[Closed] New guy, new thread, the same problems - VIRUSES :)


monere

Hi everyone,

This is my second attempt to get some help with my virus issues, after I tried on another similar forum without any success. Anyway, here are the log files I have been asked for:

1. Malwarebytes

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6807

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

6/8/2011 12:57:41 PM
mbam-log-2011-06-08 (12-57-41).txt

Scan type: Quick scan
Objects scanned: 157683
Time elapsed: 2 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 8
Registry Data Items Infected: 0
Folders Infected: 24
Files Infected: 269

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Seekdns Service (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2F9AD413-2E0B-4a85-BB2A-CF961238262A} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{100EB1FD-D03E-47FD-81F3-EE91287F9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{851552F5-B878-4B03-904F-2AD6A4CC8994} (PUP.Zwangi) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{851552F5-B878-4B03-904F-2AD6A4CC8994} (PUP.Zwangi) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6FD31ED6-7C94-4BBC-8E95-F927F4D3A949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D95C7240-0282-4C01-93F5-673BCA03DA86} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D95C7240-0282-4C01-93F5-673BCA03DA86} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EDDBB5EE-BB64-4bfc-9DBE-E7C85941335B} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{69725738-CD68-4f36-8D02-8C43722EE5DA} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A3E67DAA-DA01-4da5-98BE-3088B554A11E} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\DesktopLightning (Adware.Cashon) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Victim (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Seekdns (PUP.Zwangi) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Seekdns (PUP.Zwangi) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEEKDNS_SERVICE (PUP.Zwangi) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{851552F5-B878-4B03-904F-2AD6A4CC8994} (PUP.Zwangi) -> Value: {851552F5-B878-4B03-904F-2AD6A4CC8994} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{C5428486-50A0-4a02-9D20-520B59A9F9B3} (Adware.ShopperReports) -> Value: {C5428486-50A0-4a02-9D20-520B59A9F9B3} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{C5428486-50A0-4a02-9D20-520B59A9F9B3} (Adware.ShopperReports) -> Value: {C5428486-50A0-4a02-9D20-520B59A9F9B3} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{C5428486-50A0-4a02-9D20-520B59A9F9B2} (Adware.ShopperReports) -> Value: {C5428486-50A0-4a02-9D20-520B59A9F9B2} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{C5428486-50A0-4a02-9D20-520B59A9F9B2} (Adware.ShopperReports) -> Value: {C5428486-50A0-4a02-9D20-520B59A9F9B2} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{851552F5-B878-4B03-904F-2AD6A4CC8994} (PUP.Zwangi) -> Value: {851552F5-B878-4B03-904F-2AD6A4CC8994} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winappp (Backdoor.Agent) -> Value: winappp -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Windows Update System (Trojan.Backdoor) -> Value: Windows Update System -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\all users\application data\2aca5cc3-0f83-453d-a079-1076fe1a8b65 (Adware.Seekmo) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\IESkins (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5 (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\HostOI (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\HostOI\dynamic (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\HostOL (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\HostOL\dynamic (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\ustat (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1 (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2 (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\Weather (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\Weather\weatherdpa (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\Weather\weatherdpa\weather_xml (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\Weather\weather_xml (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\HotbarSA (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Seekdns (PUP.Zwangi) -> Quarantined and deleted successfully.
c:\program files\Seekdns (PUP.Zwangi) -> Quarantined and deleted successfully.
c:\svnhostsvc.exe (Trojan.SpyEyes.WC) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\application data\Seekdns\seekdns129.exe (Adware.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\john\Desktop\warcraft3keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\plugins\npclntax_hotbarsa.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\WINDOWS\watwat\bkkz\bkk.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\searchplugins\flvtube.xml (PUP.Zwangi) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\winappp.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\1.sdf (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\1055703.sdf (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\3783086.sdf (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\3858577.sdf (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\737654.sdf (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\domains.txt (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\26656 (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\29115 (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\29547 (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\342421 (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\38733 (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\40256 (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\41768 (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\459338 (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\460458 (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\477253 (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\572023 (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\579123 (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\83706 (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\tooltipxml\95825 (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\dynamic\ustat\3914.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\ads.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\btntrans.idx (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\btntrans1.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\business_promo.htm (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\buttondir.txt (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\components.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\cursors.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz12.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz13.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz14.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz15.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz16.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz17.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz18.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz19.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz2.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz20.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz3.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz4.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz5.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz6.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz7.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz8.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_categorize.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_comparison.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_em_profl_ca_flow_b_ieb.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_explorer-mails.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_explorer-people.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_favorites.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_games.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_hide.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_hotbarcom.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_hotmail.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_hsskin.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_jemster.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_jemsterie.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_jemsteruk.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_jobsearch.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_511745-514279.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz1.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz10.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_new.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_premium.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_reun.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_ringtones.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_searchboxtrapper.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_searchfor.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_searchgo.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_weather.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_yellowpages.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_1000.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_2000.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_3000.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_bar.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_bbar1.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_logos.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\d_icons_buttons_other.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\d_icons_weather.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\editblbuttons.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\email-def-511724-548964.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz11.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_bidz9.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\default_mails.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\email-def-511724-9595.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\ie_games_icon.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\email-t1-bg.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\gamesmenu.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\gamesmenu.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\hb_ie_menu.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\hotbar-premium-hotbar-premium.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\hotbar-premium.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\hotbar_promo.htm (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\icons2.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\ie_video.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\keywords.idx (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\keywords1.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\layout.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\linkpathlegal.txt (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\more.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\new_games.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\progress.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\sales_buttons.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\sdfmodifier.xml (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\s_icons_buttons.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\t2_bg.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\theweb.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\top7.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\top7_theweb.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\tsd_bg.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\1\weathericon.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\ads.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\btntrans.idx (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\btntrans1.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\business_promo.htm (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\buttondir.txt (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\components.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\cursors.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz12.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz13.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz14.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz15.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz16.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz17.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz18.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz19.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz2.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz20.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz3.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz4.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz5.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz6.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz7.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz8.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_categorize.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_comparison.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_em_profl_ca_flow_b_ieb.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_explorer-mails.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_explorer-people.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_favorites.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_games.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_hide.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_hotbarcom.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_hotmail.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_hsskin.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_jemster.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_jemsterie.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_jemsteruk.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_jobsearch.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_511745-514279.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz1.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz10.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_new.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_premium.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_reun.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_ringtones.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_searchboxtrapper.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_searchfor.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_searchgo.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_weather.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_yellowpages.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_1000.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_2000.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_3000.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_bar.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_bbar1.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_logos.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\d_icons_buttons_other.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\d_icons_weather.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\editblbuttons.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\email-def-511724-548964.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz11.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_bidz9.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default_mails.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\email-def-511724-9595.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\ie_games_icon.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\email-t1-bg.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\gamesmenu.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\gamesmenu.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\hb_ie_menu.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\hotbar-premium-hotbar-premium.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\hotbar-premium.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\hotbar_promo.htm (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\icons2.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\ie_video.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\keywords.idx (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\keywords1.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\layout.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\linkpathlegal.txt (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\more.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\new_games.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\progress.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\sales_buttons.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\sdfmodifier.xml (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\s_icons_buttons.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\t2_bg.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\theweb.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\top7.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\top7_theweb.mnu (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\tsd_bg.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\weathericon.res (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\ads.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\BtnTrans.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\btntrans1.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\business_promo.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\buttondir.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\editblbuttons.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\email-t1-bg.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\progress.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\sales_buttons.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\samplegroups2.txt (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\samplegroups2.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\sdfmodifier.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\s_icons_buttons.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\t2_bg.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\top7.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\tsd_bg.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\weathericon.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_2000.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_3000.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_bar.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_bbar1.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_logos.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_other.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\ie_video.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\keywords.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\keywords1.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\layout.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\linkpathlegal.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\default.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\cursors.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_buttons_1000.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\d_icons_weather.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\ie_games_icon.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\more.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\gamesmenu.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\hb_ie_menu.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\hotbar-premium.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\hotbar_promo.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\DownLoad\icons2.xip (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\Weather\history (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\Weather\weatherstartup.xml (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\Weather\weatherdpa\Links (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\Weather\weatherdpa\weatherpreferences (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\Weather\weatherdpa\weather_xml\Display (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\Weather\weatherdpa\weather_xml\Loading (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\Weather\weatherdpa\weather_xml\screen2 (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\Weather\weather_xml\Default (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\Weather\weather_xml\Genera1 (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\john\application data\Hotbar\Weather\weather_xml\General (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\HotbarSA\HotbarSA.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\HotbarSA\hotbarsaabout.mht (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\HotbarSA\hotbarsaau.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\HotbarSA\hotbarsaeula.mht (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\HotbarSA\hotbarsa_kyf.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\program files\Seekdns\seekdns.exe (PUP.Zwangi) -> Quarantined and deleted successfully.
c:\program files\Seekdns\uninstall.exe (PUP.Zwangi) -> Quarantined and deleted successfully.
c:\svnhostsvc.exe\cleansweepupd.exe (Trojan.SpyEyes.WC) -> Quarantined and deleted successfully.
c:\svnhostsvc.exe\config.bin (Trojan.SpyEyes.WC) -> Quarantined and deleted successfully.


This is part 1. Part 2 in the next post.
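A small triage helper for logs in the layout shown above, added here as an example and not part of the thread or of Malwarebytes itself. It parses the `path (Family) -> action` detection lines, counts findings by family and by class (Adware, PUP, Trojan), and lists the entries that deserve a second look: trojan families, items the scanner could not fully remove, and executables sitting outside the usual program directories (the directory heuristic is an assumption of this example, not a Malwarebytes feature). The sample lines are constructed to mirror the format of the log above.

```python
import re
from collections import Counter

# Constructed sample in the layout Malwarebytes' Anti-Malware 1.51 uses for its
# "Files Infected" section; the last line is a made-up "not yet removed" entry.
SAMPLE_LOG = r"""
c:\documents and settings\john\application data\Hotbar\v3.5\Hotbar\static\2\default.cdf (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\HotbarSA\HotbarSA.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\program files\Seekdns\seekdns.exe (PUP.Zwangi) -> Quarantined and deleted successfully.
c:\program files\Seekdns\uninstall.exe (PUP.Zwangi) -> Quarantined and deleted successfully.
c:\svnhostsvc.exe\cleansweepupd.exe (Trojan.SpyEyes.WC) -> Quarantined and deleted successfully.
c:\svnhostsvc.exe\config.bin (Trojan.SpyEyes.WC) -> Quarantined and deleted successfully.
c:\windows\temp\example.tmp (Adware.Hotbar) -> Delete on reboot.
"""

# One detection line: greedy path, family in the last parenthesised group,
# action after the arrow (trailing period optional).
DETECTION_RE = re.compile(
    r"^(?P<path>.*) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$"
)

# Heuristic (assumption of this example): executables are expected under these
# trees; anything executable elsewhere, e.g. a fake ".exe" directory in the
# drive root, is worth a closer look.
EXPECTED_DIRS = (
    "c:\\program files\\",
    "c:\\windows\\",
    "c:\\documents and settings\\",
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
CLEAN_ACTION = "Quarantined and deleted successfully"


def parse_line(line):
    """Return a dict for a detection line, or None for headers and blanks."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        return None
    family = m.group("family")
    return {
        "path": m.group("path"),
        "family": family,
        "kind": family.split(".", 1)[0],  # Adware / PUP / Trojan / ...
        "action": m.group("action"),
    }


def parse_log(text):
    """Parse every detection line in a log body; non-matching lines are skipped."""
    return [d for d in (parse_line(l) for l in text.splitlines()) if d]


def needs_follow_up(det):
    """List the reasons a detection should be reviewed by a human, if any."""
    reasons = []
    if det["kind"] == "Trojan":
        reasons.append("trojan family")
    if det["action"] != CLEAN_ACTION:
        reasons.append("not fully removed: " + det["action"])
    p = det["path"].lower()
    if p.endswith(EXEC_EXT) and not p.startswith(EXPECTED_DIRS):
        reasons.append("executable outside standard program directories")
    return reasons


def summarize(text):
    """Aggregate a log into counts plus the detections needing follow-up."""
    dets = parse_log(text)
    return {
        "total": len(dets),
        "by_kind": dict(Counter(d["kind"] for d in dets)),
        "by_family": dict(Counter(d["family"] for d in dets)),
        "follow_up": [
            (d["path"], needs_follow_up(d)) for d in dets if needs_follow_up(d)
        ],
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("total detections:", summary["total"])
    print("by class:", summary["by_kind"])
    print("by family:", summary["by_family"])
    for path, reasons in summary["follow_up"]:
        print("FOLLOW UP:", path, "->", "; ".join(reasons))
```

Run against the full log from this thread, the same script separates the bulk adware noise (hundreds of Hotbar files) from the handful of entries that actually matter for the helper's review, such as the SpyEye components under a directory named to look like a system executable.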
 
I'll wait until all the logs are in to review. But I will leave you a note:

The malware you have gotten indicates that:
1. You are using 'cosmetic' sites to put icons, cursors, wallpaper, screensavers and the like on the system. STOP! You do not get something for nothing. Stay away from all FunWebProducts sites, including the following:
Other FunWebProducts
Smiley Central
Cursor Mania
FunBuddyIcons
My Mail Stationery
My Mail Signature
My Mail Stamps
Popular Screensavers
Webfetti

Reset the Cookies to block 3rd party Cookies:
Reset Cookies

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus
Easy List

For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
(First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
===============================================
Put a Site Advisor on the system: I recommend the Web of Trust (WOT). This add-on is a safe surfing tool for your browser. Traffic-light rating symbols rate the site for Trustworthiness, Vendor Reliability, Privacy and Child Safety. Your online email account (Google Mail, Yahoo! Mail and Hotmail) is also protected.

Every time you do a search and the screen comes up with the sites, they will have the rating light. Green (2 shades), Amber/Yellow Caution, Red> not advised. A few sites haven't been rated and show as a blue flashlight. NOTE: Choose only sites rated Green.
======================================
Win32/Zwangi is a malware program that infects Windows computers. It is also known as Spyware.Screenspy, Mal/BHO-S, and Seekapp. The program redirects URLs typed into the browser's address bar to a search page at XXXXXX. It may also take screenshots without permission.

Please do the following:
To reset Internet Explorer settings manually
  1. Close all Internet Explorer or Windows Explorer windows that are currently open.
  2. Open Internet Explorer.
  3. Click the Tools button, and then click Internet Options.
  4. Click the Advanced tab, and then click Reset.
  5. In the Reset Internet Explorer Settings dialog box, click Reset.
  6. When Internet Explorer finishes applying default settings, click Close, click OK, and then click OK again.
  7. Close Internet Explorer.
Your changes will take effect the next time you open Internet Explorer.
=====================================
I will check the security on the system when I have the additional logs.
 
Part 2

And, here's episode no. 2 :)

2. GMER



GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-06-08 13:11:59
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\00000076 ST3500630NS rev.3.AEG
Running: pm27g7pv.exe; Driver: C:\DOCUME~1\john\LOCALS~1\Temp\kxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT spsj.sys ZwEnumerateKey [0xBA6C6CA2]
SSDT spsj.sys ZwEnumerateValueKey [0xBA6C7030]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdePort0 89DDC1F8
Device \Driver\atapi \Device\Ide\IdePort1 89DDC1F8
Device \Driver\anh3aepm \Device\Scsi\anh3aepm1Port5Path0Target3Lun0 89AD51F8
Device \Driver\anh3aepm \Device\Scsi\anh3aepm1 89AD51F8
Device \Driver\anh3aepm \Device\Scsi\anh3aepm1Port5Path0Target2Lun0 89AD51F8
Device \Driver\anh3aepm \Device\Scsi\anh3aepm1Port5Path0Target0Lun0 89AD51F8
Device \Driver\JRAID \Device\Scsi\JRAID1 89DDB1F8
Device \Driver\anh3aepm \Device\Scsi\anh3aepm1Port5Path0Target1Lun0 89AD51F8
Device \FileSystem\Ntfs \Ntfs 89DDA1F8

AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\Fastfat \Fat 88D5B1F8

AttachedDevice \FileSystem\Fastfat \Fat mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----


3. DDS.txt


.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by john at 13:16:00 on 2011-06-08
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1168 [GMT 3:00]
.
AV: AVG Internet Security *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ActiveArmor Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Google\Update\1.3.21.57\GoogleCrashHandler.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.livefootballtvs.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uLocal Page = \blank.htm
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
uRun: [AWC.exe] c:\program files\iobit\advanced systemcare 3\AWC.exe
uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 3\Sup_SmartRAM.exe" /m
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
mRun: [PAC207_Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRunOnce: [RunNarrator] Narrator.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\party poker\partypoker\RunApp.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: gistweb.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
TCP: DhcpNameServer = 217.156.101.1 217.156.101.10
TCP: Interfaces\{7916B3FD-0BAD-4157-BB4D-255D4AD9FA53} : DhcpNameServer = 217.156.101.1 217.156.101.10
TCP: Interfaces\{D4FD8090-38DD-452C-A0F5-D5B487E8F22F} : NameServer = 217.156.101.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\john\application data\mozilla\firefox\profiles\libmvgn6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2922774&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://flvtubesearch.co/?prt=02ff&clid=&subid=&Keywords=
FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\libmvgn6.default\extensions\{018da686-db92-473a-bacb-fe006e046644}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\libmvgn6.default\extensions\{0ed0633c-a54d-47f1-94e7-5bded41ae674}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\libmvgn6.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\libmvgn6.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\john\application data\mozilla\firefox\profiles\libmvgn6.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Seekdns: {7BA9F755-DCD4-4B60-8AE8-EE3662C7C733} - c:\program files\mozilla firefox\extensions\{7BA9F755-DCD4-4B60-8AE8-EE3662C7C733}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\google\google gears\Firefox
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\siber systems\ai roboform\Firefox
FF - Ext: SearchStatus: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a} - %profile%\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: OnlyWire: {e26ba8db-a646-a44e-997c-2fafeadb50f2} - %profile%\extensions\{e26ba8db-a646-a44e-997c-2fafeadb50f2}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: vShare Plugin: vshare@toolbar - %profile%\extensions\vshare@toolbar
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: AlphaMarket Community Toolbar: {018da686-db92-473a-bacb-fe006e046644} - %profile%\extensions\{018da686-db92-473a-bacb-fe006e046644}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: Free Traffic Bar Community Toolbar: {0ed0633c-a54d-47f1-94e7-5bded41ae674} - %profile%\extensions\{0ed0633c-a54d-47f1-94e7-5bded41ae674}
FF - Ext: CBSurge.com: cbsurge@cbsurge.com - %profile%\extensions\cbsurge@cbsurge.com
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-1-25 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-1-25 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-25 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-25 29584]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-25 243152]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-22 308136]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-6-22 5897808]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-8 366640]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-10-22 583640]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-1-25 122448]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-1-25 30288]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-1-25 26192]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-8 22712]
R3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2009-9-9 30464]
R3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2009-9-9 12672]
R3 STETH;SpeedTouch Ethernet Adapter NT Driver;c:\windows\system32\drivers\steth.sys [2009-9-9 40320]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]
S0 szkg5;szkg5;c:\windows\system32\drivers\szkg.sys --> c:\windows\system32\drivers\szkg.sys [?]
S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]
S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\anti trojan elite\atepmon.sys --> c:\program files\anti trojan elite\ATEPMon.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-11 136176]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 947528]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\john\locals~1\temp\upd1e7.tmp --> c:\docume~1\john\locals~1\temp\UPD1E7.tmp [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-11 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-8 39984]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 WFFALCON;Leadtek WinFast PVR3000 Series Driver;c:\windows\system32\drivers\wffalcon.sys --> c:\windows\system32\drivers\wffalcon.sys [?]
S3 WFIOCTL;WFIOCTL;\??\c:\program files\winfast\wfdtv\wfioctl.sys --> c:\program files\winfast\wfdtv\WFIOCTL.SYS [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-06-08 09:52:37 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-08 09:52:33 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-07 09:36:56 -------- d-----w- c:\program files\common files\Blizzard Entertainment
2011-06-07 09:36:56 -------- d-----w- c:\documents and settings\all users\application data\Blizzard Entertainment
2011-06-07 08:06:59 -------- d-----w- c:\program files\Easy eCover Creator
2011-06-04 19:32:14 2829 ----a-w- c:\windows\War3Unin.pif
2011-06-04 19:32:13 139264 ----a-w- c:\windows\War3Unin.exe
2011-06-04 19:29:27 -------- d-----w- C:\w3
2011-06-03 20:55:48 -------- d-----w- c:\windows\Eurobattle.net
2011-06-02 18:47:16 -------- d-----w- c:\program files\DAEMON Tools Lite
2011-06-01 14:04:28 6656 ----a-w- c:\windows\system32\CoInst_071102.dll
2011-06-01 14:04:27 -------- d-----w- c:\windows\PixArt
2011-06-01 10:17:55 -------- d-----w- c:\documents and settings\john\application data\Malwarebytes
2011-06-01 10:17:48 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-06-01 10:17:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-30 22:26:55 -------- d-----w- c:\documents and settings\john\application data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-05-29 11:57:06 -------- d-----w- c:\documents and settings\all users\application data\TW
2011-05-28 12:12:56 286720 ----a-w- c:\windows\iun503.exe
2011-05-28 12:12:54 -------- d-----w- c:\program files\KeywordSwipe
2011-05-27 10:16:45 -------- d-----w- C:\IncanBots
2011-05-18 19:35:58 -------- d-----w- c:\program files\Article Drip Robot
2011-05-17 13:21:59 -------- d-----w- c:\program files\common files\Astech
2011-05-17 13:20:03 -------- d-----w- c:\program files\Article Submitter Pro Demo
2011-05-16 11:01:12 -------- d-----w- c:\documents and settings\john\local settings\application data\FastArticleSubmitter
2011-05-16 10:57:01 -------- d-----w- c:\program files\Fast Article Submitter
2011-05-14 10:01:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-13 14:30:02 -------- d-----w- c:\program files\Backlink Loophole
2011-05-13 11:20:27 -------- d-----w- c:\program files\Article Indexer
2011-05-12 17:30:09 -------- d-----w- c:\program files\MySQL
2011-05-12 01:23:20 212240 ----a-w- c:\windows\system32\Richtx32.ocx
2011-05-11 15:00:04 -------- d-----w- c:\documents and settings\john\application data\Bryxen Software
.
==================== Find3M ====================
.
2011-05-05 17:39:19 243152 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-03-16 20:56:22 1070432 ----a-w- c:\windows\system32\wodTunnel.dll
.
============= FINISH: 13:16:17.48 ===============


4. Attach.txt


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-03.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/8/2009 6:05:46 PM
System Uptime: 6/8/2011 12:59:54 PM (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P5N-E SLI
Processor: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz | Socket 775 | 2400/266mhz
Processor: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz | Socket 775 | 2400/266mhz
Processor: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz | Socket 775 | 2400/266mhz
Processor: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz | Socket 775 | 2400/266mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 54 GiB total, 26.718 GiB free.
D: is FIXED (NTFS) - 246 GiB total, 19.303 GiB free.
E: is FIXED (NTFS) - 49 GiB total, 37.56 GiB free.
F: is FIXED (NTFS) - 59 GiB total, 42.816 GiB free.
G: is FIXED (NTFS) - 59 GiB total, 27.631 GiB free.
H: is CDROM (CDFS)
I: is CDROM ()
J: is CDROM ()
K: is CDROM ()
L: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Multimedia Video Controller
Device ID: PCI\VEN_4444&DEV_0016&SUBSYS_6F19107D&REV_01\4&DC268A3&0&3880
Manufacturer:
Name: Multimedia Video Controller
PNP Device ID: PCI\VEN_4444&DEV_0016&SUBSYS_6F19107D&REV_01\4&DC268A3&0&3880
Service:
.
Class GUID:
Description: Audio Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0883&SUBSYS_10438249&REV_1000\4&2796B9EC&0&0001
Manufacturer:
Name: Audio Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_01&VEN_10EC&DEV_0883&SUBSYS_10438249&REV_1000\4&2796B9EC&0&0001
Service:
.
==== System Restore Points ===================
.
RP462: 3/10/2011 2:10:10 PM - System Checkpoint
RP463: 3/11/2011 3:20:24 PM - System Checkpoint
RP464: 3/12/2011 8:23:53 PM - System Checkpoint
RP465: 3/14/2011 11:08:13 AM - System Checkpoint
RP466: 3/15/2011 11:08:04 AM - Avg Update
RP467: 3/15/2011 11:09:17 AM - Avg Update
RP468: 3/16/2011 8:24:53 PM - System Checkpoint
RP469: 3/17/2011 8:36:23 PM - System Checkpoint
RP470: 3/19/2011 11:00:52 PM - System Checkpoint
RP471: 3/20/2011 10:40:58 PM - Installed Magic Rank Tracker
RP472: 3/23/2011 8:28:07 PM - System Checkpoint
RP473: 3/25/2011 3:05:47 PM - System Checkpoint
RP474: 3/27/2011 2:33:45 PM - System Checkpoint
RP475: 3/28/2011 4:15:40 PM - System Checkpoint
RP476: 3/29/2011 6:59:11 PM - System Checkpoint
RP477: 3/30/2011 8:02:00 PM - System Checkpoint
RP478: 4/2/2011 5:15:55 PM - System Checkpoint
RP479: 4/3/2011 6:43:18 PM - System Checkpoint
RP480: 4/4/2011 8:22:15 PM - System Checkpoint
RP481: 4/6/2011 6:01:06 AM - System Checkpoint
RP482: 4/7/2011 1:50:07 PM - System Checkpoint
RP483: 4/8/2011 9:41:34 PM - System Checkpoint
RP484: 4/9/2011 11:14:54 PM - System Checkpoint
RP485: 4/11/2011 4:08:00 PM - System Checkpoint
RP486: 4/12/2011 4:46:59 PM - System Checkpoint
RP487: 4/13/2011 8:07:47 PM - System Checkpoint
RP488: 4/15/2011 6:30:03 PM - System Checkpoint
RP489: 4/16/2011 2:28:09 PM - Removed Smart Virtual Assistants
RP490: 4/17/2011 11:00:11 PM - System Checkpoint
RP491: 4/19/2011 7:55:55 PM - System Checkpoint
RP492: 4/20/2011 8:13:32 PM - System Checkpoint
RP493: 4/22/2011 9:11:03 PM - System Checkpoint
RP494: 4/23/2011 11:19:26 PM - System Checkpoint
RP495: 4/25/2011 2:05:39 PM - Removed WinFast PVR2
RP496: 4/25/2011 2:15:23 PM - Configured Winfast PVR3000 / Winfast PVR3000 Deluxe
RP497: 4/26/2011 8:01:45 PM - System Checkpoint
RP498: 4/27/2011 8:05:10 PM - System Checkpoint
RP499: 4/28/2011 10:50:31 PM - System Checkpoint
RP500: 4/30/2011 7:45:34 PM - System Checkpoint
RP501: 5/1/2011 8:19:01 PM - System Checkpoint
RP502: 5/3/2011 9:24:41 PM - System Checkpoint
RP503: 5/4/2011 10:04:20 PM - System Checkpoint
RP504: 5/5/2011 8:39:23 PM - Avg Update
RP505: 5/6/2011 4:50:07 AM - Installed ArticleBot
RP506: 5/7/2011 4:42:11 PM - System Checkpoint
RP507: 5/8/2011 8:10:46 PM - Removed Magic Rank Tracker
RP508: 5/8/2011 8:11:14 PM - Installed Magic Rank Tracker
RP509: 5/9/2011 8:17:09 PM - System Checkpoint
RP510: 5/10/2011 12:32:20 PM - Avg Update
RP511: 5/11/2011 12:17:41 PM - Removed Magic Article Submitter
RP512: 5/11/2011 12:18:14 PM - Installed Magic Article Submitter
RP513: 5/12/2011 12:04:17 PM - Avg Update
RP514: 5/12/2011 8:30:08 PM - Installed MySQL Connector/ODBC 5.1
RP515: 5/13/2011 2:20:26 PM - Installed Article Indexer
RP516: 5/13/2011 2:59:44 PM - Installed Backlink Loophole
RP517: 5/13/2011 5:28:40 PM - Removed Backlink Loophole
RP518: 5/13/2011 5:30:01 PM - Installed Backlink Loophole
RP519: 5/14/2011 6:33:13 PM - Installed Submita Article
RP520: 5/15/2011 7:59:04 PM - System Checkpoint
RP521: 5/16/2011 1:57:01 PM - Installed FastArticleSubmitter
RP522: 5/16/2011 2:25:49 PM - Removed Submita Article
RP523: 5/18/2011 7:56:05 PM - System Checkpoint
RP524: 5/21/2011 4:38:08 AM - Removed Magic Article Submitter
RP525: 5/21/2011 4:39:57 AM - Removed SAT
RP526: 5/21/2011 4:48:39 AM - Removed ASHelper
RP527: 5/22/2011 4:39:53 PM - System Checkpoint
RP528: 5/24/2011 7:57:02 PM - System Checkpoint
RP529: 5/25/2011 8:29:20 PM - System Checkpoint
RP530: 5/27/2011 1:16:45 PM - Installed BlogBot
RP531: 5/27/2011 1:21:17 PM - Installed EmailBot
RP532: 5/28/2011 6:49:40 PM - Removed ASHelper
RP533: 5/30/2011 12:08:05 PM - System Checkpoint
RP534: 5/31/2011 1:19:03 AM - Made by Registry Mechanic O
RP535: 5/31/2011 1:21:04 AM - Removed Article Indexer
RP536: 5/31/2011 1:22:13 AM - Removed NeoBux Referral Analyzer
RP537: 5/31/2011 1:26:11 AM - Removed PDFill PDF Editor with FREE Writer and Free Tools
RP538: 5/31/2011 1:31:16 AM - Removed Website Indexer
RP539: 6/1/2011 5:04:27 PM - Installed PC Camera
RP540: 6/1/2011 5:06:29 PM - Unsigned driver install
RP541: 6/1/2011 11:01:34 PM - Removed PC Camera
RP542: 6/3/2011 3:37:07 AM - System Checkpoint
RP543: 6/4/2011 3:09:37 PM - System Checkpoint
RP544: 6/6/2011 12:54:51 AM - System Checkpoint
RP545: 6/7/2011 1:30:02 PM - System Checkpoint
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.0.1)
AI RoboForm (All Users)
Aliens vs. Predator 2
Apple Application Support
Apple Software Update
Article Drip Robot 1.10
ArticleBot
Artisteer 2
ASUS nVidia Driver
AVG 9.0
Backlink Loophole
BitComet 0.70
BlogBot
BlueVoda Website Builder 11.4 M
CDBurnerXP
CherryPicker
Creative Software AutoUpdate
Creative System Information
DeepBurner Pro v1.8.0.225
EmailBot
FastArticleSubmitter
FLV Player 2.0 (build 25)
ForumBot
Free Ad Traffic 1.0 1.0.0.0
GameRanger
Google Chrome
Google Gears
Google Update Helper
GPL Ghostscript 8.64
GSiteCrawler
Heroes of Might and Magic V
Heroes of Might and Magic® IV: Winds of War
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB954550-v5)
Java Auto Updater
Java(TM) 6 Update 20
JMB36X Raid Configurer
KeywordSwipe 1.0
Magic Article Rewriter
Magic Rank Tracker
Magic Tokens Database 2.0
Malwarebytes' Anti-Malware version 1.51.0.1200
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Primary Interoperability Assemblies 2005
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.17)
MozyHome
MSXML 6.0 Parser (KB933579)
MySQL Connector/ODBC 5.1
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
Nvu 1.0
Pando Media Booster
PartyPoker
PIXresizer 1.0.8
QuickTime
R-Undelete 4.0
Real Alternative 1.9.0
Registry Mechanic 10.0
RSSBot
Smart Defrag
Smart Virtual Assistants
SopCore 1.1.1
Sound Blaster X-Fi Xtreme Audio
SpeedTouch 330
Street Fighter IV
TorchED
Torchlight
TVAnts 1.0
Tweet Adder 3
Update for Windows XP (KB932823-v3)
Veetle TV 0.9.18
VideoLAN VLC media player 0.8.5
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Warcraft III: All Products
WebFldrs XP
WinAce Archiver
Winamp
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
WinPcap 4.0.2
WinRAR archiver
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Software Update
.
==== Event Viewer Messages From Past Week ========
.
6/7/2011 11:05:20 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
6/3/2011 2:13:11 AM, error: Service Control Manager [7034] - The SpeedTouch 330 Manager service terminated unexpectedly. It has done this 1 time(s).
6/3/2011 12:10:19 PM, error: Service Control Manager [7022] - The ForceWare Intelligent Application Manager (IAM) service hung on starting.
6/1/2011 11:16:16 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: szkg5 szkgfs
6/1/2011 11:16:16 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Seekdns Service service to connect.
.
==== End Of File ===========================


Ok, that would be all the log files you have asked for.

Bobbye, thank you for your fast response. I will definitely consider what you said, just a bit later as right now I need to go somewhere. But anyway, Smiley Central sounds familiar, but the other sites that you mentioned are unknown to me. I have never accessed any of them willingly, and so I am not sure how or why you mentioned them.

Also, about the WOT add-on that you mentioned, I think AVG has a similar function too. In fact, I know it has because I have seen it when I installed the AV program. But I don't know if and how I disabled it, because I don't see it anymore. Anyway, would it be OK if I used AVG's function or must I only install and use WOT?

Thanks again, and like I said, I will do what you instructed me when I come back from where I need to go.

Take care!
 
Comments:
1. Wondering about frequent installs and removals of various indexers, article actions, Bots (email, blog), rank trackers per RP
2. Advise remove Advanced System Care- IOBit> ASC is not a good program- neither is the IOBit site
3. Advise remove Registry Mechanic 10.0> We do not recommend Registry cleaners to anyone.
4. You have 17 Extensions in Firefox. That is a very large number.
Advise you remove the following:> vShare plugin, Conduit Engine, AlphaMarket Comm TB, CBSurge.com.
5. Please tell me how you are using this system. Is it for work? Is it your website? There are many entries that are not in the 'norm'. I note you also have SearchStatus, an extension to display the Google PageRank. Again, this indicates you may be monitoring a website.
6. Update Java: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system. Remove v6u20 from FF ext. Do not add separate ext. for Java to FF.
==============================================
"Smiley Central sounds familiar, but the other sites that you mentioned are unknown to me. I have never accessed any of them willingly, and so I am not sure how or why you mentioned them"
Because the system was infected with all the adware, spyware and other 'junk' from those types of sites! Mbam found these infections:
Registry Keys Infected: 20
Registry Values Infected: 8
Folders Infected: 24
Files Infected: 269
These infections are:
Adware.Hotbar> adds graphical skins to Internet Explorer, Microsoft Outlook, and Outlook Express toolbars and also adds its own toolbar and search button. These custom toolbars have keyword-targeted advertisements built into them.
Backdoor.Bot
(Backdoor.Agent)
Trojan.SpyEyes.WC
Adware.ZangoSearch
It appears to me that you do not have security that would have prevented some of this malware.
=================================
"Also, about the WOT add-on that you mentioned, I think AVG has a similar function too. In fact, I know it has because I have seen it when I installed the AV program. But I don't know if and how I disabled it, because I don't see it anymore. Anyway, would it be OK if I used AVG's function or must I only install and use WOT?"

You asked how you could prevent getting this trash from sites. I told you a Site Advisor will guide you, as explained. However, I strongly suggest that either the AVG advisor isn't working or you're ignoring it. Most of the infections in Mbam came from sites you could have avoided.
--------------------------------------------
I want you to run Combofix. To do that you have to temporarily uninstall AVG:
Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.
Note: There is no log to leave for the above.
Temporary AV: Use one:
Avira-AntiVir-Personal-Free-Antivirus
Avast Free Version
=============================
Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated - it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

Please paste the Eset and Combofix logs in next reply.
 
Comments:
1. Wondering about frequent installs and removals of various indexers, article actions, Bots (email, blog), rank trackers per RP
2. Advise remove Advanced System Care- IOBit> ASC is not a good program- neither is the IOBit site
3. Advise remove Registry Mechanic 10.0> We do not recommend Registry cleaners to anyone.
4. You have 17 Extensions in Firefox. That is a very large number.
Advise you remove the following:> vShre plugin, Conduit Engine, AlphaMarket Comm TB, CBSurge.com.
5. Please tell me how you are using this system. Is it for work? Is it your website? There are many entries that are not in the 'norm'. I note you also have the SearchStatus an extension to display the Google PageRank Again, this indicates you may be monitoring a website.
6. Update Java, Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system. remove v6u20 from FF ext. Do not add separate ext. for Java ti FF
==============================================
Because the system was infected with all the adware, spyware and other 'junk' from those types of sites! Mbam found these infections:

These infections are:
Adware.Hotbar> adds graphical skins to Internet Explorer, Microsoft Outlook, and Outlook Express toolbars and also adds its own toolbar and search button. These custom toolbars have keyword-targeted advertisements built into them.

It appears to me that you do not have security that would have prevented some of this malware.
=================================
You asked how you could prevent getting this trash from sites. I told you a Site Advisor .with guide as explained. However, I strongly suggest that either the AVG advisor isn't working or you're ignoring it. Most of the infections in Mbam came from sites you could have avoided.
--------------------------------------------
I want you to run Combofix. To do that you have to temporarily uninstall AVG:

Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
    image_preview
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.
Note: There is no log to leave for the above.

Temporary AV: Use one:
Avira-AntiVir-Personal-Free-Antivirus
Avast Free Version
=============================
=============================
Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    whatnext.png
  • .Click on Yes, to continue scanning for malware
  • .If Combofix asks you to update the program, allow
  • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • .Close any open browsers.
  • .Double click combofix.exe
    cf-icon.jpg
    & follow the prompts to run.
  • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.

Please paste the Eset and Combofix logs in next reply.

Hi again

I have no idea how to temporarily uninstall AVG. There is no uninstall/disable button/link anywhere :(

Do you have any idea how to do this so that I can run Combofix like you said?
 
Please don't quote my instructions. They are available in the post.

Please refer to this section in my last post:
To do that you have to temporarily uninstall AVG:
Download AppRemover and save to the desktop
1. Double click the setup on the desktop> click Next
2. Select “Remove Security Application”
3. Let scan finish to determine security apps
4. A screen like below will appear:
The link and instructions are clearly given. All you have to do is read and follow the instructions I give:
I have no idea how to temporarily uninstall AVG. There is no uninstall/disable button/link anywhere. Do you have any idea how to do this so that I can run Combofix like you said?
 
Hello and sorry for taking so long to reply. I couldn't make use of my computer for the last 4 days because I had it in for service because of cooler/fan problems (they got full of dust after 4 years of continuous running, and so they couldn't keep up with the amount of heat generated by the processor, and so they had to be replaced, which they have). Now everything looks more than perfect, especially since I have installed an additional system fan.

Anyway, here's the combofix log you have asked for:

ComboFix 11-06-15.04 - john 06/16/2011 22:08:21.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1373 [GMT 3:00]
Running from: c:\documents and settings\john\Desktop\ComboFix.exe
FW: ActiveArmor Firewall *Disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\john\Application Data\EurekaLog
c:\documents and settings\john\Application Data\EurekaLog\EurekaLog.ini
c:\documents and settings\john\Application Data\john3SQLite3.dll
c:\documents and settings\john\Application Data\johnlog.dat
c:\documents and settings\john\g2mdlhlpx.exe
c:\documents and settings\john\Local Settings\userwin.exe
c:\documents and settings\john\WINDOWS
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\Downloaded Program Files\Install.inf
c:\windows\PixArt\PAC207\Monitor.exe
c:\windows\system32\install
c:\windows\system32\system
c:\windows\watwat
c:\windows\watwat\bkkz\backup.exe
c:\windows\watwat\Chan.ini
c:\windows\watwat\FileImp.ini
F:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-05-16 to 2011-06-16 )))))))))))))))))))))))))))))))
.
.
2011-06-16 18:55 . 2011-06-16 18:55 -------- d-----w- c:\documents and settings\john\Application Data\Avira
2011-06-16 18:49 . 2011-06-16 18:50 -------- d-----w- c:\windows\system32\NtmsData
2011-06-12 00:54 . 2011-06-12 00:54 -------- d-----w- c:\documents and settings\john\Application Data\BabylonToolbar
2011-06-12 00:51 . 2011-06-12 00:51 -------- d-----w- c:\program files\BabylonToolbar
2011-06-12 00:17 . 2011-05-01 21:19 4045688 ----a-w- c:\windows\system32\GameMon.des
2011-06-12 00:17 . 2005-01-04 00:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2011-06-12 00:17 . 2003-07-20 09:17 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2011-06-12 00:17 . 2011-06-12 00:17 -------- d-----w- c:\program files\Common Files\INCA Shared
2011-06-10 20:42 . 2011-06-10 20:42 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-06-10 20:42 . 2011-06-10 20:42 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-06-10 20:42 . 2011-06-10 20:42 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-06-10 20:42 . 2011-06-10 20:42 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-06-10 20:42 . 2011-06-10 20:42 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-06-10 20:42 . 2011-06-10 20:42 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-06-10 20:42 . 2011-06-10 20:42 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-06-10 20:42 . 2011-06-10 20:42 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-06-10 20:14 . 2011-06-10 20:14 -------- d-----w- c:\program files\Common Files\Java
2011-06-10 20:14 . 2011-06-10 20:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-08 15:31 . 2011-06-08 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-06-08 09:52 . 2011-05-29 06:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-08 09:52 . 2011-05-29 06:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-07 09:36 . 2011-06-07 13:29 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2011-06-07 09:36 . 2011-06-07 10:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2011-06-07 08:06 . 2011-06-07 08:06 -------- d-----w- c:\program files\Easy eCover Creator
2011-06-03 20:55 . 2011-06-03 20:55 -------- d-----w- c:\windows\Eurobattle.net
2011-06-02 18:47 . 2011-06-02 18:47 -------- d-----w- c:\program files\DAEMON Tools Lite
2011-06-01 14:04 . 2007-11-02 08:07 6656 ----a-w- c:\windows\system32\CoInst_071102.dll
2011-06-01 14:04 . 2011-06-01 14:04 -------- d-----w- c:\windows\PixArt
2011-06-01 10:17 . 2011-06-01 10:17 -------- d-----w- c:\documents and settings\john\Application Data\Malwarebytes
2011-06-01 10:17 . 2011-06-01 10:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-01 10:17 . 2011-06-08 09:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-30 22:26 . 2011-05-30 22:26 -------- d-----w- c:\documents and settings\john\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-05-30 15:41 . 2011-05-30 15:42 -------- d-----w- c:\documents and settings\Administrator
2011-05-29 11:57 . 2011-05-29 11:57 -------- d-----w- c:\documents and settings\All Users\Application Data\TW
2011-05-28 12:12 . 2011-05-28 12:12 286720 ----a-w- c:\windows\iun503.exe
2011-05-28 12:12 . 2011-05-28 12:12 -------- d-----w- c:\program files\KeywordSwipe
2011-05-27 10:16 . 2011-05-27 10:16 -------- d-----w- C:\IncanBots
2011-05-18 19:35 . 2011-05-18 19:35 -------- d-----w- c:\program files\Article Drip Robot
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-11 08:13 . 2011-05-14 10:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-10 20:14 . 2010-05-26 09:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-03-26 13:58 . 2010-03-26 13:58 28472 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-03-26 13:58 . 2010-03-26 13:58 185224 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-03-26 13:58 . 2010-03-26 13:58 99208 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2011-06-10 20:42 . 2011-06-10 20:42 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2011-06-10 107000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagnostics"="C:\Program Files" [X]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-23 7774208]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"BabylonToolbar"="c:\program files\BabylonToolbar\BabylonToolbar\1.4.19.19\BabylonToolbarsrv.exe" [2010-11-07 286720]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 53760]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\john\\Application Data\\GameRanger\\GameRanger\\GameRanger.exe"=
"d:\\KITURI\\h3wog\\Heroes3.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"d:\\KITURI\\Aliens Versus Predator 3 in 1 Full Pack\\Aliens Versus Predator 2 Primal Hunt\\AVP2XServ.exe"=
"d:\\AvP 2\\lithtech.exe"=
"d:\\AvP 2\\AVP2Serv.exe"=
"d:\\KITURI\\heroes3\\Heroes3.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\john\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Thomson SpeedTouch\\ST330\\service\\st330service.exe"=
"c:\\Documents and Settings\\john\\Desktop\\listchecker\\pickup.listchecker.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20964:TCP"= 20964:TCP:BitComet 20964 TCP
"20964:UDP"= 20964:UDP:BitComet 20964 UDP
"9831:TCP"= 9831:TCP:BitComet 9831 TCP
"9831:UDP"= 9831:UDP:BitComet 9831 UDP
"57865:TCP"= 57865:TCP:pando Media Booster
"57865:UDP"= 57865:UDP:pando Media Booster
"8394:TCP"= 8394:TCP:League of Legends Launcher
"8394:UDP"= 8394:UDP:League of Legends Launcher
"57876:TCP"= 57876:TCP:pando Media Booster
"57876:UDP"= 57876:UDP:pando Media Booster
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/8/2009 10:36 PM 717296]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/8/2011 12:52 PM 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/8/2011 12:52 PM 22712]
R3 ST330;ST330;c:\windows\system32\drivers\st330.sys [9/9/2009 12:11 PM 30464]
R3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [9/9/2009 12:11 PM 12672]
R3 STETH;SpeedTouch Ethernet Adapter NT Driver;c:\windows\system32\drivers\steth.sys [9/9/2009 12:11 PM 40320]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]
S0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]
S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]
S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/11/2010 11:11 PM 136176]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\john\LOCALS~1\Temp\UPD1E7.tmp --> c:\docume~1\john\LOCALS~1\Temp\UPD1E7.tmp [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/11/2010 11:11 PM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/8/2011 12:52 PM 39984]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 11:22 PM 34064]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WFFALCON;Leadtek WinFast PVR3000 Series Driver;c:\windows\system32\drivers\wffalcon.sys --> c:\windows\system32\drivers\wffalcon.sys [?]
S3 WFIOCTL;WFIOCTL;\??\c:\program files\WinFast\WFDTV\WFIOCTL.SYS --> c:\program files\WinFast\WFDTV\WFIOCTL.SYS [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hvpembxz
rzeikyd
witrjcbe
xtgfme
nbxegt
topwcpwws
.
Contents of the 'Scheduled Tasks' folder
.
2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 09:34]
.
2011-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-11 20:11]
.
2011-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-11 20:11]
.
2011-06-16 c:\windows\Tasks\User_Feed_Synchronization-{922C654E-B111-45EB-AEB1-437A1BF9AA98}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 01:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.livefootballtvs.com/
mStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: gistweb.com\www
TCP: Interfaces\{D4FD8090-38DD-452C-A0F5-D5B487E8F22F}: NameServer = 217.156.101.1
TCP: Interfaces\{FE5D937B-EEB7-4C44-95C3-EAFAD2327E36}: NameServer = 193.231.100.130 193.231.100.134
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
FF - ProfilePath - c:\documents and settings\john\Application Data\Mozilla\Firefox\Profiles\libmvgn6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2922774&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=SP_ss&mntrId=687b33d4000000000000000e50b5476e&tlver=1.4.19.19&instlRef=sst&ss=1&affID=17981&q=
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
HKCU-Run-AWC.exe - c:\program files\IObit\Advanced SystemCare 3\AWC.exe
HKCU-Run-SmartRAM - c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
HKLM-Run-PAC207_Monitor - c:\windows\PixArt\PAC207\Monitor.exe
HKLM-Run-Monitor - c:\windows\PixArt\PAC207\Monitor.exe
AddRemove-BlueVoda_Website_Builder_1.0 - c:\windows\iun6002.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-16 22:10
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\john\LOCALS~1\Temp\UPD1E7.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\st330service]
"ImagePath"="C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1708537768-1425521274-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3979101F-9570-45DA-1278-8CD7D150E838}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@DACL=(02 0000)
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@DACL=(02 0000)
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
.
Completion time: 2011-06-16 22:12:08
ComboFix-quarantined-files.txt 2011-06-16 19:12
.
Pre-Run: 28,452,630,528 bytes free
Post-Run: 28,510,752,768 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - B64D88F9088A609876AAE6381B6E8165


But, I couldn't find any Eset (whatever that may be) anywhere on my PC. Could you please give further instructions?

Also, I apologize for quoting your words, but I didn't know this was misplaced. I won't do it anymore.

Thanks
 
What was replaced?

Do you still need help?

Who set up all the Group Policy settings?
 
The cooler and the fan that were cooling the processor were replaced with better, higher-performance ones (at least that's what they told me at the computer shop and repair service).

And no, I don't think I need any more help because I just used Malwarebytes and Avira today to scan for more malicious code on my PC and these 2 found nothing. So I assume that everything is fine now :)

As for the Group Policy settings, I don't know what these are. As usual, if you'll give me more details I will gladly answer your question.

And one more thing: if I can help you in any way (other than paying money), please let me know. I would like to return the favor for helping me with these viruses, if there is anything I can do.

Thanks
 
Please answer these questions:

1. Are you in Romania?
2. Was this Combofix log run after you got the system back from the shop?
3. Is the operating system legitimate?
 
Hi

1. Yes, I am from Romania
2. Yup, I ran combofix 3-4 hours ago (about 6 hours after I got my PC back)
3. I don't know what you mean by "legitimate". If you mean whether I purchased a license, then no. If you mean anything else, let me know.

Thanks
 
3. I don't know what you mean by "legitimate". If you mean whether I purchased a license, then no. If you mean anything else, let me know.

Did you purchase the operating system or get the computer from a manufacturer and activate it with the license given? The opposite of this is that the OS was pirated.

What I am seeing in the Combofix log is not a 'normal' system.
 
I am not sure if it's pirated or not but I know for sure that I didn't pay any money for it. I got it from my friends 4 years ago when I purchased my computer, but unfortunately I can't remember who I got it from since most of my friends have the same OS and they didn't pay for it either.

I know this sounds like an excuse but I want to assure you it is not. I really can't remember who I got the OS from. Besides, I have no trouble admitting when I use pirated software because that's how things work around here. You rarely see someone willingly and knowingly purchase an OS. Probably over 50% of the population of Romania uses pirated software. OSs cost too much for us Romanians to afford paying for them, and so we download them from the internet or ask friends to give us their CDs or DVDs :)

Hope this helps
 
Using pirated software because you cannot afford the program is not an excuse. Some of us actually do without because we can't afford something.

Your system is a great mess and I can't identify almost half of the processes showing in the Combofix log.

I suggest you reformat and reinstall a legitimate operating system when you can.

Since we do not support piracy, I am withdrawing my support and closing the thread.
 