[Closed] New guy, new thread, the same problems - VIRUSES :)

By monere
Jun 8, 2011
Topic Status:
Not open for further replies.
    Hi everyone,

    this is my second attempt to get some help for my virus issues, after I have tried on another similar forum but without any success. Anyway, here are the log files I have been asked for:

    1. Malwarebytes

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6807

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    6/8/2011 12:57:41 PM
    mbam-log-2011-06-08 (12-57-41).txt

    Scan type: Quick scan
    Objects scanned: 157683
    Time elapsed: 2 minute(s), 34 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 20
    Registry Values Infected: 8
    Registry Data Items Infected: 0
    Folders Infected: 24
    Files Infected: 269

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Seekdns Service (Adware.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{2F9AD413-2E0B-4a85-BB2A-CF961238262A} (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{100EB1FD-D03E-47FD-81F3-EE91287F9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{851552F5-B878-4B03-904F-2AD6A4CC8994} (PUP.Zwangi) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{851552F5-B878-4B03-904F-2AD6A4CC8994} (PUP.Zwangi) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6FD31ED6-7C94-4BBC-8E95-F927F4D3A949} (Adware.180Solutions) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D95C7240-0282-4C01-93F5-673BCA03DA86} (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D95C7240-0282-4C01-93F5-673BCA03DA86} (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EDDBB5EE-BB64-4bfc-9DBE-E7C85941335B} (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{69725738-CD68-4f36-8D02-8C43722EE5DA} (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A3E67DAA-DA01-4da5-98BE-3088B554A11E} (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\DesktopLightning (Adware.Cashon) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Victim (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Seekdns (PUP.Zwangi) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Seekdns (PUP.Zwangi) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEEKDNS_SERVICE (PUP.Zwangi) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{851552F5-B878-4B03-904F-2AD6A4CC8994} (PUP.Zwangi) -> Value: {851552F5-B878-4B03-904F-2AD6A4CC8994} -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{C5428486-50A0-4a02-9D20-520B59A9F9B3} (Adware.ShopperReports) -> Value: {C5428486-50A0-4a02-9D20-520B59A9F9B3} -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{C5428486-50A0-4a02-9D20-520B59A9F9B3} (Adware.ShopperReports) -> Value: {C5428486-50A0-4a02-9D20-520B59A9F9B3} -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{C5428486-50A0-4a02-9D20-520B59A9F9B2} (Adware.ShopperReports) -> Value: {C5428486-50A0-4a02-9D20-520B59A9F9B2} -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{C5428486-50A0-4a02-9D20-520B59A9F9B2} (Adware.ShopperReports) -> Value: {C5428486-50A0-4a02-9D20-520B59A9F9B2} -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{851552F5-B878-4B03-904F-2AD6A4CC8994} (PUP.Zwangi) -> Value: {851552F5-B878-4B03-904F-2AD6A4CC8994} -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winappp (Backdoor.Agent) -> Value: winappp -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Windows Update System (Trojan.Backdoor) -> Value: Windows Update System -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\documents and settings\all users\application data\2aca5cc3-0f83-453d-a079-1076fe1a8b65 (Adware.Seekmo) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\IESkins (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5 (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\HostOI (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\HostOI\dynamic (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\HostOL (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\HostOL\dynamic (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\ustat (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1 (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2 (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\Weather (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\Weather\weatherdpa (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\Weather\weatherdpa\weather_xml (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\Weather\weather_xml (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\HotbarSA (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\Seekdns (PUP.Zwangi) -> Quarantined and deleted successfully.
    c:\program files\Seekdns (PUP.Zwangi) -> Quarantined and deleted successfully.
    c:\svnhostsvc.exe (Trojan.SpyEyes.WC) -> Quarantined and deleted successfully.

    Files Infected:
    c:\documents and settings\all users\application data\Seekdns\seekdns129.exe (Adware.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\john\Desktop\warcraft3keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\program files\mozilla firefox\plugins\npclntax_hotbarsa.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\WINDOWS\watwat\bkkz\bkk.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\program files\mozilla firefox\searchplugins\flvtube.xml (PUP.Zwangi) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\winappp.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\1.sdf (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\1055703.sdf (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\3783086.sdf (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\3858577.sdf (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\737654.sdf (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\domains.txt (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\26656 (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\29115 (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\29547 (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\342421 (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\38733 (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\40256 (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\41768 (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\459338 (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\460458 (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\477253 (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\572023 (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\579123 (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\83706 (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\95825 (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\ustat\3914.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\ads.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\btntrans.idx (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\btntrans1.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\business_promo.htm (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\buttondir.txt (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\components.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\cursors.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz12.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz13.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz14.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz15.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz16.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz17.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz18.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz19.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz2.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz20.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz3.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz4.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz5.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz6.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz7.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz8.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_categorize.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_comparison.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_em_profl_ca_flow_b_ieb.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_explorer-mails.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_explorer-people.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_favorites.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_games.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_hide.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_hotbarcom.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_hotmail.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_hsskin.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_jemster.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_jemsterie.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_jemsteruk.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_jobsearch.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_511745-514279.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz1.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz10.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_new.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_premium.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_reun.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_ringtones.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_searchboxtrapper.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_searchfor.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_searchgo.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_weather.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_yellowpages.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_1000.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_2000.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_3000.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_bar.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_bbar1.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_logos.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_other.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\d_icons_weather.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\editblbuttons.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\email-def-511724-548964.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz11.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz9.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_mails.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\email-def-511724-9595.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\ie_games_icon.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\email-t1-bg.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\gamesmenu.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\gamesmenu.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\hb_ie_menu.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\hotbar-premium-hotbar-premium.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\hotbar-premium.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\hotbar_promo.htm (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\icons2.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\ie_video.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\keywords.idx (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\keywords1.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\layout.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\linkpathlegal.txt (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\more.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\new_games.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\progress.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\sales_buttons.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\sdfmodifier.xml (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\s_icons_buttons.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\t2_bg.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\theweb.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\top7.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\top7_theweb.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\tsd_bg.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\weathericon.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\ads.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\btntrans.idx (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\btntrans1.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\business_promo.htm (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\buttondir.txt (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\components.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\cursors.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz12.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz13.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz14.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz15.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz16.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz17.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz18.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz19.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz2.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz20.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz3.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz4.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz5.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz6.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz7.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz8.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_categorize.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_comparison.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_em_profl_ca_flow_b_ieb.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_explorer-mails.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_explorer-people.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_favorites.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_games.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_hide.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_hotbarcom.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_hotmail.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_hsskin.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_jemster.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_jemsterie.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_jemsteruk.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_jobsearch.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_511745-514279.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz1.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz10.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_new.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_premium.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_reun.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_ringtones.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_searchboxtrapper.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_searchfor.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_searchgo.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_weather.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_yellowpages.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_1000.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_2000.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_3000.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_bar.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_bbar1.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_logos.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_other.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\d_icons_weather.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\editblbuttons.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\email-def-511724-548964.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz11.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz9.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_mails.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\email-def-511724-9595.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\ie_games_icon.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\email-t1-bg.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\gamesmenu.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\gamesmenu.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\hb_ie_menu.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\hotbar-premium-hotbar-premium.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\hotbar-premium.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\hotbar_promo.htm (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\icons2.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\ie_video.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\keywords.idx (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\keywords1.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\layout.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\linkpathlegal.txt (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\more.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\new_games.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\progress.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\sales_buttons.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\sdfmodifier.xml (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\s_icons_buttons.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\t2_bg.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\theweb.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\top7.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\top7_theweb.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\tsd_bg.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\weathericon.res (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\ads.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\BtnTrans.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\btntrans1.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\business_promo.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\buttondir.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\editblbuttons.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\email-t1-bg.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\progress.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\sales_buttons.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\samplegroups2.txt (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\samplegroups2.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\sdfmodifier.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\s_icons_buttons.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\t2_bg.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\top7.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\tsd_bg.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\weathericon.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_2000.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_3000.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_bar.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_bbar1.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_logos.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_other.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\ie_video.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\keywords.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\keywords1.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\layout.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\linkpathlegal.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\default.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\cursors.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_1000.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_weather.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\ie_games_icon.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\more.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\gamesmenu.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\hb_ie_menu.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\hotbar-premium.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\hotbar_promo.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\icons2.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\Weather\history (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\Weather\weatherstartup.xml (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\Weather\weatherdpa\Links (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\Weather\weatherdpa\weatherpreferences (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\Weather\weatherdpa\weather_xml\Display (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\Weather\weatherdpa\weather_xml\Loading (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\Weather\weatherdpa\weather_xml\screen2 (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\Weather\weather_xml\Default (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\Weather\weather_xml\Genera1 (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\john\application data\Hotbar\Weather\weather_xml\General (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\HotbarSA\HotbarSA.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\HotbarSA\hotbarsaabout.mht (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\HotbarSA\hotbarsaau.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\HotbarSA\hotbarsaeula.mht (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\HotbarSA\hotbarsa_kyf.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
    c:\program files\Seekdns\seekdns.exe (PUP.Zwangi) -> Quarantined and deleted successfully.
    c:\program files\Seekdns\uninstall.exe (PUP.Zwangi) -> Quarantined and deleted successfully.
    c:\svnhostsvc.exe\cleansweepupd.exe (Trojan.SpyEyes.WC) -> Quarantined and deleted successfully.
    c:\svnhostsvc.exe\config.bin (Trojan.SpyEyes.WC) -> Quarantined and deleted successfully.


    This is part 1. Part 2 in the next post.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I'll wait until all the logs are in to review. But I will leave you a note:

    The malware you have gotten indicates that:
    1. You are using 'cosmetic' sites to put icons, cursors, wallpaper, screensavers and the like on the system. STOP! You do not get something for nothing. Stay away from all FunWebProducts sites, including the following:
    Reset the Cookies to block 3rd party Cookies:
    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK 'accept Cookies from Sites'> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List

    For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
    ===============================================
    Put a Site Advisor on the system: I recommend the Web of Trust (WOT). This add-on is a safe surfing tool for your browser. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety. Your online email account – Google Mail, Yahoo! Mail and Hotmail – is also protected.

    Every time you do a search and the screen comes up with the sites, they will have the rating light. Green (2 shades), Amber/Yellow Caution, Red> not advised. A few sites haven't been rated and show as a blue flashlight. NOTE: Choose only sites rated Green.
    ======================================
    Win32/Zwangi is a malware program that infects Windows computers. It is also known as Spyware.Screenspy, Mal/BHO-S, and Seekapp. The program redirects URLs typed into the browser's address bar to a search page at XXXXXX. It may also take screenshots without permission.

    Please do the following:
    To reset Internet Explorer settings manually
    1. Close all Internet Explorer or Windows Explorer windows that are currently open.
    2. Open Internet Explorer
    3. Click the Tools button, and then click Internet Options.
    4. Click the Advanced tab, and then click Reset.
    5. In the Reset Internet Explorer Settings dialog box, click Reset.
    6. When Internet Explorer finishes applying default settings, click Close, click OK, and then click OK again.
    7. Close Internet Explorer.
    Your changes will take effect the next time you open Internet Explorer.
    =====================================
    I will check the security on the system when I have the additional logs.
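The cookie advice above (block third-party cookies, keep first-party ones) can be made concrete with a small model of a browser cookie jar. This is an added illustration, not code from the thread or from any browser: the names `site_of`, `CookieJar` and `tracking_demo` and the hosts `shop.example`, `news.example` and `ads.tracker.example` are constructed, and the "site" of a URL is approximated by its last two host labels instead of the Public Suffix List a real browser uses.

```python
# Added example (not from the thread): a cookie-jar model showing what the
# "block third-party cookies" setting changes. All names and hosts are
# constructed for illustration.
from dataclasses import dataclass
from urllib.parse import urlsplit


def site_of(url: str) -> str:
    """Approximate the 'site' of a URL by its last two host labels.

    Assumption: real browsers use the Public Suffix List; the two-label
    rule is enough for the constructed hosts used below.
    """
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


@dataclass
class Cookie:
    name: str
    value: str
    site: str  # site whose response set the cookie


class CookieJar:
    """Cookie store with the optional third-party block described in the post."""

    def __init__(self, block_third_party: bool) -> None:
        self.block_third_party = block_third_party
        self._cookies: list[Cookie] = []

    @staticmethod
    def _is_third_party(top_level_url: str, resource_url: str) -> bool:
        # A request is third-party when the resource's site differs from the
        # site of the page the user is actually looking at.
        return site_of(resource_url) != site_of(top_level_url)

    def store(self, top_level_url: str, resource_url: str, name: str, value: str) -> bool:
        """Handle a Set-Cookie from resource_url loaded inside the page
        top_level_url. Returns True if the cookie was accepted."""
        if self.block_third_party and self._is_third_party(top_level_url, resource_url):
            return False
        self._cookies.append(Cookie(name, value, site_of(resource_url)))
        return True

    def cookies_for(self, top_level_url: str, resource_url: str) -> dict[str, str]:
        """Cookies attached to a request for resource_url made from top_level_url."""
        if self.block_third_party and self._is_third_party(top_level_url, resource_url):
            return {}
        target = site_of(resource_url)
        return {c.name: c.value for c in self._cookies if c.site == target}


def tracking_demo(block_third_party: bool) -> dict:
    """Two unrelated sites embed the same ad network's pixel. Without the
    block, the id the pixel set on the first site is sent back from the
    second, so the network can link both visits. First-party cookies (the
    shop's own session) keep working in both modes."""
    jar = CookieJar(block_third_party)
    tracker_pixel = "http://ads.tracker.example/pixel.gif"  # constructed host

    # Visit 1: the shop sets its own session cookie; the embedded ad pixel
    # tries to set a tracking id.
    shop = "http://shop.example/"
    jar.store(shop, "http://shop.example/login", "session", "s3cr3t")
    stored = jar.store(shop, tracker_pixel, "uid", "42")

    # Visit 2: a different site embeds the same pixel.
    news = "http://news.example/"
    seen_by_tracker = jar.cookies_for(news, tracker_pixel)

    # Returning to the shop: its own cookie is still sent.
    session = jar.cookies_for("http://shop.example/cart", "http://shop.example/api/cart")

    return {
        "tracker_cookie_stored": stored,
        "tracker_sees_on_second_site": seen_by_tracker,
        "shop_session_cookie": session,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"block_third_party={flag}: {tracking_demo(flag)}")
```

Running it with the block off shows the tracker's `uid` cookie being returned from the second site; with the block on, the pixel's cookie is never stored and nothing is sent, while the shop's session cookie is delivered in both cases, which is the behaviour the note above describes.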
  3. monere

    monere Newcomer, in training Topic Starter

    Part 2

    And, here's episode no. 2 :)

    2. GMER



    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit quick scan 2011-06-08 13:11:59
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\00000076 ST3500630NS rev.3.AEG
    Running: pm27g7pv.exe; Driver: C:\DOCUME~1\john\LOCALS~1\Temp\kxtdypow.sys


    ---- System - GMER 1.0.15 ----

    SSDT spsj.sys ZwEnumerateKey [0xBA6C6CA2]
    SSDT spsj.sys ZwEnumerateValueKey [0xBA6C7030]

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdePort0 89DDC1F8
    Device \Driver\atapi \Device\Ide\IdePort1 89DDC1F8
    Device \Driver\anh3aepm \Device\Scsi\anh3aepm1Port5Path0Target3Lun0 89AD51F8
    Device \Driver\anh3aepm \Device\Scsi\anh3aepm1 89AD51F8
    Device \Driver\anh3aepm \Device\Scsi\anh3aepm1Port5Path0Target2Lun0 89AD51F8
    Device \Driver\anh3aepm \Device\Scsi\anh3aepm1Port5Path0Target0Lun0 89AD51F8
    Device \Driver\JRAID \Device\Scsi\JRAID1 89DDB1F8
    Device \Driver\anh3aepm \Device\Scsi\anh3aepm1Port5Path0Target1Lun0 89AD51F8
    Device \FileSystem\Ntfs \Ntfs 89DDA1F8

    AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    Device \FileSystem\Fastfat \Fat 88D5B1F8

    AttachedDevice \FileSystem\Fastfat \Fat mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----


    3. DDS.txt


    .
    DDS (Ver_2011-06-03.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
    Run by john at 13:16:00 on 2011-06-08
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1168 [GMT 3:00]
    .
    AV: AVG Internet Security *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: ActiveArmor Firewall *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Google\Update\1.3.21.57\GoogleCrashHandler.exe
    C:\Program Files\MozyHome\mozybackup.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Program Files\AVG\AVG9\avgam.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.livefootballtvs.com/
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uLocal Page = \blank.htm
    mDefault_Page_URL = hxxp://www.yahoo.com/
    mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
    uRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    uRun: [AWC.exe] c:\program files\iobit\advanced systemcare 3\AWC.exe
    uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 3\Sup_SmartRAM.exe" /m
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
    uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
    mRun: [PAC207_Monitor] c:\windows\pixart\pac207\Monitor.exe
    mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    dRunOnce: [RunNarrator] Narrator.exe
    IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\party poker\partypoker\RunApp.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    Trusted Zone: gistweb.com\www
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
    TCP: DhcpNameServer = 217.156.101.1 217.156.101.10
    TCP: Interfaces\{7916B3FD-0BAD-4157-BB4D-255D4AD9FA53} : DhcpNameServer = 217.156.101.1 217.156.101.10
    TCP: Interfaces\{D4FD8090-38DD-452C-A0F5-D5B487E8F22F} : NameServer = 217.156.101.1
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\john\application data\mozilla\firefox\profiles\libmvgn6.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2922774&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage -
    FF - prefs.js: keyword.URL - hxxp://flvtubesearch.co/?prt=02ff&clid=&subid=&Keywords=
    FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\libmvgn6.default\extensions\{018da686-db92-473a-bacb-fe006e046644}\components\RadioWMPCoreGecko19.dll
    FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\libmvgn6.default\extensions\{0ed0633c-a54d-47f1-94e7-5bded41ae674}\components\RadioWMPCoreGecko19.dll
    FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\libmvgn6.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
    FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\libmvgn6.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
    FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
    FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
    FF - plugin: c:\documents and settings\john\application data\mozilla\firefox\profiles\libmvgn6.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\veetle\player\npvlc.dll
    FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
    FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
    FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Seekdns: {7BA9F755-DCD4-4B60-8AE8-EE3662C7C733} - c:\program files\mozilla firefox\extensions\{7BA9F755-DCD4-4B60-8AE8-EE3662C7C733}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\google\google gears\Firefox
    FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\siber systems\ai roboform\Firefox
    FF - Ext: SearchStatus: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a} - %profile%\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
    FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
    FF - Ext: OnlyWire: {e26ba8db-a646-a44e-997c-2fafeadb50f2} - %profile%\extensions\{e26ba8db-a646-a44e-997c-2fafeadb50f2}
    FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: vShare Plugin: vshare@toolbar - %profile%\extensions\vshare@toolbar
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - Ext: AlphaMarket Community Toolbar: {018da686-db92-473a-bacb-fe006e046644} - %profile%\extensions\{018da686-db92-473a-bacb-fe006e046644}
    FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
    FF - Ext: Free Traffic Bar Community Toolbar: {0ed0633c-a54d-47f1-94e7-5bded41ae674} - %profile%\extensions\{0ed0633c-a54d-47f1-94e7-5bded41ae674}
    FF - Ext: CBSurge.com: cbsurge@cbsurge.com - %profile%\extensions\cbsurge@cbsurge.com
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: browser.cache.memory.capacity - 65536
    FF - user.js: browser.chrome.favicons - false
    FF - user.js: browser.display.show_image_placeholders - true
    FF - user.js: browser.turbo.enabled - true
    FF - user.js: browser.urlbar.autocomplete.enabled - true
    FF - user.js: browser.urlbar.autofill - true
    FF - user.js: content.interrupt.parsing - true
    FF - user.js: content.max.tokenizing.time - 2250000
    FF - user.js: content.notify.backoffcount - 5
    FF - user.js: content.notify.interval - 750000
    FF - user.js: content.notify.ontimer - true
    FF - user.js: content.switch.threshold - 750000
    FF - user.js: network.http.max-connections - 48
    FF - user.js: network.http.max-connections-per-server - 16
    FF - user.js: network.http.max-persistent-connections-per-proxy - 16
    FF - user.js: network.http.max-persistent-connections-per-server - 8
    FF - user.js: network.http.pipelining - true
    FF - user.js: network.http.pipelining.firstrequest - true
    FF - user.js: network.http.pipelining.maxrequests - 8
    FF - user.js: network.http.proxy.pipelining - true
    FF - user.js: network.http.request.max-start-delay - 0
    FF - user.js: nglayout.initialpaint.delay - 0
    FF - user.js: plugin.expose_full_path - true
    FF - user.js: ui.submenuDelay - 0
    FF - user.js: yahoo.homepage.dontask - true
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-1-25 25168]
    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-1-25 52872]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-25 216400]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-25 29584]
    R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-25 243152]
    R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-22 308136]
    R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-6-22 5897808]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-8 366640]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-10-22 583640]
    R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-1-25 122448]
    R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-1-25 30288]
    R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-1-25 26192]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-8 22712]
    R3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2009-9-9 30464]
    R3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2009-9-9 12672]
    R3 STETH;SpeedTouch Ethernet Adapter NT Driver;c:\windows\system32\drivers\steth.sys [2009-9-9 40320]
    S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]
    S0 szkg5;szkg5;c:\windows\system32\drivers\szkg.sys --> c:\windows\system32\drivers\szkg.sys [?]
    S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]
    S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\anti trojan elite\atepmon.sys --> c:\program files\anti trojan elite\ATEPMon.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-11 136176]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 947528]
    S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\john\locals~1\temp\upd1e7.tmp --> c:\docume~1\john\locals~1\temp\UPD1E7.tmp [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-11 136176]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-8 39984]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
    S3 WFFALCON;Leadtek WinFast PVR3000 Series Driver;c:\windows\system32\drivers\wffalcon.sys --> c:\windows\system32\drivers\wffalcon.sys [?]
    S3 WFIOCTL;WFIOCTL;\??\c:\program files\winfast\wfdtv\wfioctl.sys --> c:\program files\winfast\wfdtv\WFIOCTL.SYS [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-06-08 09:52:37 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-08 09:52:33 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-07 09:36:56 -------- d-----w- c:\program files\common files\Blizzard Entertainment
    2011-06-07 09:36:56 -------- d-----w- c:\documents and settings\all users\application data\Blizzard Entertainment
    2011-06-07 08:06:59 -------- d-----w- c:\program files\Easy eCover Creator
    2011-06-04 19:32:14 2829 ----a-w- c:\windows\War3Unin.pif
    2011-06-04 19:32:13 139264 ----a-w- c:\windows\War3Unin.exe
    2011-06-04 19:29:27 -------- d-----w- C:\w3
    2011-06-03 20:55:48 -------- d-----w- c:\windows\Eurobattle.net
    2011-06-02 18:47:16 -------- d-----w- c:\program files\DAEMON Tools Lite
    2011-06-01 14:04:28 6656 ----a-w- c:\windows\system32\CoInst_071102.dll
    2011-06-01 14:04:27 -------- d-----w- c:\windows\PixArt
    2011-06-01 10:17:55 -------- d-----w- c:\documents and settings\john\application data\Malwarebytes
    2011-06-01 10:17:48 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-06-01 10:17:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-30 22:26:55 -------- d-----w- c:\documents and settings\john\application data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2011-05-29 11:57:06 -------- d-----w- c:\documents and settings\all users\application data\TW
    2011-05-28 12:12:56 286720 ----a-w- c:\windows\iun503.exe
    2011-05-28 12:12:54 -------- d-----w- c:\program files\KeywordSwipe
    2011-05-27 10:16:45 -------- d-----w- C:\IncanBots
    2011-05-18 19:35:58 -------- d-----w- c:\program files\Article Drip Robot
    2011-05-17 13:21:59 -------- d-----w- c:\program files\common files\Astech
    2011-05-17 13:20:03 -------- d-----w- c:\program files\Article Submitter Pro Demo
    2011-05-16 11:01:12 -------- d-----w- c:\documents and settings\john\local settings\application data\FastArticleSubmitter
    2011-05-16 10:57:01 -------- d-----w- c:\program files\Fast Article Submitter
    2011-05-14 10:01:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-13 14:30:02 -------- d-----w- c:\program files\Backlink Loophole
    2011-05-13 11:20:27 -------- d-----w- c:\program files\Article Indexer
    2011-05-12 17:30:09 -------- d-----w- c:\program files\MySQL
    2011-05-12 01:23:20 212240 ----a-w- c:\windows\system32\Richtx32.ocx
    2011-05-11 15:00:04 -------- d-----w- c:\documents and settings\john\application data\Bryxen Software
    .
    ==================== Find3M ====================
    .
    2011-05-05 17:39:19 243152 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2011-03-16 20:56:22 1070432 ----a-w- c:\windows\system32\wodTunnel.dll
    .
    ============= FINISH: 13:16:17.48 ===============


    4. Attach.txt


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-03.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/8/2009 6:05:46 PM
    System Uptime: 6/8/2011 12:59:54 PM (1 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | P5N-E SLI
    Processor: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz | Socket 775 | 2400/266mhz
    Processor: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz | Socket 775 | 2400/266mhz
    Processor: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz | Socket 775 | 2400/266mhz
    Processor: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz | Socket 775 | 2400/266mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 54 GiB total, 26.718 GiB free.
    D: is FIXED (NTFS) - 246 GiB total, 19.303 GiB free.
    E: is FIXED (NTFS) - 49 GiB total, 37.56 GiB free.
    F: is FIXED (NTFS) - 59 GiB total, 42.816 GiB free.
    G: is FIXED (NTFS) - 59 GiB total, 27.631 GiB free.
    H: is CDROM (CDFS)
    I: is CDROM ()
    J: is CDROM ()
    K: is CDROM ()
    L: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description: Multimedia Video Controller
    Device ID: PCI\VEN_4444&DEV_0016&SUBSYS_6F19107D&REV_01\4&DC268A3&0&3880
    Manufacturer:
    Name: Multimedia Video Controller
    PNP Device ID: PCI\VEN_4444&DEV_0016&SUBSYS_6F19107D&REV_01\4&DC268A3&0&3880
    Service:
    .
    Class GUID:
    Description: Audio Device on High Definition Audio Bus
    Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0883&SUBSYS_10438249&REV_1000\4&2796B9EC&0&0001
    Manufacturer:
    Name: Audio Device on High Definition Audio Bus
    PNP Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0883&SUBSYS_10438249&REV_1000\4&2796B9EC&0&0001
    Service:
    .
    ==== System Restore Points ===================
    .
    RP462: 3/10/2011 2:10:10 PM - System Checkpoint
    RP463: 3/11/2011 3:20:24 PM - System Checkpoint
    RP464: 3/12/2011 8:23:53 PM - System Checkpoint
    RP465: 3/14/2011 11:08:13 AM - System Checkpoint
    RP466: 3/15/2011 11:08:04 AM - Avg Update
    RP467: 3/15/2011 11:09:17 AM - Avg Update
    RP468: 3/16/2011 8:24:53 PM - System Checkpoint
    RP469: 3/17/2011 8:36:23 PM - System Checkpoint
    RP470: 3/19/2011 11:00:52 PM - System Checkpoint
    RP471: 3/20/2011 10:40:58 PM - Installed Magic Rank Tracker
    RP472: 3/23/2011 8:28:07 PM - System Checkpoint
    RP473: 3/25/2011 3:05:47 PM - System Checkpoint
    RP474: 3/27/2011 2:33:45 PM - System Checkpoint
    RP475: 3/28/2011 4:15:40 PM - System Checkpoint
    RP476: 3/29/2011 6:59:11 PM - System Checkpoint
    RP477: 3/30/2011 8:02:00 PM - System Checkpoint
    RP478: 4/2/2011 5:15:55 PM - System Checkpoint
    RP479: 4/3/2011 6:43:18 PM - System Checkpoint
    RP480: 4/4/2011 8:22:15 PM - System Checkpoint
    RP481: 4/6/2011 6:01:06 AM - System Checkpoint
    RP482: 4/7/2011 1:50:07 PM - System Checkpoint
    RP483: 4/8/2011 9:41:34 PM - System Checkpoint
    RP484: 4/9/2011 11:14:54 PM - System Checkpoint
    RP485: 4/11/2011 4:08:00 PM - System Checkpoint
    RP486: 4/12/2011 4:46:59 PM - System Checkpoint
    RP487: 4/13/2011 8:07:47 PM - System Checkpoint
    RP488: 4/15/2011 6:30:03 PM - System Checkpoint
    RP489: 4/16/2011 2:28:09 PM - Removed Smart Virtual Assistants
    RP490: 4/17/2011 11:00:11 PM - System Checkpoint
    RP491: 4/19/2011 7:55:55 PM - System Checkpoint
    RP492: 4/20/2011 8:13:32 PM - System Checkpoint
    RP493: 4/22/2011 9:11:03 PM - System Checkpoint
    RP494: 4/23/2011 11:19:26 PM - System Checkpoint
    RP495: 4/25/2011 2:05:39 PM - Removed WinFast PVR2
    RP496: 4/25/2011 2:15:23 PM - Configured Winfast PVR3000 / Winfast PVR3000 Deluxe
    RP497: 4/26/2011 8:01:45 PM - System Checkpoint
    RP498: 4/27/2011 8:05:10 PM - System Checkpoint
    RP499: 4/28/2011 10:50:31 PM - System Checkpoint
    RP500: 4/30/2011 7:45:34 PM - System Checkpoint
    RP501: 5/1/2011 8:19:01 PM - System Checkpoint
    RP502: 5/3/2011 9:24:41 PM - System Checkpoint
    RP503: 5/4/2011 10:04:20 PM - System Checkpoint
    RP504: 5/5/2011 8:39:23 PM - Avg Update
    RP505: 5/6/2011 4:50:07 AM - Installed ArticleBot
    RP506: 5/7/2011 4:42:11 PM - System Checkpoint
    RP507: 5/8/2011 8:10:46 PM - Removed Magic Rank Tracker
    RP508: 5/8/2011 8:11:14 PM - Installed Magic Rank Tracker
    RP509: 5/9/2011 8:17:09 PM - System Checkpoint
    RP510: 5/10/2011 12:32:20 PM - Avg Update
    RP511: 5/11/2011 12:17:41 PM - Removed Magic Article Submitter
    RP512: 5/11/2011 12:18:14 PM - Installed Magic Article Submitter
    RP513: 5/12/2011 12:04:17 PM - Avg Update
    RP514: 5/12/2011 8:30:08 PM - Installed MySQL Connector/ODBC 5.1
    RP515: 5/13/2011 2:20:26 PM - Installed Article Indexer
    RP516: 5/13/2011 2:59:44 PM - Installed Backlink Loophole
    RP517: 5/13/2011 5:28:40 PM - Removed Backlink Loophole
    RP518: 5/13/2011 5:30:01 PM - Installed Backlink Loophole
    RP519: 5/14/2011 6:33:13 PM - Installed Submita Article
    RP520: 5/15/2011 7:59:04 PM - System Checkpoint
    RP521: 5/16/2011 1:57:01 PM - Installed FastArticleSubmitter
    RP522: 5/16/2011 2:25:49 PM - Removed Submita Article
    RP523: 5/18/2011 7:56:05 PM - System Checkpoint
    RP524: 5/21/2011 4:38:08 AM - Removed Magic Article Submitter
    RP525: 5/21/2011 4:39:57 AM - Removed SAT
    RP526: 5/21/2011 4:48:39 AM - Removed ASHelper
    RP527: 5/22/2011 4:39:53 PM - System Checkpoint
    RP528: 5/24/2011 7:57:02 PM - System Checkpoint
    RP529: 5/25/2011 8:29:20 PM - System Checkpoint
    RP530: 5/27/2011 1:16:45 PM - Installed BlogBot
    RP531: 5/27/2011 1:21:17 PM - Installed EmailBot
    RP532: 5/28/2011 6:49:40 PM - Removed ASHelper
    RP533: 5/30/2011 12:08:05 PM - System Checkpoint
    RP534: 5/31/2011 1:19:03 AM - Made by Registry Mechanic O
    RP535: 5/31/2011 1:21:04 AM - Removed Article Indexer
    RP536: 5/31/2011 1:22:13 AM - Removed NeoBux Referral Analyzer
    RP537: 5/31/2011 1:26:11 AM - Removed PDFill PDF Editor with FREE Writer and Free Tools
    RP538: 5/31/2011 1:31:16 AM - Removed Website Indexer
    RP539: 6/1/2011 5:04:27 PM - Installed PC Camera
    RP540: 6/1/2011 5:06:29 PM - Unsigned driver install
    RP541: 6/1/2011 11:01:34 PM - Removed PC Camera
    RP542: 6/3/2011 3:37:07 AM - System Checkpoint
    RP543: 6/4/2011 3:09:37 PM - System Checkpoint
    RP544: 6/6/2011 12:54:51 AM - System Checkpoint
    RP545: 6/7/2011 1:30:02 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader X (10.0.1)
    AI RoboForm (All Users)
    Aliens vs. Predator 2
    Apple Application Support
    Apple Software Update
    Article Drip Robot 1.10
    ArticleBot
    Artisteer 2
    ASUS nVidia Driver
    AVG 9.0
    Backlink Loophole
    BitComet 0.70
    BlogBot
    BlueVoda Website Builder 11.4 M
    CDBurnerXP
    CherryPicker
    Creative Software AutoUpdate
    Creative System Information
    DeepBurner Pro v1.8.0.225
    EmailBot
    FastArticleSubmitter
    FLV Player 2.0 (build 25)
    ForumBot
    Free Ad Traffic 1.0 1.0.0.0
    GameRanger
    Google Chrome
    Google Gears
    Google Update Helper
    GPL Ghostscript 8.64
    GSiteCrawler
    Heroes of Might and Magic V
    Heroes of Might and Magic® IV: Winds of War
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows XP (KB954550-v5)
    Java Auto Updater
    Java(TM) 6 Update 20
    JMB36X Raid Configurer
    KeywordSwipe 1.0
    Magic Article Rewriter
    Magic Rank Tracker
    Magic Tokens Database 2.0
    Malwarebytes' Anti-Malware version 1.51.0.1200
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Games for Windows - LIVE
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Primary Interoperability Assemblies 2005
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.17)
    MozyHome
    MSXML 6.0 Parser (KB933579)
    MySQL Connector/ODBC 5.1
    NVIDIA Drivers
    NVIDIA ForceWare Network Access Manager
    Nvu 1.0
    Pando Media Booster
    PartyPoker
    PIXresizer 1.0.8
    QuickTime
    R-Undelete 4.0
    Real Alternative 1.9.0
    Registry Mechanic 10.0
    RSSBot
    Smart Defrag
    Smart Virtual Assistants
    SopCore 1.1.1
    Sound Blaster X-Fi Xtreme Audio
    SpeedTouch 330
    Street Fighter IV
    TorchED
    Torchlight
    TVAnts 1.0
    Tweet Adder 3
    Update for Windows XP (KB932823-v3)
    Veetle TV 0.9.18
    VideoLAN VLC media player 0.8.5
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Warcraft III: All Products
    WebFldrs XP
    WinAce Archiver
    Winamp
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 8
    WinPcap 4.0.2
    WinRAR archiver
    Yahoo! Messenger
    Yahoo! Search Protection
    Yahoo! Software Update
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/7/2011 11:05:20 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    6/3/2011 2:13:11 AM, error: Service Control Manager [7034] - The SpeedTouch 330 Manager service terminated unexpectedly. It has done this 1 time(s).
    6/3/2011 12:10:19 PM, error: Service Control Manager [7022] - The ForceWare Intelligent Application Manager (IAM) service hung on starting.
    6/1/2011 11:16:16 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: szkg5 szkgfs
    6/1/2011 11:16:16 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Seekdns Service service to connect.
    .
    ==== End Of File ===========================


    Ok, that would be all the log files you have asked for.

    Bobbye, thank you for your fast response. I will definitely consider what you said, just a bit later as right now I need to go somewhere. But anyway, Smiley Central sounds familiar, but the other sites that you mentioned are unknown to me. I have never accessed any of them willingly, and so I am not sure how or why you mentioned them.

    Also, about the WOT add-on that you mentioned, I think AVG has a similar function too. In fact, I know it has because I have seen it when I installed the AV program. But I don't know if and how I disabled it, because I don't see it anymore. Anyway, would it be OK if I used AVG's function or must I only install and use WOT?

    Thanks again, and like I said, I will do what you instructed me when I come back from where I need to go.

    Take care!
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Comments:
    1. Wondering about frequent installs and removals of various indexers, article actions, Bots (email, blog), rank trackers per RP
    2. Advise remove Advanced System Care- IOBit> ASC is not a good program- neither is the IOBit site
    3. Advise remove Registry Mechanic 10.0> We do not recommend Registry cleaners to anyone.
    4. You have 17 Extensions in Firefox. That is a very large number.
    Advise you remove the following:> vShare plugin, Conduit Engine, AlphaMarket Comm TB, CBSurge.com.
    5. Please tell me how you are using this system. Is it for work? Is it your website? There are many entries that are not in the 'norm'. I note you also have SearchStatus, an extension to display the Google PageRank. Again, this indicates you may be monitoring a website.
    6. Update Java. Stay current with Java updates, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system. Remove v6u20 from FF ext. Do not add separate ext. for Java to FF.
    ==============================================
    Because the system was infected with all the adware, spyware and other 'junk' from those types of sites! Mbam found these infections:
    These infections are:
    Adware.Hotbar> adds graphical skins to Internet Explorer, Microsoft Outlook, and Outlook Express toolbars and also adds its own toolbar and search button. These custom toolbars have keyword-targeted advertisements built into them.
    It appears to me that you do not have security that would have prevented some of this malware.
    =================================
    You asked how you could prevent getting this trash from sites. I told you a Site Advisor will guide you, as explained. However, I strongly suggest that either the AVG advisor isn't working or you're ignoring it. Most of the infections in Mbam came from sites you could have avoided.
    --------------------------------------------
    I want you to run Combofix. To do that you have to temporarily uninstall AVG:
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.
    Note: There is no log to leave for the above.
    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

    Please paste the Eset and Combofix logs in next reply.
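    The triage done by hand in the comments above (drivers that point at files no longer on disk, a service binary living in a temp folder, the install/remove churn visible in the restore points) can be scripted against DDS-style output. This is an added example, not code from the thread or from the DDS tool; the sample lines are constructed in the shape of the log quoted earlier, and the flag rules are my own heuristics.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the DDS "SERVICES / DRIVERS" section quoted
# in the thread: <R|S><start type> <name>;<display name>;<path> [<date> <size>]
# or, when DDS could not find the file on disk, "<path> --> <path> [?]".
SAMPLE_SERVICES = r"""
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-1-25 52872]
S0 szkg5;szkg5;c:\windows\system32\drivers\szkg.sys --> c:\windows\system32\drivers\szkg.sys [?]
S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\john\locals~1\temp\upd1e7.tmp --> c:\docume~1\john\locals~1\temp\UPD1E7.tmp [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-11 136176]
"""

# Constructed sample in the shape of the "System Restore Points" section.
SAMPLE_RESTORE_POINTS = """
RP515: 5/13/2011 2:20:26 PM - Installed Article Indexer
RP516: 5/13/2011 2:59:44 PM - Installed Backlink Loophole
RP517: 5/13/2011 5:28:40 PM - Removed Backlink Loophole
RP518: 5/13/2011 5:30:01 PM - Installed Backlink Loophole
RP520: 5/15/2011 7:59:04 PM - System Checkpoint
RP535: 5/31/2011 1:21:04 AM - Removed Article Indexer
"""

SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
FILE_INFO_RE = re.compile(r"^(.*) \[(\S+) (\d+)\]$")
RP_RE = re.compile(r"^RP(\d+): (\S+ \S+ [AP]M) - (Installed|Removed) (.+)$")


def parse_service_line(line):
    """Split one DDS service/driver line into its fields, or return None."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    kind, start, name, display, rest = m.groups()
    missing = rest.endswith("[?]")
    if missing:
        # "<registered path> --> <resolved path> [?]": keep the resolved path.
        path = rest[: -len("[?]")].split("-->")[-1].strip()
        date, size = None, None
    else:
        fm = FILE_INFO_RE.match(rest)
        path, date, size = fm.group(1), fm.group(2), int(fm.group(3))
    return {
        "running": kind == "R",  # R = running, S = stopped
        "start": int(start),     # Windows start type: 0 boot, 1 system, 2 auto, 3 manual
        "name": name,
        "display": display,
        "path": path,
        "missing": missing,
        "date": date,
        "size": size,
    }


def triage_services(text):
    """Return {service name: [reasons]} for entries worth a closer look."""
    findings = {}
    for line in text.splitlines():
        svc = parse_service_line(line)
        if svc is None:
            continue
        reasons = []
        if svc["missing"]:
            reasons.append("binary missing on disk")
        if re.search(r"\\temp\\", svc["path"], re.IGNORECASE):
            reasons.append("binary under a temp directory")
        if svc["path"].lower().endswith(".tmp"):
            reasons.append("binary has a .tmp extension")
        if reasons:
            findings[svc["name"]] = reasons
    return findings


def install_churn(text, min_events=3):
    """Return {product: [(RP number, action), ...]} for products that were
    installed or removed at least min_events times."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RP_RE.match(line.strip())
        if not m:
            continue
        rp, _when, action, product = m.groups()
        events[product].append((int(rp), action))
    return {p: ev for p, ev in events.items() if len(ev) >= min_events}


if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_SERVICES).items():
        print(f"{name}: {', '.join(reasons)}")
    for product, ev in install_churn(SAMPLE_RESTORE_POINTS).items():
        print(f"{product}: {' -> '.join(a for _, a in ev)}")
```

    Running it on the constructed sample flags szkg5 and szkgfs (the same two drivers the Event Viewer section reports as failing to load) and the GarenaPEngine entry whose binary sat in the user's temp folder.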
  5. monere

    monere Newcomer, in training Topic Starter

    Hi again

    I have no idea how to temporarily uninstall AVG. There is no uninstall/disable button/link anywhere :(

    Do you have any idea how to do this so that I can run Combofix like you said?
  6. Bobbye

    Please don't quote my instructions. They are available in the post.

    Please refer to this section in my last post:
    The link and instructions are clearly given. All you have to do is read and follow the instructions I give:
  7. monere

    Hello and sorry for taking so long to reply. I couldn't make use of my computer for the last 4 days because I had it in a service because of cooler/fan problems (they got full of dust after 4 years of continuous run, and so they couldn't keep up with the amount of heat generated by the processor, and so they had to be replaced, which they have). Now everything looks more than perfect, especially that I have installed an additional system fan.

    Anyway, here's the combofix log you have asked for.




    ComboFix 11-06-15.04 - john 06/16/2011 22:08:21.1.4 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1373 [GMT 3:00]
    Running from: c:\documents and settings\john\Desktop\ComboFix.exe
    FW: ActiveArmor Firewall *Disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\john\Application Data\EurekaLog
    c:\documents and settings\john\Application Data\EurekaLog\EurekaLog.ini
    c:\documents and settings\john\Application Data\john3SQLite3.dll
    c:\documents and settings\john\Application Data\johnlog.dat
    c:\documents and settings\john\g2mdlhlpx.exe
    c:\documents and settings\john\Local Settings\userwin.exe
    c:\documents and settings\john\WINDOWS
    c:\windows\a3kebook.ini
    c:\windows\akebook.ini
    c:\windows\ANS2000.INI
    c:\windows\Downloaded Program Files\Install.inf
    c:\windows\PixArt\PAC207\Monitor.exe
    c:\windows\system32\install
    c:\windows\system32\system
    c:\windows\watwat
    c:\windows\watwat\bkkz\backup.exe
    c:\windows\watwat\Chan.ini
    c:\windows\watwat\FileImp.ini
    F:\install.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-16 to 2011-06-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-16 18:55 . 2011-06-16 18:55 -------- d-----w- c:\documents and settings\john\Application Data\Avira
    2011-06-16 18:49 . 2011-06-16 18:50 -------- d-----w- c:\windows\system32\NtmsData
    2011-06-12 00:54 . 2011-06-12 00:54 -------- d-----w- c:\documents and settings\john\Application Data\BabylonToolbar
    2011-06-12 00:51 . 2011-06-12 00:51 -------- d-----w- c:\program files\BabylonToolbar
    2011-06-12 00:17 . 2011-05-01 21:19 4045688 ----a-w- c:\windows\system32\GameMon.des
    2011-06-12 00:17 . 2005-01-04 00:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
    2011-06-12 00:17 . 2003-07-20 09:17 5174 ----a-w- c:\windows\system32\nppt9x.vxd
    2011-06-12 00:17 . 2011-06-12 00:17 -------- d-----w- c:\program files\Common Files\INCA Shared
    2011-06-10 20:42 . 2011-06-10 20:42 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-06-10 20:42 . 2011-06-10 20:42 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-06-10 20:42 . 2011-06-10 20:42 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-06-10 20:42 . 2011-06-10 20:42 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-06-10 20:42 . 2011-06-10 20:42 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
    2011-06-10 20:42 . 2011-06-10 20:42 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
    2011-06-10 20:42 . 2011-06-10 20:42 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-06-10 20:42 . 2011-06-10 20:42 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-06-10 20:14 . 2011-06-10 20:14 -------- d-----w- c:\program files\Common Files\Java
    2011-06-10 20:14 . 2011-06-10 20:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-06-08 15:31 . 2011-06-08 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2011-06-08 09:52 . 2011-05-29 06:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-08 09:52 . 2011-05-29 06:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-07 09:36 . 2011-06-07 13:29 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
    2011-06-07 09:36 . 2011-06-07 10:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
    2011-06-07 08:06 . 2011-06-07 08:06 -------- d-----w- c:\program files\Easy eCover Creator
    2011-06-03 20:55 . 2011-06-03 20:55 -------- d-----w- c:\windows\Eurobattle.net
    2011-06-02 18:47 . 2011-06-02 18:47 -------- d-----w- c:\program files\DAEMON Tools Lite
    2011-06-01 14:04 . 2007-11-02 08:07 6656 ----a-w- c:\windows\system32\CoInst_071102.dll
    2011-06-01 14:04 . 2011-06-01 14:04 -------- d-----w- c:\windows\PixArt
    2011-06-01 10:17 . 2011-06-01 10:17 -------- d-----w- c:\documents and settings\john\Application Data\Malwarebytes
    2011-06-01 10:17 . 2011-06-01 10:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-06-01 10:17 . 2011-06-08 09:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-30 22:26 . 2011-05-30 22:26 -------- d-----w- c:\documents and settings\john\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2011-05-30 15:41 . 2011-05-30 15:42 -------- d-----w- c:\documents and settings\Administrator
    2011-05-29 11:57 . 2011-05-29 11:57 -------- d-----w- c:\documents and settings\All Users\Application Data\TW
    2011-05-28 12:12 . 2011-05-28 12:12 286720 ----a-w- c:\windows\iun503.exe
    2011-05-28 12:12 . 2011-05-28 12:12 -------- d-----w- c:\program files\KeywordSwipe
    2011-05-27 10:16 . 2011-05-27 10:16 -------- d-----w- C:\IncanBots
    2011-05-18 19:35 . 2011-05-18 19:35 -------- d-----w- c:\program files\Article Drip Robot
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-11 08:13 . 2011-05-14 10:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-10 20:14 . 2010-05-26 09:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-03-26 13:58 . 2010-03-26 13:58 28472 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2010-03-26 13:58 . 2010-03-26 13:58 185224 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2010-03-26 13:58 . 2010-03-26 13:58 99208 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    2011-06-10 20:42 . 2011-06-10 20:42 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2011-06-10 107000]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "diagnostics"="C:\Program Files" [X]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-23 7774208]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "BabylonToolbar"="c:\program files\BabylonToolbar\BabylonToolbar\1.4.19.19\BabylonToolbarsrv.exe" [2010-11-07 286720]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2004-08-03 53760]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\BitComet\\BitComet.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Documents and Settings\\john\\Application Data\\GameRanger\\GameRanger\\GameRanger.exe"=
    "d:\\KITURI\\h3wog\\Heroes3.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "d:\\KITURI\\Aliens Versus Predator 3 in 1 Full Pack\\Aliens Versus Predator 2 Primal Hunt\\AVP2XServ.exe"=
    "d:\\AvP 2\\lithtech.exe"=
    "d:\\AvP 2\\AVP2Serv.exe"=
    "d:\\KITURI\\heroes3\\Heroes3.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Documents and Settings\\john\\Application Data\\SopCast\\adv\\SopAdver.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\Program Files\\Thomson SpeedTouch\\ST330\\service\\st330service.exe"=
    "c:\\Documents and Settings\\john\\Desktop\\listchecker\\pickup.listchecker.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "20964:TCP"= 20964:TCP:BitComet 20964 TCP
    "20964:UDP"= 20964:UDP:BitComet 20964 UDP
    "9831:TCP"= 9831:TCP:BitComet 9831 TCP
    "9831:UDP"= 9831:UDP:BitComet 9831 UDP
    "57865:TCP"= 57865:TCP:pando Media Booster
    "57865:UDP"= 57865:UDP:pando Media Booster
    "8394:TCP"= 8394:TCP:League of Legends Launcher
    "8394:UDP"= 8394:UDP:League of Legends Launcher
    "57876:TCP"= 57876:TCP:pando Media Booster
    "57876:UDP"= 57876:UDP:pando Media Booster
    .
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/8/2009 10:36 PM 717296]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/8/2011 12:52 PM 366640]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/8/2011 12:52 PM 22712]
    R3 ST330;ST330;c:\windows\system32\drivers\st330.sys [9/9/2009 12:11 PM 30464]
    R3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [9/9/2009 12:11 PM 12672]
    R3 STETH;SpeedTouch Ethernet Adapter NT Driver;c:\windows\system32\drivers\steth.sys [9/9/2009 12:11 PM 40320]
    S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]
    S0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]
    S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]
    S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/11/2010 11:11 PM 136176]
    S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\john\LOCALS~1\Temp\UPD1E7.tmp --> c:\docume~1\john\LOCALS~1\Temp\UPD1E7.tmp [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/11/2010 11:11 PM 136176]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/8/2011 12:52 PM 39984]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 11:22 PM 34064]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 WFFALCON;Leadtek WinFast PVR3000 Series Driver;c:\windows\system32\drivers\wffalcon.sys --> c:\windows\system32\drivers\wffalcon.sys [?]
    S3 WFIOCTL;WFIOCTL;\??\c:\program files\WinFast\WFDTV\WFIOCTL.SYS --> c:\program files\WinFast\WFDTV\WFIOCTL.SYS [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    hvpembxz
    rzeikyd
    witrjcbe
    xtgfme
    nbxegt
    topwcpwws
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 09:34]
    .
    2011-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-11 20:11]
    .
    2011-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-11 20:11]
    .
    2011-06-16 c:\windows\Tasks\User_Feed_Synchronization-{922C654E-B111-45EB-AEB1-437A1BF9AA98}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 01:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.livefootballtvs.com/
    mStart Page = hxxp://www.yahoo.com/
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    Trusted Zone: gistweb.com\www
    TCP: Interfaces\{D4FD8090-38DD-452C-A0F5-D5B487E8F22F}: NameServer = 217.156.101.1
    TCP: Interfaces\{FE5D937B-EEB7-4C44-95C3-EAFAD2327E36}: NameServer = 193.231.100.130 193.231.100.134
    DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
    FF - ProfilePath - c:\documents and settings\john\Application Data\Mozilla\Firefox\Profiles\libmvgn6.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2922774&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage -
    FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=SP_ss&mntrId=687b33d4000000000000000e50b5476e&tlver=1.4.19.19&instlRef=sst&ss=1&affID=17981&q=
    FF - user.js: browser.cache.memory.capacity - 65536
    FF - user.js: browser.chrome.favicons - false
    FF - user.js: browser.display.show_image_placeholders - true
    FF - user.js: browser.turbo.enabled - true
    FF - user.js: browser.urlbar.autocomplete.enabled - true
    FF - user.js: browser.urlbar.autofill - true
    FF - user.js: content.interrupt.parsing - true
    FF - user.js: content.max.tokenizing.time - 2250000
    FF - user.js: content.notify.backoffcount - 5
    FF - user.js: content.notify.interval - 750000
    FF - user.js: content.notify.ontimer - true
    FF - user.js: content.switch.threshold - 750000
    FF - user.js: network.http.max-connections - 48
    FF - user.js: network.http.max-connections-per-server - 16
    FF - user.js: network.http.max-persistent-connections-per-proxy - 16
    FF - user.js: network.http.max-persistent-connections-per-server - 8
    FF - user.js: network.http.pipelining - true
    FF - user.js: network.http.pipelining.firstrequest - true
    FF - user.js: network.http.pipelining.maxrequests - 8
    FF - user.js: network.http.proxy.pipelining - true
    FF - user.js: network.http.request.max-start-delay - 0
    FF - user.js: nglayout.initialpaint.delay - 0
    FF - user.js: plugin.expose_full_path - true
    FF - user.js: ui.submenuDelay - 0
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    HKCU-Run-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
    HKCU-Run-AWC.exe - c:\program files\IObit\Advanced SystemCare 3\AWC.exe
    HKCU-Run-SmartRAM - c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
    HKLM-Run-PAC207_Monitor - c:\windows\PixArt\PAC207\Monitor.exe
    HKLM-Run-Monitor - c:\windows\PixArt\PAC207\Monitor.exe
    AddRemove-BlueVoda_Website_Builder_1.0 - c:\windows\iun6002.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-16 22:10
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
    "ImagePath"="\??\c:\docume~1\john\LOCALS~1\Temp\UPD1E7.tmp"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\st330service]
    "ImagePath"="C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1708537768-1425521274-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3979101F-9570-45DA-1278-8CD7D150E838}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
    @DACL=(02 0000)
    @="Wireless"
    "ProcessGroupPolicy"="ProcessWIRELESSPolicy"
    "DllName"=expand:"gptext.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
    @DACL=(02 0000)
    @="Folder Redirection"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
    "DllName"=expand:"fdeploy.dll"
    "NoMachinePolicy"=dword:00000001
    "NoSlowLink"=dword:00000001
    "PerUserLocalSettings"=dword:00000001
    "NoGPOListChanges"=dword:00000000
    "NoBackgroundPolicy"=dword:00000000
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "EventSources"=multi:"(Folder Redirection,Application)\00\00"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
    @DACL=(02 0000)
    @="Microsoft Disk Quota"
    "NoMachinePolicy"=dword:00000000
    "NoUserPolicy"=dword:00000001
    "NoSlowLink"=dword:00000001
    "NoBackgroundPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "PerUserLocalSettings"=dword:00000000
    "RequiresSuccessfulRegistry"=dword:00000001
    "EnableAsynchronousProcessing"=dword:00000000
    "DllName"=expand:"dskquota.dll"
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
    @DACL=(02 0000)
    @="QoS Packet Scheduler"
    "ProcessGroupPolicy"="ProcessPSCHEDPolicy"
    "DllName"=expand:"gptext.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
    @DACL=(02 0000)
    @="Scripts"
    "ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
    "ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
    "GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
    "DllName"=expand:"gptext.dll"
    "NoSlowLink"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "NotifyLinkTransition"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
    @DACL=(02 0000)
    @="Internet Explorer Zonemapping"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    "ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
    "NoGPOListChanges"=dword:00000001
    "RequiresSucessfulRegistry"=dword:00000001
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
    @DACL=(02 0000)
    @="Internet Explorer User Accelerators"
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    "NoGPOListChanges"=dword:00000001
    "ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
    @DACL=(02 0000)
    "ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
    "GenerateGroupPolicy"="SceGenerateGroupPolicy"
    "ExtensionRsopPlanningDebugLevel"=dword:00000001
    "ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
    "ExtensionDebugLevel"=dword:00000001
    "DllName"=expand:"scecli.dll"
    @="Security"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "EnableAsynchronousProcessing"=dword:00000001
    "MaxNoGPOListChangesInterval"=dword:000003c0
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
    @DACL=(02 0000)
    "ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    @="Internet Explorer Branding"
    "NoSlowLink"=dword:00000001
    "NoBackgroundPolicy"=dword:00000000
    "NoGPOListChanges"=dword:00000001
    "NoMachinePolicy"=dword:00000001
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
    @DACL=(02 0000)
    "ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
    "DllName"=expand:"scecli.dll"
    @="EFS recovery"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
    @DACL=(02 0000)
    @="Microsoft Offline Files"
    "DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
    "EnableAsynchronousProcessing"=dword:00000000
    "NoBackgroundPolicy"=dword:00000000
    "NoGPOListChanges"=dword:00000000
    "NoMachinePolicy"=dword:00000000
    "NoSlowLink"=dword:00000000
    "NoUserPolicy"=dword:00000001
    "PerUserLocalSettings"=dword:00000000
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
    @DACL=(02 0000)
    @="Software Installation"
    "DllName"=expand:"appmgmts.dll"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "NoBackgroundPolicy"=dword:00000000
    "RequiresSucessfulRegistry"=dword:00000000
    "NoSlowLink"=dword:00000001
    "PerUserLocalSettings"=dword:00000001
    "EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
    @DACL=(02 0000)
    @="Internet Explorer Machine Accelerators"
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    "NoGPOListChanges"=dword:00000001
    "ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
    @DACL=(02 0000)
    @="IP Security"
    "ProcessGroupPolicy"="ProcessIPSECPolicy"
    "DllName"=expand:"gptext.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
    @DACL=(02 0000)
    "DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
    "Logon"="SABWINLOLogon"
    "Logoff"="SABWINLOLogoff"
    "Startup"="SABWINLOStartup"
    "Shutdown"="SABWINLOShutdown"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
    @DACL=(02 0000)
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=expand:"crypt32.dll"
    "Logoff"="ChainWlxLogoffEvent"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=expand:"cryptnet.dll"
    "Logoff"="CryptnetWlxLogoffEvent"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    @DACL=(02 0000)
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    @DACL=(02 0000)
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "DllName"=expand:"wlnotify.dll"
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    @DACL=(02 0000)
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=expand:"sclgntfy.dll"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    @DACL=(02 0000)
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "DllName"=expand:"wlnotify.dll"
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    @DACL=(02 0000)
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
    @DACL=(02 0000)
    "HelpAssistant"=dword:00000000
    "TsInternetUser"=dword:00000000
    "SQLAgentCmdExec"=dword:00000000
    "NetShowServices"=dword:00000000
    "IWAM_"=dword:00010000
    "IUSR_"=dword:00010000
    "VUSR_"=dword:00010000
    .
    Completion time: 2011-06-16 22:12:08
    ComboFix-quarantined-files.txt 2011-06-16 19:12
    .
    Pre-Run: 28,452,630,528 bytes free
    Post-Run: 28,510,752,768 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - B64D88F9088A609876AAE6381B6E8165


    But I couldn't find any Eset (whatever that may be) anywhere on my PC. Could you please give further instructions?

    Also, I apologize for quoting your words, but I didn't know this was misplaced. I won't do it anymore.

    Thanks
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    What was replaced?

    Do you still need help?

    Who set up all the Group Policy settings?
  9. monere

    monere Newcomer, in training Topic Starter

    The cooler and the fan that were cooling the processor were replaced with better, more performant ones (at least that's what they told me at the computer shop and repair service).

    And no, I don't think I need any more help, because I just used Malwarebytes and Avira today to scan for more malicious code on my PC and these 2 found nothing. So I assume that everything is fine now :)

    As for the Group Policy settings, I don't know what these are. As usual, if you'll give me more details I will gladly answer your question.

    And one more thing: if I can help you in any way (other than paying money), please let me know. I would like to return the favor for helping me with these viruses, if there is anything I can do.

    Thanks
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please answer these questions:

    1. Are you in Romania?
    2. Was this Combofix log run after you got the system back from the shop?
    3. Is the operating system legitimate?
  11. monere

    monere Newcomer, in training Topic Starter

    Hi

    1. Yes, I am from Romania.
    2. Yup, I ran Combofix 3-4 hours ago (about 6 hours after I got my PC back).
    3. I don't know what you mean by "legitimate". If you mean whether I purchased a license, then no. If you mean anything else, let me know.

    Thanks
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Did you purchase the operating system or get the computer from a manufacturer and activate it with the license given? The opposite of this is that the OS was pirated.

    What I am seeing in the Combofix log is not a 'normal' system.
  13. monere

    monere Newcomer, in training Topic Starter

    I am not sure if it's pirated or not, but I know for sure that I didn't pay any money for it. I got it from my friends 4 years ago when I purchased my computer, but unfortunately I can't remember who I got it from, since most of my friends have the same OS and they didn't pay for it either.

    I know this sounds like an excuse, but I want to assure you it is not. I really can't remember who I got the OS from. Besides, I have no trouble admitting when I use pirated software, because that's how things work around here. You rarely see someone willingly and knowingly purchase an OS. Probably over 50% of the population of Romania uses pirated software. OSs cost too much for us Romanians to afford, and so we download them from the internet or ask friends to give us their CDs or DVDs :)

    Hope this helps
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Using pirated software because you cannot afford the program is not an excuse. Some of us actually do without because we can't afford something.

    Your system is a great mess and I can't identify almost half of the processes showing in the Combofix log.

    I suggest you reformat and reinstall a legitimate operating system when you can.

    Since we do not support piracy, I am withdrawing my support and closing the thread.