesn't look for the same things that MSE looks for, so it's compatible.

Let's do some cleanup.

Download this program and run it [You must be registered and logged in to see this link.]. It will remove ComboFix for you.

**********************************************
Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.
Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.

This runs the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space on the C drive.)
***************************************
Go to [You must be registered and logged in to see this link.] and get all critical updates.

----------

I suggest using [You must be registered and logged in to see this link.]. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

[You must be registered and logged in to see this link.]- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* [You must be registered and logged in to see this link.] from Spyware and Malware
* If you don't know what ActiveX controls are, see [You must be registered and logged in to see this link.]

Protect yourself against spyware using the Immunize feature in [You must be registered and logged in to see this link.] Guide: [You must be registered and logged in to see this link.] to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. [You must be registered and logged in to see this link.]

Check out [You must be registered and logged in to see this link.] for tips and free tools to help keep you safe in the future.

Also see [You must be registered and logged in to see this link.] for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

Superdave

Re: Must pay “fine” to “unlock” computer webpage (malware title unknown)

Post by markls8 on Sat Feb 02, 2013 4:59 am

Thanks for your professional help and advice, Dave. Very much appreciated. It's running like a top now. Thank You!

markls8

Re: Must pay “fine” to “unlock” computer webpage (malware title unknown)

Post by Superdave on Sun Feb 03, 2013 12:05 am

You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.

Superdave